Commitment to Our Clients
Exceeding clients’ expectations is our top priority. Dstillery is committed to maintaining trust with every client through security and transparency. The following information summarizes our compliance, privacy, and operations practices for managing Dstillery’s security posture across people, processes, and technology.
Compliance Program and Reports
SOC 2 is a defined set of criteria for managing customer data, based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy. Dstillery has obtained SOC 2 Type 1 attestation, validating the design of our security processes.
Details around our security program are available under NDA. For more information about Dstillery’s compliance certifications and programs, please reach out to your Dstillery Account Executive or email firstname.lastname@example.org.
Control Environment, Communication and Information
Dstillery is committed to integrity, ethical values, and security.
Dstillery has a dedicated CISO who reports to the CEO, with responsibilities focused on enterprise security, awareness and training, vulnerability management, incident management, secure logging and monitoring, security risk management, supplier risk management, and identity and access management.
Reporting relationships and organizational structures are reviewed at least annually by senior management and adjusted as needed based on changing entity commitments and requirements.
Management has documented and maintains policies and procedures, including an Information Security Policy that is available to employees via an intranet site. Policies are reviewed at least annually and updated as needed.
The employee handbook specifies guidance for workplace behavior, code of conduct, incident reporting, and complaint resolution. New employees are required to acknowledge receipt of the employee handbook during the onboarding process.
New employees are required to sign the NDA agreement, which includes commitment to confidentiality.
New employees are subject to criminal background checks, as performed by a third-party vendor.
Educational qualifications, certifications, and experience are considered during the hiring process through the review of a resume and application.
Security awareness training is performed for new employees and annually thereafter.
The Board of Directors is governed by documented bylaws.
An independent Board of Directors meets quarterly. On at least an annual basis, the meetings will include operations, internal controls and any related deficiencies, risk assessment, and fraud considerations.
The Board of Directors includes members with expertise and experience in relevant fields and includes members independent of management.
For critical vendor relationships, Management reviews third-party attestation reports annually for exceptions and complementary user entity controls to ensure appropriate controls are in place to meet management’s commitments.
Management utilizes a Master Services Agreement and Statement of Work for all new customer relationships.
Security commitments are communicated as part of the MSA, SOW, EUA, and public-facing website.
Management conducts a risk assessment at least annually to identify and analyze internal and external risks, including financial, operational, cybersecurity, compliance, fraud, and other risks relevant to Dstillery. The mitigation plan is reviewed and approved by management.
Monitoring, Controls and Access Restrictions
The Dstillery production environment has a footprint that combines an on-premises datacenter with a public cloud, allowing data and applications to be shared between them.
Traffic to the production environment is restricted. Management utilizes monitoring software to alert management when defined thresholds are exceeded for network, host, and processing components of the production environment.
Management engages a third party to perform continuous vulnerability scans with weekly reporting. Remediation of identified critical and high-risk vulnerabilities is tracked via tickets.
Management monitors alerts, and actionable items are tracked in tickets through resolution.
Management reviews appropriateness of physical access to the data center on a semi-annual basis.
Internal system access for new hires must be approved by management prior to provisioning.
Access modification requests must be approved by the appropriate business approver.
Logical and physical access to the internal environment is revoked upon termination of employees and contractors.
Management conducts a review of user access appropriateness on a semi-annual basis.
Management conducts a review of administrative access appropriateness on a semi-annual basis.
Logical and Physical Access Controls
Authorized users are identified using unique usernames and authenticate using complex passwords.
Management has multi-factor authentication enabled for access to the production environment and infrastructure.
Access to the environment is restricted by job role and responsibility.
To ensure system availability, the data center employs UPS power systems, air conditioning systems, fire detection and suppression systems, environmental monitoring, and alert notification systems.
The datacenter’s physical security measures include:
- 24/7 onsite manned surveillance with perimeter patrols
- Video camera surveillance network
- Card reader systems
- Biometric ingress and egress points
- Anti-vehicle protections
The company’s data centers have committed to providing service levels that exceed the Tier 4 (highest) standard defined by the Uptime Institute.
Access to the company’s datacenters is limited to authorized personnel based on job function.
Employees are issued key cards which they are required to scan upon entering the office building.
An internal vulnerability scan is run every month to identify and qualitatively risk-rate required system patches. Management manually implements applicable patches.
Management maintains updated network diagrams detailing the various infrastructure components and assets within the boundaries of the system.
Management utilizes an advanced Web Application Firewall (WAF) to restrict and protect the perimeter of the production environment.
Management has in place anti-malware protection for deployed end-points.
Management has a documented change management and SDLC policy in place.
Management maintains separate development, test, and production environments.
Change tickets are documented in a ticketing tool and follow the Change Management Process for internal software, data, and infrastructure changes.
Changes are tested prior to migration to the production environment. The results of testing are retained within the ticketing system.
Management requires peer review and approval of code in order to complete a pull request to merge changes to the main branch.
Changes are approved prior to deployment into the production environment.
For changes that may cause system downtime or impact system commitments, an impact analysis and approvals are documented prior to scheduling downtime.
Backout plans are documented for releases and can be used in the event that any issues are encountered in the implementation of the change.
Data Classification, Retention and Security
Management has a documented data classification and retention policy.
Management has implemented tools to enforce the retention policy within the production environment. Records are purged in accordance with corporate retention periods.
All communication between the data center and the public cloud is via a dedicated (not public internet) secure link.
Application, database and administrative connections are secured with SSL.
Data entering the boundaries of the system (ingress) and data leaving the boundaries of the system (egress) are encrypted using SSL (e.g. HTTPS or SFTP).
Data at rest (e.g. database data and bulk storage data) is protected with user accounts, meaning only authorized accounts can access the data. Cloud SQL database data is encrypted when stored in database tables, temporary files, and backups. Large backups residing in cloud storage are encrypted at rest.
Daily incremental backups are encrypted and maintained for 30 days at an offsite facility.
Service accounts are used for inter-service communications between the database and application tiers and are not tied to individual users. Statements issued by individual accounts are logged for auditing purposes.
Management utilizes a third-party service to securely dispose of decommissioned hardware, including hard drives. A certificate of secure disposal is obtained.
Security Incident Response – Risk Mitigation, Problem Management
Management maintains appropriate levels of insurance coverage including but not limited to cyber liability insurance.
Management has a documented Incident Response Policy in place.
Customers have the ability to initiate a service request informing management of suspected incidents that affect service commitments. Management investigates suspected incidents and tracks through resolution.
Dstillery deploys various monitoring, logging, and alerting solutions to monitor logs and generate alerts for anomalies.
Management has a documented Business Continuity and Disaster Recovery Policy.
Management performs a tabletop test of its Disaster Recovery plan at least annually. Results are documented and lessons formalized.
Management performs restoration testing to test the viability of backups on an annual basis.
Management utilizes redundant infrastructure to ensure resiliency of the production environment.
Dstillery formally acknowledges those who have helped improve our overall security program through the responsible disclosure of vulnerabilities; they are credited here.