Information Security and Privacy Statement
Last Updated: January 4, 2022
At Datapeople, industry best practices and trust is woven into every aspect of our business. To keep data safe, we deploy industry-leading solutions and continuously monitor our cloud-based infrastructure so that our customers can rest easy knowing that their information is protected 24/7 within our network.
Our approach includes the utilization of information security frameworks such as NIST ISO 27000 series.
Datapeople is SOC2 Type II Certified.
Datapeople is EU-US / Swiss-US Privacy Shield Certified.
Physical Security Standards
Our servers are hosted on Amazon Web Services (AWS) who provide robust physical data security and environmental controls.
Employee computers come pre-installed with enterprise-level security and device management software. Computer hard drives are encrypted, and all recycled/decommissioned hardware and media are sanitized. We actively monitor our employee computers to ensure they meet with our compliance and security best practice guidelines.
All customer data is encrypted at rest and in transit. Our databases and server hard-drives use AES 256 encryption standards for encryption at rest. All customer and API access over the public internet is encrypted with SSL/HTTPS. Customer data behind our firewall is encrypted in transit with TLS 1.2.
We only collect and process information that our customers provide us. Our customers own their own data. As part of our commitment to our customers, US/EU Privacy Shield, we maintain a Data Privacy Officer and methods for contact for any questions or concerns.
Customer data is hosted in secure databases properly hardened and secured from non-production environments. All access to the database is tightly controlled and locked down by ensuring least privilege, quarterly access reviews, and ensuring that only individuals that maintain access are properly authorized.
Our application servers are secured behind industry-standard firewalls with locked down ports. We support multiple industry level Single-Sign-on providers. Customers can designate admins who can centrally provision and deprovision users and manage role-based access permissions either on our platform or via their Applicant Tracking System if an API-based integration is put in place. Passwords are encrypted in transit and stored salted and hashed.
Application access privileges are audited on a quarterly basis.
We ensure that our internal network is properly maintained with vulnerability and patch management. We use enterprise standard key management policies with regular key rotation.
Incident Response and Disaster Recovery
We have well-defined incident response and disaster recovery policies. We do daily backups, and backups are tested on a frequent basis. In the event that any unauthorized access is discovered, Datapeople staff will:
- Activate our Incident Response Team
- Notify our CISO and Information Security Team
- Immediately reset all relevant passwords and revoke relevant keys
- Notify Datapeople Engineering, Product, and Customer Success teams
- Notify affected customers (if any) of the intrusion and if/how their data was compromised within 24-72 hours of a confirmed incident
- Conduct a system audit to identify the source of the breach
- Define system or process improvement tasks to avoid incidents in the future
- Communicate affected customers (if any) of the improvement plan, and update customers as improvements are deployed
- Hire a third-party security or data forensics firm to assist with our investigation, if needed, based on the severity
Security, Privacy Training, and Compliance
During their tenure, all Datapeople employees undergo annual security and privacy training. All employees and contractors sign confidentiality agreements and receive training on data handling policies and practices. We maintain an open channel with our employees for reporting and discussing information security knowledge for on-going training purposes.
All employees and contractors of Datapeople are required to complete a background check prior to access to any systems or services.
Information Security, Risk Management, Compliance, Privacy Management Oversight
Datapeople has selected James D Grisham as their Chief Information Security Officer and Data Privacy Officer. The CISO/DPO at Datapeople provides strategy, consulting, oversight, and governance throughout the company and is actively involved in mapping the security program to business strategy. The CISO/DPO reports to the CEO.