At Digistorm, keeping your data safe and secure is our number one priority. As transparency is one of the key principles on which our company is built, we believe that it’s important to always provide our clients with clear information about our security practices.
If you have additional questions regarding security, we are happy to answer them. Please write to security@digistorm.com and we will respond as quickly as we can.
Company
Confidentiality
We place strict controls over our employees’ access to the data you and your users make available via the Digistorm services, as more specifically defined in your agreement with Digistorm covering the use of the Digistorm services (“Customer Data”). The operation of the Digistorm services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the Digistorm services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so.
All of our employees and contract personnel are bound by our policies regarding Customer Data and we treat these issues as matters of the highest importance within our company.
Personnel practices
All Digistorm employees are required to consent to thorough background checks before joining our team and are required to complete security training as part of their onboarding process.
Compliance
Digistorm is actively working to achieve ISO 27001 and ISO 27018 compliance.
The environment that hosts the Digistorm services maintains multiple certifications for its data centres, including ISO 27001 compliance, PCI certification and SOC reports. For more information about their certification and compliance, please visit the AWS Security website and AWS Compliance website.
External security audits
Digistorm is enrolled in a private Vulnerability Discovery Program (VDP) with Bugcrowd. Security researchers perform extensive penetration tests on our services to expose potential vulnerabilities. In response to the VDP reports, we regularly implement a number of proactive measures to harden the service’s security and reduce risk.
Incident management & response
Digistorm has firm processes in place in the event of a security breach. Digistorm will notify you immediately if there has been any unauthorised access to your Customer Data. Digistorm has incident management policies and procedures in place to handle such an event. For our Australian clients, we also opt in to the Notifiable Data Breach Scheme (NDBS), where we will submit an assessment of the breach to the OAIC.
Product
Security features for team members & administrators
In addition to the work we do at the infrastructure level, we provide Administrators of Digistorm services with additional tools to enable their own users to protect their Customer Data.
Single sign-on
Digistorm allows users to authenticate to their Digistorm products using their own single sign-on identity provider, including Google Apps, Office 365 and more.
Product security practices
Our security team, working closely with our team of developers, performs a series of quality assurance checks on all new features that we add to our products. Before we deploy any new functionality or design, our code is audited with automated static analysis software and then we perform a manual peer review.
Data
Deletion of customer data
Digistorm customers can request to permanently delete Customer Data at any time. Within 48 hours of a deletion request, Digistorm hard deletes all information from production systems, and backups are destroyed within 30 days.
Return of customer data
We offer the ability for account owners to gain access to Customer Data through in-app export tools and APIs.
Data encryption in transit and at rest
At Digistorm, we utilise the latest recommended cipher suites and protocols, ensuring encryption of data in transit and at rest. We monitor and perform regular updates to our services to respond to any cryptographic weaknesses.
Disaster recovery
We store all Customer Data in multiple locations within our hosting provider’s data centres. This ensures that our backup and restoration procedures can activate in the case of any disaster. We ensure that all Customer Data and source code are regularly backed up, and that our team will be notified in the event of a backup failure.
Architecture
Availability
We have systems in place to ensure that our infrastructure remains stable and able to withstand failures of individual servers or data centres. We regularly test our disaster recovery measures, and have a support team ready to work on any unexpected incidents.
Network protection
We have implemented two-factor authentication for all server access across our production environment. In addition, we have configured firewalls to protect our environments, and AWS security groups ensure that any unnecessary ports are blocked.
Host management
Production hosts are automatically scanned for vulnerabilities and our team responds quickly to remediate any findings that present a risk to our environment.
Logging
Digistorm keeps extensive centralised logs within its production environment. These logs contain information related to security, access, monitoring, availability and more. Automated monitoring software analyses these logs and our security team is notified of security events.