d2o Production and Development environments undergo routine audits. Compliance is continuously monitored and managed within the Microsoft Azure environment.

ISO/IEC 27001  standard for information security management. It specifies requirements and provides guidance for a Privacy Information Management System (PIMS), making the implementation of PIMS a helpful compliance extension for the many organizations that rely on ISO/IEC 27001, as well as creating a strong integration point for aligning security and privacy controls. ISO/IEC 27701 accomplishes this integration through a framework for managing personal data that can be used by both data controllers and data processors, a key distinction for General Data Protection Regulation (GDPR) compliance.

d2o Production and Development environments undergo routine audits. Compliance is continuously monitored and managed within the Microsoft Azure environment.

The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Microsoft Azure maintains a PCI DSS validation using an approved Qualified Security Assessor (QSA), and is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1. Azure Policy regulatory compliance built-in initiative for PCI DSS maps to PCI DSS compliance domains and controls.

d2o Production and Development environments undergo routine audits. Compliance is continuously monitored and managed within the Microsoft Azure environment.

The National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides guidelines for the protection of controlled unclassified information (CUI) in nonfederal information systems and organizations.

d2o Production and Development environments undergo routine audits. Compliance is continuously monitored and managed within the Microsoft Azure environment.

The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).

d2o minimises risks associated with third-party vendors by performing security reviews on vendors with any level of access to our systems or Service Data.

Dedicated Security Team

The d2o security team has members stationed in North Europe and West Asia and is on call 24/7 to respond to security alerts and events.

Protection

Our network is protected through the use of key Azure security services, integration with edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Architecture

Our network security architecture is segmented and consists of multiple security zones. Depending on the zone, additional security monitoring and access controls will apply.

Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. Microsoft Defender for Cloud provides advanced threat protection across the workloads in the cloud. Vulnerability scanning is performed on server operating systems, databases, and network devices. Blue and Red-team exercises are also performed and the results are used to make security improvements.

Intrusion Detection, Prevention and Incident Event Management

The secure score within Microsoft Azure continually assesses the security posture and track new security opportunities and efforts. It defends the workloads in real-time and makes it possible to immediately prevent security events from developing.

DDoS Mitigation

Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks.

Logical Access

Access to the d2o Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the d2o Production Network are required to use multiple factors of authentication.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage.

Encryption in Transit

All communications with d2o UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and PMI is secure during transit.

Encryption at Rest

Service Data is encrypted at rest in Azure using AES-256 key encryption.

Uptime

Microsoft Azure guarantees uptime availability of at least 99.06% for their services depending of resource and configuration. Here is a summary of Azure  SLA for each service.

Redundancy

d2o employs service clustering and network redundancies to eliminate single points of failure. Azure Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Disaster Recovery

Our Disaster Recovery program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

Due to Azures powerful global networking backbone, d2o can replicate and fail over applications to any Azure region around the globe (zone-to-zone disaster recovery, within-continent disaster recovery, and global disaster recovery).

Secure Code Training

d2o provide secure code training for engineers, based on OWASP Top Ten  security risks. d2o also employ Red and Blue team training with regular intervals.

Framework Security Controls

d2o leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Quality Assurance

Our Quality Assurance department reviews and tests our code base. Dedicated personnel test, and triage security vulnerabilities in code.

Triage process should divide all issues identified into three categories: Fix, Acknowledge and Investigate. Vulnerability Management guidance by NCSC

Separate Environments

Test environments is logically separated from the Production environment.

Dedicated Security Team

The d2o security team has members stationed in North Europe and West Asia and is on call 24/7 to respond to security alerts and events.

Protection

Our network is protected through the use of key Azure security services, integration with edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Architecture

Our network security architecture is segmented and consists of multiple security zones. Depending on the zone, additional security monitoring and access controls will apply.

Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. Microsoft Defender for Cloud provides advanced threat protection across the workloads in the cloud. Vulnerability scanning is performed on server operating systems, databases, and network devices. Blue and Red-team exercises are also performed and the results are used to make security improvements.

Intrusion Detection, Prevention and Incident Event Management

The secure score within Microsoft Azure continually assesses the security posture and track new security opportunities and efforts. It defends the workloads in real-time and makes it possible to immediately prevent security events from developing.

DDoS Mitigation

Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks.

Logical Access

Access to the d2o Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the d2o Production Network are required to use multiple factors of authentication.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage.

Role-Based Access Controls

Access to data within PMI applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges. PMI supports various permission levels for users (owner, admin, agent, end-user, etc.).

Audit Logs

d2o offers Audit Logs. These logs include account changes, user changes, activity and settings changes. A redacted Audit Log is available within PMI for any specific customer. Complete Audit logs for production resources are available within the Azure framework.

Redaction

d2o use  manual redaction for removing sensitive data. Manual redaction provides the ability to redact or remove sensitive data to protect confidential information for a user. Manually initiated  redaction allows for automatic redaction of all historic data for any specific user. When enabled, user names and activities are anonymised. They are also redacted from logs and database entries. This is inline with GDPR initiative.

Background Checks

d2o performs background checks on all new employees in accordance with local laws. These checks are also required for contractors. The background check includes criminal, education, and employment verification.

Confidentiality Agreements

All new hires are required to sign Non-Disclosure and Confidentiality agreements.

When expressing an interest in obtaining additional information about the Services or registering to use the Services, the Company requires you to provide personal contact information, such as name, company name, address, phone number, and email address (“Required Contact Information”).

As you navigate the Company’s websites, d2o may also collect information through the use of commonly used information-gathering tools, such as cookies.

When you register for or attend corporate events, the Company will ask you to provide basic contact information, and information on your participation in the events on d2o’s Websites.

PMI Solution Integration (Client Specific Source Data)

The Company may, on Clients request, collect Source System Data from Clients or Client specific Integration Partners or Systems. Source System Integration may be with systems such as:

• • Points of Sale (POS)
  • F&B Reservation Systems (FRS)
  • Table Reservation System (TRS)
  • Time Keeping/Management System (TKS/TMS)
  • Property Management System (PMS)
  • Revenue Management System (RMS)
  • Sales & Catering Management System (S&C)
  • Accounting Management System (AMS)

Source data integration is important for Clients in order for specific PMI products and Services to work optimally. Source data is encrypted after import when stored for backup.

PMI Account

The Company directly collects information when you are:

• • enrolled as a PMI user (name, username, email address, title and employee number)
  • actively editing and submitting information within your specific PMI portal
  • submit a support request

The way to have an account removed is to send an email to support@d2o.com with the username and/or email address of the user(s) you would like to be removed. d2o will only honor account removal requests from known contacts at client organisations. If the removal, due to database dependencies, is not possible the username in question will be else anonymized.

d2o uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, d2o.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to d2o, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Me”), you remain anonymous to the Company.

d2o uses cookies that are session-based and persistent-based. Session cookies exist only during one session. They disappear from your computer when you close your browser software or turn off your computer.

Persistent cookies remain on your computer after you close your browser or turn off your computer. Please note that if you disable your Web browser’s ability to accept cookies, you will be able to navigate the Company’s Websites, but you might not be able to successfully use all the Services.

Essential Cookies

Essential cookies (First Party Cookies) are sometimes called “strictly necessary” as without them we cannot provide many services that you need on the Website. For example, essential cookies help remember your preferences as you move around the Website.

Analytics Cookies

These cookies track information about visits to the Websites so that we can make improvements and report our performance. For example: analyze visitor and user behavior so as to provide more relevant content or suggest certain activities. They collect information about how visitors use the Websites, which site the user came from, the number of each user’s visits and how long a user stays on the Websites. We might also use analytics cookies to test new ads, pages, or features to see how users react to them.

Functionality or Preference Cookies

During your visit to the Websites, cookies are used to remember information you have entered or choices you make (such as your username, language or your region) on the Websites. They also store your preferences when personalizing the Websites to optimize your use of PMI, for example, your preferred language. These preferences are remembered, through the use of the persistent cookies, and the next time you visit the Websites you will not have to set them again.

IP Addresses and Social Media Features

The websites include third party social media features, such as the Facebook Like button, and third-party widgets, such as the ‘Share This’ button or interactive mini-programs that run on the websites. These features may collect your IP address, which page you are visiting on the websites, and set a cookie to enable the feature to function properly. Your interaction with these features is governed by the privacy policy of the third-party company providing it.

The Company primarily stores Data about d2o Clients and Data about d2o.com Attendees in Norway. To facilitate d2o’s global operations, the Company may transfer and access such information from around the world, including from other countries in which the Company has operations. A list of the Company’s global offices is available here. this privacy statement shall apply even if d2o transfers data about d2o clients or data about d2o attendees to other countries.

Occasionally, at our discretion, we may include or offer third party products or services on our website. These third-party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

d2o complies with GDPR and EDPB recommendations:

• d2o does not move data outside EU
• Encryption of personal data which technically prevent all d2o processors outside EEA to identify natural persons (be it on screen, print screen or otherwise)
• The privileges are managed by authorized personnel based within EEA

Service Providers

d2o may share Data about d2o Clients and Data about d2o Attendees with the Company’s contracted service providers so that these service providers can provide services on our behalf. Unless described in this Privacy Statement, d2o does not share, sell, rent, or trade any information with third parties for their promotional purposes.

Affiliates

The Company may share Data about d2o Clients with other companies in order to work with them, including affiliates of the d2o corporate group. For example, the Company may need to share Data about d2o Clients for customer relationship management purposes.

Business Partners

From time to time, d2o may partner with other companies to jointly offer products or services. If you purchase or specifically express interest in a jointly offered product or service from d2o, the Company may share Data about d2o Clients collected in connection with your purchase or expression of interest with our joint promotion partner(s). d2o does not control our business partners’ use of the Data about d2o Clients we collect, and their use of the information will be in accordance with their own privacy policies. If you do not wish for your information to be shared in this manner, you may opt not to purchase or specifically express interest in a jointly offered product or service.

Third Parties

This Privacy Statement sets forth the information d2o collects on the Company’s Websites and the information we share with third parties. d2o does not authorise the collection of personal information by third parties through advertising technologies deployed on the Company’s Websites, nor do we share personal information with any third parties collected from the Company’s Websites, except as provided in this Privacy Statement.

Compelled Disclosure

d2o reserves the right to use or disclose information provided if required by law or if the Company reasonably believes that use or disclosure is necessary to protect the Company’s rights and/or to comply with a judicial proceeding, court order, or legal process.