Core of our business

d2o uses enterprise class security features to ensure that your data is always protected.

Microsoft Azure
AICPA SOC
ISO 27001

Compliance Certifications

SOC 2 Type 2

d2o Production and Development environments undergo routine audits. Compliance is continuously monitored and managed within the Microsoft Azure environment.

A SOC 2 Type 2 attestation is performed under:

  • SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).
  • SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (AICPA Guide).
  • TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria).

ISO 27001:2013

d2o Production and Development environments undergo routine audits. Compliance is continuously monitored and managed within the Microsoft Azure environment.

ISO/IEC 27001 is the international standard for information security management. ISO/IEC 27701 extends it by specifying requirements and providing guidance for a Privacy Information Management System (PIMS), which makes a PIMS a helpful compliance extension for the many organizations that already rely on ISO/IEC 27001, and creates a strong integration point for aligning security and privacy controls. ISO/IEC 27701 accomplishes this integration through a framework for managing personal data that can be used by both data controllers and data processors, a key distinction for General Data Protection Regulation (GDPR) compliance.

PCI DSS 3.2.1

d2o Production and Development environments undergo routine audits. Compliance is continuously monitored and managed within the Microsoft Azure environment.

The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Microsoft Azure maintains a PCI DSS validation using an approved Qualified Security Assessor (QSA), and is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1. The Azure Policy regulatory compliance built-in initiative for PCI DSS maps to the PCI DSS compliance domains and controls.

NIST SP 800-171 R2

d2o Production and Development environments undergo routine audits. Compliance is continuously monitored and managed within the Microsoft Azure environment.

The National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides guidelines for the protection of controlled unclassified information (CUI) in nonfederal information systems and organizations.

Azure Security Benchmark

d2o Production and Development environments undergo routine audits. Compliance is continuously monitored and managed within the Microsoft Azure environment.

The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).

Cloud Security

Data center physical security

d2o leverages Azure data centers in the United States, Europe and East Asia. The main data centers for PMI customers reside in North Europe (Ireland) and West Europe (Netherlands).

Azure has 58 regions worldwide and has data centers available in 140 countries. Microsoft takes a layered approach to physical security to reduce the risk of unauthorised users gaining physical access to data and datacenter resources. Datacenters managed by Microsoft have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor.

Azure’s geographically dispersed datacenters comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. Azure comes with 90+ compliance offerings, the most comprehensive compliance coverage of any cloud service provider.

Vendor security

d2o minimises risks associated with third-party vendors by performing security reviews on vendors with any level of access to our systems or Service Data.

Network security

Dedicated Security Team

The d2o security team has members stationed in North Europe and West Asia and is on call 24/7 to respond to security alerts and events.


Protection

Our network is protected through the use of key Azure security services, integration with edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.


Architecture

Our network security architecture is segmented and consists of multiple security zones. Depending on the zone, additional security monitoring and access controls will apply.


Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. Microsoft Defender for Cloud provides advanced threat protection across the workloads in the cloud. Vulnerability scanning is performed on server operating systems, databases, and network devices. Blue and Red-team exercises are also performed and the results are used to make security improvements.


Intrusion Detection, Prevention and Incident Event Management

The secure score within Microsoft Azure continually assesses the security posture and tracks new security opportunities and efforts. It defends the workloads in real time and makes it possible to prevent security events from developing.


DDoS Mitigation

Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks.


Logical Access

Access to the d2o Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the d2o Production Network are required to use multiple factors of authentication.


Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage.

Encryption

Encryption in Transit

All communications with d2o UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and PMI is secure during transit.


Encryption at Rest

Service Data is encrypted at rest in Azure using AES-256 encryption.

Availability and continuity

Uptime

Microsoft Azure guarantees uptime availability of at least 99.06% for their services, depending on resource and configuration. Here is a summary of the Azure SLA for each service.


Redundancy

d2o employs service clustering and network redundancies to eliminate single points of failure. The Azure Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.


Disaster Recovery

Our Disaster Recovery program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

Due to Azure’s powerful global networking backbone, d2o can replicate and fail over applications to any Azure region around the globe (zone-to-zone disaster recovery, within-continent disaster recovery, and global disaster recovery).

Application Security

PMI Solution and websites

This Privacy Policy Statement covers the information practices of PMI Solutions, including services such as:

  • PMI R&P (Revenue and Productivity)
  • PMI P&L (Profit and Loss)
  • PMI GoGreen
  • PMI Task Manager
  • PMI Plus (Extended version of R&P and P&L modules)

This Privacy Policy Statement also covers the information practices of Websites that link to this privacy statement, including domains such as:

  • *.d2o.biz
  • *.d2o.com
  • *.d2o.no

The wildcard (*) means that any subdomain of any of the listed domains is covered.

Development security controls

Secure Code Training

d2o provides secure code training for engineers, based on the OWASP Top Ten security risks. d2o also runs Red and Blue team training at regular intervals.


Framework Security Controls

d2o leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.


Quality Assurance

Our Quality Assurance department reviews and tests our code base. Dedicated personnel test and triage security vulnerabilities in code.

The triage process should divide all identified issues into three categories: Fix, Acknowledge and Investigate, following the Vulnerability Management guidance by the NCSC.


Separate Environments

Test environments are logically separated from the Production environment.


Product Security

Authentication security

Authentication Options

d2o has two different authentication options. Customers can enable native PMI authentication or Enterprise Single sign-on (SSO) for Office365 for end-user and/or agent authentication.


Password Policy

The current policy requires passwords to contain at least 8 characters. The password must also contain a lower-case letter, an upper-case letter, a number and a special character.


2-Factor Authentication (2FA)

d2o native authentication for the PMI backbone and development provides two-factor authentication (2FA) for BRE, agents and admins via SMS or an authenticator app.


Service Credential Storage

d2o follows secure credential storage best practices by never storing passwords in human-readable format, and only as the result of a secure, salted, one-way hash.

Additional product security feature

Role-Based Access Controls

Access to data within PMI applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges. PMI supports various permission levels for users (owner, admin, agent, end-user, etc.).


Audit Logs

d2o offers Audit Logs. These logs include account changes, user changes, activity and settings changes. A redacted Audit Log is available within PMI for any specific customer. Complete Audit logs for production resources are available within the Azure framework.


Redaction

d2o uses manual redaction for removing sensitive data. Manual redaction provides the ability to redact or remove sensitive data to protect confidential information for a user. Manually initiated redaction allows for automatic redaction of all historic data for any specific user. When enabled, user names and activities are anonymised. They are also redacted from logs and database entries. This is in line with the GDPR.
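The per-user redaction described above, as an added illustration that is not d2o's code: a keyed, one-way pseudonym replaces every reference to the user in historic audit records, so activity history stays consistent and auditable while the natural person is no longer identifiable. The record layout, the HMAC key and the sample entries are constructed assumptions, not PMI's real format.

```python
import hashlib
import hmac
import json
import re

# Constructed sample audit records (not real d2o/PMI data).
SAMPLE_AUDIT_LOG = [
    {"ts": "2024-03-01T09:12:00Z", "actor": "jane.doe",
     "email": "jane.doe@example.com", "event": "settings.change",
     "detail": "jane.doe changed report currency to EUR"},
    {"ts": "2024-03-01T09:15:00Z", "actor": "admin1",
     "email": "admin1@example.com", "event": "user.change",
     "detail": "admin1 granted agent role to jane.doe"},
    {"ts": "2024-03-02T11:00:00Z", "actor": "bob",
     "email": "bob@example.com", "event": "activity",
     "detail": "bob submitted P&L for March"},
]


def pseudonym(identifier, key):
    """Stable, keyed, one-way alias for an identifier (HMAC-SHA256, truncated).

    The same user always maps to the same alias, so redacted history remains
    linkable for audit purposes; without the key the alias cannot be reversed.
    """
    digest = hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()
    return "user-" + digest[:12]


def redact_user(records, username, email, key):
    """Return a new list of records with every reference to the user replaced.

    Structured fields (actor, email) are matched exactly; free-text fields are
    scanned with word-boundary patterns so that 'bob' never clobbers 'bobby'.
    The e-mail pattern runs first because it contains the username.
    """
    alias = pseudonym(username, key)
    patterns = [
        re.compile(re.escape(email), re.IGNORECASE),
        re.compile(r"\b" + re.escape(username) + r"\b", re.IGNORECASE),
    ]
    redacted = []
    for rec in records:
        new = dict(rec)  # never mutate the caller's history in place
        if new.get("actor", "").lower() == username.lower():
            new["actor"] = alias
        if new.get("email", "").lower() == email.lower():
            new["email"] = alias + "@redacted.invalid"
        detail = new.get("detail", "")
        for pattern in patterns:
            detail = pattern.sub(alias, detail)
        new["detail"] = detail
        redacted.append(new)
    return redacted


def references_user(records, username, email):
    """Verification step: True if any field in any record still names the user."""
    needles = (username.lower(), email.lower())
    return any(
        needle in json.dumps(rec).lower() for rec in records for needle in needles
    )


if __name__ == "__main__":
    key = b"constructed-demo-key-rotate-in-production"
    cleaned = redact_user(SAMPLE_AUDIT_LOG, "jane.doe", "jane.doe@example.com", key)
    for rec in cleaned:
        print(json.dumps(rec))
    print("still identifiable:", references_user(cleaned, "jane.doe", "jane.doe@example.com"))
```

Running the redaction over a database export and a log archive with the same key keeps both stores consistent; the `references_user` check is the evidence a reviewer would ask for after a GDPR erasure request.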

HR Security

Security awareness

Policies

d2o has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to PMI information assets.


Training

All employees attend a Security Awareness Training, which is given upon hire and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.

Employee vetting

Background Checks

d2o performs background checks on all new employees in accordance with local laws. These checks are also required for contractors. The background check includes criminal, education, and employment verification.


Confidentiality Agreements

All new hires are required to sign Non-Disclosure and Confidentiality agreements.

Privacy related policies

Development security controls

Framework

d2o uses Azure DevOps, which provides developer services that allow teams to plan work, collaborate on code development, and build and deploy applications.


Quality Assurance

d2o uses code deployment controls with ownership within the DevOps lifecycle phases, such as Code Review and Staging Deployment. The dev team within the EEU approves code before it is published to Production.


Separate environments

Development and Production environments are separated in different Azure regions (i.e. geographic location as well as separate networks and resources). Access is based on user roles (RBAC) with 2FA (for higher access levels) and VPN gateways.

What information is collected?

When expressing an interest in obtaining additional information about the Services or registering to use the Services, the Company requires you to provide personal contact information, such as name, company name, address, phone number, and email address (“Required Contact Information”).

As you navigate the Company’s websites, d2o may also collect information through the use of commonly used information-gathering tools, such as cookies.

When you register for or attend corporate events, the Company will ask you to provide basic contact information, and information on your participation in the events on d2o’s Websites.


PMI Solution Integration (Client Specific Source Data)

The Company may, on a Client's request, collect Source System Data from Clients or Client-specific Integration Partners or Systems. Source System Integration may be with systems such as:

    • Points of Sale (POS)
    • F&B Reservation Systems (FRS)
    • Table Reservation System (TRS)
    • Time Keeping/Management System (TKS/TMS)
    • Property Management System (PMS)
    • Revenue Management System (RMS)
    • Sales & Catering Management System (S&C)
    • Accounting Management System (AMS)

Source data integration is important for Clients in order for specific PMI products and Services to work optimally. Source data is encrypted after import when stored for backup.


PMI Account

The Company directly collects information when you are:

    • enrolled as a PMI user (name, username, email address, title and employee number)
    • actively editing and submitting information within your specific PMI portal
    • submitting a support request

To have an account removed, send an email to support@d2o.com with the username and/or email address of the user(s) you would like to be removed. d2o will only honor account removal requests from known contacts at client organisations. If removal is not possible due to database dependencies, the username in question will instead be anonymized.

Web site cookies

d2o uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, d2o.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to d2o, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Me” form), you remain anonymous to the Company.

d2o uses cookies that are session-based and persistent-based. Session cookies exist only during one session. They disappear from your computer when you close your browser software or turn off your computer.

Persistent cookies remain on your computer after you close your browser or turn off your computer. Please note that if you disable your Web browser’s ability to accept cookies, you will be able to navigate the Company’s Websites, but you might not be able to successfully use all the Services.


Essential Cookies

Essential cookies (First Party Cookies) are sometimes called “strictly necessary” as without them we cannot provide many services that you need on the Website. For example, essential cookies help remember your preferences as you move around the Website.


Analytics Cookies

These cookies track information about visits to the Websites so that we can make improvements and report our performance. For example: analyze visitor and user behavior so as to provide more relevant content or suggest certain activities. They collect information about how visitors use the Websites, which site the user came from, the number of each user’s visits and how long a user stays on the Websites. We might also use analytics cookies to test new ads, pages, or features to see how users react to them.


Functionality or Preference Cookies

During your visit to the Websites, cookies are used to remember information you have entered or choices you make (such as your username, language or your region) on the Websites. They also store your preferences when personalizing the Websites to optimize your use of PMI, for example, your preferred language. These preferences are remembered, through the use of the persistent cookies, and the next time you visit the Websites you will not have to set them again.


IP Addresses and Social Media Features

The websites include third party social media features, such as the Facebook Like button, and third-party widgets, such as the ‘Share This’ button or interactive mini-programs that run on the websites. These features may collect your IP address, which page you are visiting on the websites, and set a cookie to enable the feature to function properly. Your interaction with these features is governed by the privacy policy of the third-party company providing it.

International transfer of information collected

The Company primarily stores Data about d2o Clients and Data about d2o.com Attendees in Norway. To facilitate d2o’s global operations, the Company may transfer and access such information from around the world, including from other countries in which the Company has operations. A list of the Company’s global offices is available here. This privacy statement shall apply even if d2o transfers Data about d2o Clients or Data about d2o Attendees to other countries.

Third party links

Occasionally, at our discretion, we may include or offer third party products or services on our website. These third-party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

GDPR Compliance

Europe General Data Protection Regulation (GDPR)

Our GDPR Commitments

At d2o, we wholeheartedly embrace the implementation and enforcement of the General Data Protection Regulation (GDPR). d2o supports approximately 500 customers and 5000 end-users in more than 10 countries (and counting).

The agreement grants customers a license to access and use PMI delivered as SaaS. In providing this service, the customers entrust d2o with processing (non-sensitive) personal data which are submitted to and stored within the service by the end-users of the customers.

In general, as a SaaS provider, d2o is committed to providing features that enable and support customers to effectively live up to their rights and duties as defined in the GDPR, including rights of a data subject (art. 13 – 22).

In case the customers, in their use of PMI services, do not have the ability to address their GDPR duties, they can trust that whenever commercially reasonable and legally permitted, d2o will loyally provide assistance to address enquiries raised by the data subjects.

Equally important, we are committed to:

    • Pursue technical and organisational good practices so that personal data is always processed in a manner that ensures appropriate security (art. 5(1)(f));
    • Be ready to demonstrate compliance and take accountability for GDPR related tasks and duties entrusted to us; and
    • Live up to the spirit of the regulation w.r.t. the fact that nothing in the DPA relieves us, as Processor, of our direct responsibilities and liabilities under the GDPR (art. 29).


PMI only allows non-sensitive personal data to be processed

In PMI, a customer can process the following non-sensitive personal data (which is necessary for the purposes of the legitimate interests (art. 6(1)(f)) stated in the Main Service Agreement): first and last name, e-mail, job title and employee number, and payroll cost, all of which are encrypted in motion and at rest. The categories of data subjects are limited to PMI system end-users and employees.

With these commitments and the type of data in mind, d2o has taken organisational and technical measures to become GDPR compliant. For more details about d2o's GDPR orientation, click here.

Personal data access outside EEA

d2o complies with GDPR and EDPB recommendations:

  • d2o does not move data outside the EU
  • Encryption of personal data, which technically prevents all d2o processors outside the EEA from identifying natural persons (be it on screen, in a screenshot or otherwise)
  • Privileges are managed by authorized personnel based within the EEA

Legal Information

Agreements

Our agreements and policies provide our customers and partners transparency and detailed information about d2o’s Services, which in turn support our customers in meeting their own legal and compliance standards.

Third party disclosure

Service Providers

d2o may share Data about d2o Clients and Data about d2o Attendees with the Company’s contracted service providers so that these service providers can provide services on our behalf. Unless described in this Privacy Statement, d2o does not share, sell, rent, or trade any information with third parties for their promotional purposes.


Affiliates

The Company may share Data about d2o Clients with other companies in order to work with them, including affiliates of the d2o corporate group. For example, the Company may need to share Data about d2o Clients for customer relationship management purposes.


Business Partners

From time to time, d2o may partner with other companies to jointly offer products or services. If you purchase or specifically express interest in a jointly offered product or service from d2o, the Company may share Data about d2o Clients collected in connection with your purchase or expression of interest with our joint promotion partner(s). d2o does not control our business partners’ use of the Data about d2o Clients we collect, and their use of the information will be in accordance with their own privacy policies. If you do not wish for your information to be shared in this manner, you may opt not to purchase or specifically express interest in a jointly offered product or service.


Third Parties

This Privacy Statement sets forth the information d2o collects on the Company’s Websites and the information we share with third parties. d2o does not authorise the collection of personal information by third parties through advertising technologies deployed on the Company’s Websites, nor do we share personal information with any third parties collected from the Company’s Websites, except as provided in this Privacy Statement.


Compelled Disclosure

d2o reserves the right to use or disclose information provided if required by law or if the Company reasonably believes that use or disclosure is necessary to protect the Company’s rights and/or to comply with a judicial proceeding, court order, or legal process.
