Dotdigital’s Information Security Management System (ISMS) has been built around the ISO 27001:2013 framework; designed to preserve the Confidentiality, Integrity, and Availability (CIA) of Information. This is managed by a dedicated Information Security Team and is bolstered by Data Protection, Privacy, and Compliance programs which are overseen by our Data Protection Officer (DPO). Set out below are some of the controls and measures we take in the protection of information:
Pseudonymisation and Encryption
- Data is transferred over TLS.
- Data is secured at rest using AES encryption.
- Emails campaigns are sent using opportunistic TLS, using authentication and validation systems such as DKIM and DMARC
- Platform passwords are one-way hashed.
- Email addresses are hashed when written to MTA logs
Confidentiality
- Network Firewalls rules govern what can access our infrastructure.
- Web Application Firewalls detect and block malicious web requests.
- Role-based permissions are used to control staff access to systems and data.
- Our web login page and API enforce rate limiting to protect against brute force attacks.
- Web portal login can be further protected by optional two-factor authentication.
- Staff administrative access to infrastructure is tightly controlled and employs multi-factor authentication protection.
- A monthly patching cycle is in place to ensure the latest security updates have been applied
- Your account access rights (import, export, read, write and send) are configurable to your needs and managed by your administrator user.
- All your users are set up in the platform by your administrator. Verification is by email and SMS.
- Annual independent penetration testing is performed by Crest Accredited security consultancies.
- Annual Cyber Essentials Plus audits
- An ongoing vulnerability scanning and management program is in place
- Accounts (and the data within them) are deleted 90 days after cancellation
Integrity
- All data is virus scanned when uploaded to the platform.
- Virus scan technology is implemented throughout our infrastructure.
- Machines are built from approved hardened images and verified in third party security assessments.
- Our Watchdog service constantly monitors customer contact uploads. If these change from a usual pattern it automatically stops uploading. This process also protects our customers from sending to spam traps that can affect delivery
- Employees are DBS checked
- Event logging and account auditing is in place
Availability
- Only Cloud Service Providers with industry-leading uptime SLA’s are used
- Our data centers are connected to the internet with redundant internet links and bandwidth can be easily upgraded on requirement.
- Business continuity and Disaster Recovery policies and procedures are in place and are tested.
- There is redundancy at every component and service level, as well as spare capacity, so we can scale our servers on demand. This means Dotdigital can continue to run for prolonged periods even after experiencing major component failures, and we don’t run out of space.
- We have restore points for critical data taken every 5 minutes. Backup data is securely kept in the same geographic regions, yet sufficiently distant to ensure data is not lost in the event of a disaster, whilst complying with local data protection regulations.
- The platform employs anti-DoS and DDoS technology.
