Security & Compliance
Last Updated on 22-01-2021
Application Level Security
We prevent single points of failure. Even if there is an interruption to one system, the rest of our services stay up and secure. All login pages pass data via SSL/TLS for public and private networks, and only support certificates signed by well-known Certificate Authorities (CAs). All personally identifiable information (PII) is encrypted while in transit using state of the art encryption to ensure the security of user IDs and passwords. Pulsitive application passwords are hashed and even our own staff can’t retrieve them. A lost password must be reset.
ISO27001 and GDPR Readiness
The European Union’s General Data Protection Regulation (GDPR) is an unprecedented privacy regulation in terms of its breadth, depth, and impact. The GDPR has taken effect on May 25, 2018, and we’re naturally compliant. The GDPR extends the reach of the European Union’s data protection laws and establishes many new requirements for organizations that fall under its scope. Our team is ready to meet and exceed these new requirements.
A few of the major GDPR changes:
- The GDPR gives EU residents the "right to be forgotten" by controllers and processors. If a data subject requests their data to be removed, controllers are responsible for securely deleting the data from their systems and ensuring processors delete data as well.
- The GDPR outlines specific requirements for notifications in the event of a data breach. Organizations who experience a data breach must notify data protection authorities, and in certain cases, they must also notify the data subject.
- The GDPR now extends to organizations who monitor the behavior of EU residents online. This includes e-mail tracking as well as tracking of user behavior on an organization’s website.
- The GDPR centralizes the regulation of processing of EU resident data. All processing of personal data belonging to residents of the EU will be governed by the GDPR, regardless of the member state in which the data subject resides.
DigitalOcean is certified in the international standard ISO/IEC 27001:2013. By achieving compliance with this globally recognized information security controls framework, audited by a third-party, DigitalOcean has demonstrated a commitment to protecting sensitive customer and company information. That commitment doesn’t end with a compliance framework, but is necessary baseline for security. In addition to this Digital Ocean holds SOC 1, SOC 2 and PCI-DSS Certifications for it’s Amsterdam Infrastructure.
Data Centers
Pulsitive’s products run on world-class infrastructure hosted by Digital Ocean. Our data center is located in Amsterdam, The Netherlands and data never leaves Europe. Digital Ocean’s infrastructure is co-located in some of the most respected datacenter facility providers in the world. We leverage all of the capabilities of these providers including physical security and environmental controls to secure our infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry. Security controls provided by our datacenter facilities includes but is not limited to:
- 24/7 Physical security guard services
- Physical entry restrictions to the property and the facility
- Physical entry restrictions to our co-located datacenter within the facility
- Full CCTV coverage externally and internally for the facility
- Biometric readers with two-factor authentication
- Facilities are unmarked as to not draw attention from the outside
- Battery and generator backup
- Generator fuel carrier redundancy
- Secure loading zones for delivery of equipment
Infrastructure Security
DigitalOcean's infrastructure is secured through a defense-in-depth layered approach. Access to the management network infrastructure is provided through multi-factor authentication points which restrict network-level access to infrastructure based on job function utilizing the principle of least privilege. All access to the ingress points are closely monitored, and are subject to stringent change control mechanisms.
Systems are protected through key-based authentication and access is limited by Role-Based Access Control (RBAC). RBAC ensures that only the users who require access to a system are able to login. We consider any system which houses customer data that we collect, or systems which house the data customers store with us to be of the highest sensitivity. As such, access to these systems is extremely limited and closely monitored.
Additionally, hard drives and infrastructure are securely erased before being decommissioned or reused to ensure that your data remains secure.
Access Logging
Systems controlling the management network at DigitalOcean log to our centralized logging environment to allow for performance and security monitoring. Our logging includes system actions as well as the logins and commands issued by our system administrators.
Security Monitoring
DigitalOcean's Security team utilizes monitoring and analytics capabilities to identify potentially malicious activity within our infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are performed following our incident reporting and response procedures.
Network Security
Your data is protected between you and our systems. We take multiple steps to prevent eavesdropping between you and our systems, as well as within our infrastructure. All network traffic runs over SSL/HTTPS, the most common and trusted communications protocol on the Internet. Internal infrastructure is isolated using strict firewalls and network access lists. Each system is designated to a firewall security group by its function. By default, all access is denied and only explicitly allowed ports are exposed. Persistence and storage layers are encrypted and secured behind VPN & VPC firewalls.
Restricted Access
Only people who need access, get access. Production system access is limited to key members of the Pulsitive engineering team and use of passwords is expressly forbidden. We solely use public/private key pairs to authenticate with our servers.
Data Protection, Continuity and Retention
We backup and test our systems, just in case. Production data is automatically backed up daily. We test our recovery procedures regularly by restoring from backup and simulating recovery of a production database. Our backup retention for all systems is thirty (30) days. In case of termination of the contract with a customer, we delete all customer and personal data within 30 days.
Address
Bredaseweg 8,
Breda, 4844 CL,
Netherlands