Putting privacy and security at the core of our business

d2o uses enterprise-class security features to ensure that your data is always protected.

Compliance Certifications

d2o Production and Development environments undergo routine audits. Compliance is continuously monitored and managed within the Microsoft Azure environment.

A SOC 2 Type 2 attestation is performed under:

  • SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).
  • SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (AICPA Guide).
  • TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria).

ISO/IEC 27701 is a privacy extension to the ISO/IEC 27001 standard for information security management. It specifies requirements and provides guidance for a Privacy Information Management System (PIMS), making the implementation of a PIMS a helpful compliance extension for the many organizations that rely on ISO/IEC 27001, as well as creating a strong integration point for aligning security and privacy controls. ISO/IEC 27701 accomplishes this integration through a framework for managing personal data that can be used by both data controllers and data processors, a key distinction for General Data Protection Regulation (GDPR) compliance.

The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Microsoft Azure maintains a PCI DSS validation using an approved Qualified Security Assessor (QSA), and is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1. The Azure Policy regulatory compliance built-in initiative for PCI DSS maps to PCI DSS compliance domains and controls.

The National Institute of Standards and Technology (NIST) SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides guidelines for the protection of controlled unclassified information (CUI) in nonfederal information systems and organizations.

The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).

Cloud Security

d2o leverages Azure data centers in the United States, Europe and East Asia. The main data centers for PMI customers reside in North Europe (Ireland) and West Europe (Netherlands).

Azure has 58 regions worldwide and has data centers available in 140 countries. Microsoft takes a layered approach to physical security to reduce the risk of unauthorised users gaining physical access to data and datacenter resources. Datacenters managed by Microsoft have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor.

Azure’s geographically dispersed datacenters comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. Azure comes with 90+ compliance offerings, the most comprehensive compliance coverage of any cloud service provider.

d2o minimises risks associated with third-party vendors by performing security reviews on vendors with any level of access to our systems or Service Data.

Dedicated Security Team

The d2o security team has members stationed in North Europe and West Asia and is on call 24/7 to respond to security alerts and events.

Protection

Our network is protected through the use of key Azure security services, integration with edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Architecture

Our network security architecture is segmented and consists of multiple security zones. Depending on the zone, additional security monitoring and access controls will apply.

Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. Microsoft Defender for Cloud provides advanced threat protection across our workloads in the cloud. Vulnerability scanning is performed on server operating systems, databases, and network devices. Blue-team and red-team exercises are also performed, and the results are used to make security improvements.

Intrusion Detection, Prevention and Incident Event Management

The secure score within Microsoft Azure continually assesses our security posture and tracks new security opportunities and efforts. It defends our workloads in real time and makes it possible to prevent security events from developing.

DDoS Mitigation

Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks.

Logical Access

Access to the d2o Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the d2o Production Network are required to use multiple factors of authentication.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage.

Encryption in Transit

All communications with the d2o UI and APIs are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and PMI is secure in transit.

Encryption at Rest

Service Data is encrypted at rest in Azure using AES-256 encryption.

Uptime

Microsoft Azure guarantees uptime availability of at least 99.06% for its services, depending on the resource and configuration. Here is a summary of the Azure SLA for each service.

Redundancy

d2o employs service clustering and network redundancies to eliminate single points of failure. Azure’s Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Disaster Recovery

Our Disaster Recovery program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

Due to Azure’s powerful global networking backbone, d2o can replicate and fail over applications to any Azure region around the globe (zone-to-zone disaster recovery, within-continent disaster recovery, and global disaster recovery).

Application Security