Putting privacy and security at the CORE OF OUR BUSINESS

d2o uses enterprise-class security features to ensure that your data is always protected.

Compliance Certifications

d2o Production and Development environments undergo routine audits. Compliance is continuously monitored and managed within the Microsoft Azure environment.

A SOC 2 Type 2 attestation is performed under:

  • SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).
  • SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (AICPA Guide).
  • TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria).

ISO/IEC 27701 extends ISO/IEC 27001, the standard for information security management. It specifies requirements and provides guidance for a Privacy Information Management System (PIMS), making the implementation of a PIMS a helpful compliance extension for the many organizations that rely on ISO/IEC 27001, as well as creating a strong integration point for aligning security and privacy controls. ISO/IEC 27701 accomplishes this integration through a framework for managing personal data that can be used by both data controllers and data processors, a key distinction for General Data Protection Regulation (GDPR) compliance.

The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Microsoft Azure maintains a PCI DSS validation using an approved Qualified Security Assessor (QSA), and is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1. The Azure Policy regulatory compliance built-in initiative for PCI DSS maps to PCI DSS compliance domains and controls.

The National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides guidelines for the protection of controlled unclassified information (CUI) in nonfederal information systems and organizations.

The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).

Cloud Security

d2o leverages Azure data centers in the United States, Europe and East Asia. The main data centers for PMI customers reside in North Europe (Ireland) and West Europe (Netherlands).

Azure has 58 regions worldwide and data centers available in 140 countries. Microsoft takes a layered approach to physical security to reduce the risk of unauthorised users gaining physical access to data and datacenter resources. Datacenters managed by Microsoft have extensive layers of protection: access approval at the facility's perimeter, at the building's perimeter, inside the building, and on the datacenter floor.

Azure's geographically dispersed datacenters comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. Azure comes with 90+ compliance offerings, the most comprehensive compliance coverage of any cloud service provider.

d2o minimises risks associated with third-party vendors by performing security reviews on vendors with any level of access to our systems or Service Data.

Dedicated Security Team

The d2o security team has members stationed in North Europe and West Asia and is on call 24/7 to respond to security alerts and events.

Protection

Our network is protected through the use of key Azure security services, integration with edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Architecture

Our network security architecture is segmented and consists of multiple security zones. Depending on the zone, additional security monitoring and access controls will apply.

Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. Microsoft Defender for Cloud provides advanced threat protection across our workloads in the cloud. Vulnerability scanning is performed on server operating systems, databases, and network devices. Blue- and Red-team exercises are also performed, and the results are used to make security improvements.

Intrusion Detection, Prevention and Incident Event Management

The secure score within Microsoft Azure continually assesses our security posture and tracks new security opportunities and efforts. It defends the workloads in real time and makes it possible to immediately prevent security events from developing.

DDoS Mitigation

Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks.

Logical Access

Access to the d2o Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the d2o Production Network are required to use multiple factors of authentication.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage.

Encryption in Transit

All communications with d2o UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and PMI is secure during transit.

Encryption at Rest

Service Data is encrypted at rest in Azure using AES-256 encryption.

Uptime

Microsoft Azure guarantees uptime availability of at least 99.06% for their services, depending on the resource and configuration. Here is a summary of the Azure SLA for each service.

Redundancy

d2o employs service clustering and network redundancies to eliminate single points of failure. Azure's Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Disaster Recovery

Our Disaster Recovery program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

Due to Azure's powerful global networking backbone, d2o can replicate and fail over applications to any Azure region around the globe (zone-to-zone disaster recovery, within-continent disaster recovery, and global disaster recovery).

Application Security

This Privacy Policy Statement covers the information practices of PMI Solutions, including services such as:

  • PMI R&P (Revenue and Productivity)
  • PMI P&L (Profit and Loss)
  • PMI GoGreen
  • PMI Task Manager
  • PMI Plus (Extended version of R&P and P&L modules)

This Privacy Policy Statement also covers the information practices of websites that link to this privacy statement, including domains such as:

  • *.d2o.biz
  • *.d2o.com
  • *.d2o.no

The wildcard (*) means that any subdomain of the listed domains is covered.

Secure Code Training

d2o provides secure code training for engineers, based on the OWASP Top Ten security risks. d2o also runs Red and Blue team training at regular intervals.

Framework Security Controls

d2o leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Quality Assurance

Our Quality Assurance department reviews and tests our code base. Dedicated personnel test and triage security vulnerabilities in code.

The triage process divides all identified issues into three categories: Fix, Acknowledge and Investigate, following the Vulnerability Management guidance published by the NCSC.

Separate Environments

Test environments are logically separated from the Production environment.

Dynamic Vulnerability Scanning

We employ third-party security tooling to continuously and dynamically scan our core applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.

Software Composition Analysis

We scan the libraries and dependencies used in our products to identify vulnerabilities and ensure the vulnerabilities are managed.

Third-Party Penetration Testing

In addition to our internal scanning and testing program, d2o employs third-party security experts to perform detailed penetration tests.

Product Security

Authentication Options

d2o has two different authentication options. Customers can enable native PMI authentication or Enterprise Single Sign-On (SSO) with Office365 for end-user and/or agent authentication.

Password Policy

The current policy requires passwords to contain at least 8 characters. The password must also contain a lower-case letter, an upper-case letter, a number and a special character.

2-Factor Authentication (2FA)

d2o native authentication for the PMI backbone and development environments provides two-factor authentication (2FA) for BRE, agents and admins via SMS or an authenticator app.

Service Credential Storage

d2o follows secure credential storage best practices by never storing passwords in human-readable format, and only as the result of a secure, salted, one-way hash.

Role-Based Access Controls

Access to data within PMI applications is govern