We recognize the importance of maintaining the confidentiality, integrity, and availability of our clients’ data and the protection of their valuable business assets and applications. Our Trust Center reflects our commitment to providing a secure environment and adopting effective security standards that exceed industry best practices in the areas of information security and compliance.
With a variety of reliable security technologies, as well as a unique combination of trained personnel, mature business processes, and regular third-party audits measured against several international and U.S. standards, we deliver a high level of security and confidence that is unmatched in the industry.
Our Trust Center describes each layer of this assurance approach to provide an overview of the compliance, data protection, and cybersecurity that we provide.
We protect the confidentiality, integrity, and availability of our clients’ data and systems, regardless of how the data is created, distributed, or stored. Security controls are applied commensurate with the risk and sensitivity of each system and data set, and in accordance with all legal and contractual obligations.
The objective of our Information Security Program is to provide staff direction and client transparency for information security and privacy requirements that are in accordance with our business requirements, as well as relevant laws and other legal obligations for data security and privacy.
We are committed to protecting our employees, partners, and clients from damaging acts that are intentional or unintentional. Effective security is a team effort involving the participation and support of every team member and vendor that interacts with our data and/or systems. Therefore, it is our responsibility to be aware of and adhere to the information security and privacy requirements.
Protecting D3 and client data, and the systems that collect, process, and maintain that data, is of critical importance. The security of systems, applications, and services therefore includes controls and safeguards to offset possible threats. Commensurate with risk, information security and privacy measures are implemented to guard against unauthorized access to, alteration, disclosure, or destruction of data and systems, including accidental loss or destruction.
The security of systems, applications, and services includes controls and safeguards to offset possible threats, as well as controls to ensure confidentiality, integrity, availability, and safety.
The requirements of the Information Security Program, in conjunction with the scope of our Trust Center, apply to all team members and vendors that support our operations. This includes all stakeholders involved in transmitting, processing, and storing D3 and client data.
Our information security requirements are comprehensive. We therefore maintain a complete set of information security and privacy policies, standards, procedures, and controls to protect our data, systems, applications, and services.
Our Information Security Program is reasonably designed to achieve the following objectives:
Our Information Security Program adheres to industry best practices for information security. We verify that our internal and external (vendors’) information security requirements align with our controls, to ensure due care and due diligence in maintaining the program.
To limit confusion, we follow a standard framework for information security documentation:
We maintain controls that support an industry-recognized framework to ensure due care and due diligence in maintaining our Information Security Program.
Our information security framework is organized into five categories of controls, the five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
Identify. We consider these controls foundational for effective information security and privacy.
Protect. These controls focus on implementing the appropriate safeguards to ensure the safe functioning of systems, applications, and services.
Detect. These controls focus on situational awareness to ensure the timely identification of, and response to, potential information security or privacy incidents.
Respond. These controls focus on the processes used to act when an information security or privacy event is detected.
Recover. These controls focus on restoring capabilities or services that were impaired during an incident.
To ensure that the confidentiality, integrity, and availability of our clients’ data are maintained, we conduct multiple internal audits and third-party audits on a scheduled basis. The written results of many of these audits are available on request.
The following table shows the types of audits and scans, plus the frequency with which they are conducted:
Our network architecture protects sensitive data through security policies and procedures that follow industry best practice.
Hardened router configurations. Routers are configured to route packets only to their proper destinations and to restrict traffic; access control lists (ACLs) on the front-end routers block common attack traffic.
Network segmentation. Our segmented network architecture prevents direct public contact or connection to our private network segment.
Distributed denial-of-service (DDoS) protection. A third-party service protects the availability of our services, even when they are under a distributed denial-of-service (DDoS) attack.
Activity log aggregation. Logs from network devices and systems are aggregated by a central log collection system and fed to a SIEM, which raises alarms for the events that warrant immediate attention.
Proactive monitoring. We continuously monitor industry communities for news of security alerts, as well as vendor and partner security changes.
VPN. Personnel connecting from outside the trusted network use a VPN; its encrypted tunnel provides secure remote connectivity for after-hours maintenance and troubleshooting. Multifactor authentication is required for all personnel with direct access to production systems.
Information Services employs a hardened, approved, and standardized build for every type of server used in the production infrastructure. The build procedure disables unnecessary default user IDs, closes unnecessary or potentially dangerous services and ports, and removes processes that are not required.
Servers are built, scanned for vulnerabilities, and remediated before being put into production.
All patches are tested using a standard process to ensure proper functioning within the operating environment before they are applied to the servers.
The same process applies to servers hosted with our cloud service providers, since we control those server builds.
We use dedicated engineers to continually update, optimize, and secure the standard build procedures, while adhering to industry best practices and regulatory requirements.
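The build, scan, and remediate steps above describe a gate that a server must pass before it reaches production. The following is an added example of such a gate, not D3’s own build tooling or baseline: it checks a snapshot of a candidate host (its passwd entries, a `passwd -S`-style lock status map, `ss -lntu`-style listening sockets, and the list of enabled systemd units) against a hardening baseline and returns every deviation. The snapshot, baseline, and input formats are constructed assumptions for illustration.

```python
"""Added example: pre-production build gate that audits a host snapshot
against a hardening baseline. Illustrative code, not D3's procedure.
All inputs below are constructed; the lock-status map mimics `passwd -S`
output and the socket text mimics `ss -lntu` with the header removed.
"""
import re

# Constructed /etc/passwd content for a candidate server.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
admin:x:0:0:legacy admin:/root:/bin/bash
svc-app:x:1001:1001:app service:/srv/app:/usr/sbin/nologin
ops:x:1002:1002:ops:/home/ops:/bin/bash
"""

# user -> "L" (locked) or "P" (usable password), as reported by `passwd -S`.
LOCK_STATUS = {"root": "P", "daemon": "L", "games": "P",
               "admin": "P", "svc-app": "L", "ops": "P"}

# Constructed `ss -lntu` output (header omitted).
LISTENING = """\
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 511 0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:5432  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23      0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:111     0.0.0.0:*
"""

# Constructed list of enabled units, as from `systemctl list-unit-files`.
ENABLED_SERVICES = ["sshd.service", "nginx.service", "postgresql.service",
                    "telnet.socket", "rpcbind.service", "cups.service"]

# Assumed baseline for this server role (a web tier with a local database).
BASELINE = {
    "allowed_ports": {("tcp", 22), ("tcp", 443)},   # exposed beyond loopback
    "allowed_services": {"sshd.service", "nginx.service", "postgresql.service"},
    "default_accounts": {"daemon", "games"},         # must be locked, no shell
}

SOCKET_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_passwd(text):
    """Return [{name, uid, shell}] for each passwd line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        rows.append({"name": name, "uid": int(uid), "shell": shell})
    return rows


def parse_sockets(text):
    """Return [(proto, local_addr, port)] for each listening socket line."""
    socks = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            socks.append((m.group(1), m.group(2), int(m.group(3))))
    return socks


def audit_build(passwd_text, lock_status, sockets_text, services, baseline):
    """Return a list of (category, detail) findings; empty means compliant."""
    findings = []
    accounts = parse_passwd(passwd_text)
    for a in accounts:
        # Only root may carry UID 0; a second UID-0 account is a backdoor risk.
        if a["uid"] == 0 and a["name"] != "root":
            findings.append(("account", f"{a['name']} has UID 0"))
        # Default accounts must be locked and must not have a login shell.
        if a["name"] in baseline["default_accounts"]:
            if lock_status.get(a["name"]) != "L":
                findings.append(("account", f"default account {a['name']} is not locked"))
            if not a["shell"].endswith(("nologin", "false")):
                findings.append(("account", f"default account {a['name']} has shell {a['shell']}"))
    # Anything listening beyond loopback must be on the allowlist.
    for proto, addr, port in parse_sockets(sockets_text):
        if addr.startswith("127.") or addr == "::1":
            continue
        if (proto, port) not in baseline["allowed_ports"]:
            findings.append(("network", f"{proto}/{port} listening on {addr}"))
    # Enabled units not in the baseline must be disabled before promotion.
    for unit in services:
        if unit not in baseline["allowed_services"]:
            findings.append(("service", f"{unit} is enabled but not in baseline"))
    return findings


def build_approved(findings):
    """The gate: a build is promoted only when no finding remains."""
    return len(findings) == 0


if __name__ == "__main__":
    for category, detail in audit_build(PASSWD, LOCK_STATUS, LISTENING,
                                        ENABLED_SERVICES, BASELINE):
        print(f"[{category}] {detail}")
```

In a real pipeline the snapshot would be captured on the freshly built server (for example by the configuration-management agent) and the gate combined with the vulnerability scan results before the change-control ticket is approved.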
Centralized logging. Events from all systems are collected and aggregated, and alerts are raised by a centralized log collection and analysis engine (SIEM) that is monitored by our security teams.
Standard change control process. All changes to any part of our infrastructure must pass a strict Change Control Process to ensure best practices and minimal service interruption for our clients.
Security information and event management. We receive real-time alerts for a variety of activities that may indicate malicious activity.
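The log aggregation, centralized logging, and SIEM points above all come down to correlation rules that turn a stream of events into alarms. The following is an added example of one such rule, not a rule from D3’s SIEM: it parses constructed OpenSSH syslog lines, raises a high-severity alarm when one source address produces five or more failed logins inside a 60-second window, and escalates to critical if that same source then logs in successfully within ten minutes. The thresholds, windows, and log lines are assumptions made for illustration.

```python
"""Added example: a minimal SIEM-style correlation rule over constructed
OpenSSH syslog lines. Illustrative code, not D3's SIEM content.
Assumed rule: >= 5 failed logins from one source within 60 s raises a
high alarm; a successful login from that source within 600 s escalates.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real data). The year is absent, as in
# traditional syslog, so timestamps are only compared relative to each other.
SAMPLE_LOGS = """\
Mar 10 12:00:01 web01 sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Mar 10 12:00:03 web01 sshd[2112]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar 10 12:00:05 web01 sshd[2115]: Failed password for root from 203.0.113.7 port 50216 ssh2
Mar 10 12:00:08 web01 sshd[2118]: Failed password for invalid user test from 203.0.113.7 port 50219 ssh2
Mar 10 12:00:09 web01 sshd[2120]: Failed password for root from 203.0.113.7 port 50221 ssh2
Mar 10 12:00:40 web01 sshd[2131]: Accepted password for deploy from 203.0.113.7 port 50230 ssh2
Mar 10 12:01:00 web01 sshd[2140]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 12:30:00 web01 sshd[2200]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5       # assumed tuning values
FAIL_WINDOW_S = 60
ESCALATION_WINDOW_S = 600


def parse_line(line):
    """Return a dict of the fields we correlate on, or None if not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "host": m["host"],
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def correlate(lines):
    """Sliding-window correlation; returns alarms in the order they fire."""
    alarms = []
    failures = defaultdict(deque)   # src -> timestamps of failures in window
    flagged_at = {}                 # src -> time the brute-force alarm fired
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["outcome"] == "Failed":
            window = failures[src]
            window.append(ts)
            while (ts - window[0]).total_seconds() > FAIL_WINDOW_S:
                window.popleft()      # drop failures older than the window
            if len(window) >= FAIL_THRESHOLD and src not in flagged_at:
                flagged_at[src] = ts
                alarms.append({"severity": "high", "rule": "ssh_bruteforce",
                               "src": src, "host": ev["host"],
                               "count": len(window), "at": ts})
        else:  # Accepted
            started = flagged_at.get(src)
            if started is not None and (ts - started).total_seconds() <= ESCALATION_WINDOW_S:
                alarms.append({"severity": "critical",
                               "rule": "ssh_success_after_bruteforce",
                               "src": src, "host": ev["host"],
                               "user": ev["user"], "at": ts})
    return alarms


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_LOGS.splitlines()):
        print(alarm)
```

The single failure from 198.51.100.4 followed much later by a successful key-based login produces no alarm, which is the point of the window: the rule fires on rate, not on any failure, so routine typos do not page anyone while a password-guessing run followed by a success does.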
We regularly scan the network and systems for security vulnerabilities. Third-party assessments are also conducted regularly (see table of audits and scans above), including:
Background checks are performed on all candidates before hiring, including screening of education, past employment, and criminal record.
Our personnel are provided training regularly on security policies and procedures, including company policies and procedures, corporate ethics, and business standards.
We maintain a comprehensive continuity of operations strategy, complete with tactical playbooks for Disaster Recovery, Business Continuity, and Incident Response.
We use a high-availability architecture to ensure that, in the event of a failure, service performance continues to meet client expectations.
We also maintain a SOC 2 Type II attestation, which covers the production, maintenance, and testing of a Disaster Recovery Plan (DRP). The current DRP is a formal procedure for recovering the entire application in a different region. The DRP is tabletop tested annually, and we also perform disaster simulations to test failover to secondary systems.