Security and Compliance

Our customers trust Dataddo to manage and protect their sensitive data. Our commitment to data security is integral to our service, as we aim to meet and exceed the security and privacy requirements of our diverse user base. This article outlines the comprehensive security measures we employ to protect your data and ensure your trust in our platform.

Our Dedication to Data Protection

Data protection is at the core of our operations. We continuously evolve our security strategies to address the dynamic challenges of the data-driven environment.

To safeguard customer data, we have implemented a robust suite of security measures, including:

  • Conducting regular audits to ensure ongoing compliance and security.
  • Performing thorough vulnerability assessments to detect and address potential security gaps.
  • Implementing multi-factor authentication (MFA) to enhance access security.
  • Encrypting confidential data to protect it from unauthorized access.
  • Maintaining strict compliance with leading global standards and regulations, underscoring our commitment to data security and privacy.

Dataddo's Built-in Security Measures

Access Control and Network Security

The security of Dataddo's infrastructure is ensured through comprehensive access control and network security measures. Our infrastructure operates within a fully isolated private network, safeguarding it from external threats. Here's how we maintain the highest security levels:

  • Role-Based Access Controls (RBAC): We limit system access strictly to authorized Dataddo engineers, employing RBAC to ensure that only personnel with the necessary clearance can interact with sensitive data.
  • Multi-Factor Authentication (MFA) via a Secure Bastion Host: Access to our systems requires MFA, adding an extra layer of security to prevent unauthorized entry.
  • Secure Bastion Host: Our secure bastion host plays a crucial role in enforcing rigorous access controls and maintaining detailed logs, making every action within our system auditable.
  • Access Management: We strictly control access to user data, allowing it only in situations concerning service reliability or with explicit user permission.

Employee Access Protocols

At Dataddo, we take the access privileges of our employees seriously:

  • Our engineers are carefully vetted, undergoing extensive background checks and regular security training.
  • Access to client data is strictly regulated, only permitted during service reliability issues, and is meticulously logged and audited to ensure it is necessary and appropriate.

By integrating RBAC, MFA, and secure bastion host protocols, Dataddo ensures that every access instance is logged and monitored, upholding our commitment to data security and user trust.

Robust Encryption Practices

Encryption plays a pivotal role in protecting your data from unauthorized access and breaches. To achieve this, we implement various encryption methods to secure your data at every stage:

Data "in Transit"

Data "in transit" refers to data that is currently moving between two systems over a network.

To protect moving data from potential eavesdropping or interception, we use Transport Layer Security (TLS) encryption. TLS provides end-to-end encryption between the sender and recipient, meaning the data is protected from any unauthorized access during transmission.

Data "at Rest"

Data "at rest" refers to data stored on a device or system.

Stored data is protected using Advanced Encryption Standard (AES) 256 encryption, which is highly secure and widely used for protecting sensitive information. Encryption keys are managed by a third-party service such as:

  • Amazon Web Services (AWS) Key Management Service (KMS)
  • Google Cloud Key Management Service
  • Azure Key Vault

The keys themselves are protected by a third-party Hardware Security Module (HSM)-backed key management service. This service stores and manages the keys in a secure environment designed to protect against attacks and unauthorized access. This ensures that your data is protected even if the underlying systems are compromised.

The security of the encryption process is further enhanced by the separation of duties between the data owner and the key custodian. The data owner retains control over their encrypted data, while the key custodian (key management service) retains control over the encryption keys. This means that there is no single point of failure and that both the data and the encryption keys are kept secure.

Credential Protection

To protect credentials (e.g., login information for third-party services) from unauthorized access, we encrypt them in the same way as data "at rest".

We also apply further network isolation to the systems that store credentials. This involves:

  • Separating the credential storage systems from other networked systems.
  • Limiting access to the systems.
  • Applying additional security measures such as firewalls and intrusion detection systems.

For more information, see our Securing Credentials article.

Granular System Auditing

Granular system auditing enables administrators to track and analyze all system activities.

Reliability Assurance

We provide an industry-leading availability guarantee for our production deployment clusters, ensuring that users can rely on Dataddo for their critical data integration tasks.

Compliance Excellence

We regularly undergo independent external verification to ensure our platform's security, privacy, and compliance. This process includes adherence to numerous international standards and regulations, demonstrating our strong commitment to security and compliance. Among these standards are:

User-Controlled Security Features

Comprehensive Auditing & Logging

We provide our users with two types of logs to track account activities:

Account-Level Logs

At the account level, Dataddo logs all user management and authentication-related activities:

  • User login and logout events
  • Password reset actions
  • Permission changes

To access these logs, navigate to the Notifications page and switch to the Activity Log tab.

Action-Level Logs

At the action level, Dataddo records all data integration activities performed by users, including data extraction operations, data transformations, and data writing operations.

Users can view detailed information about each integration operation, including:

  • Source and destination systems
  • Time and duration of the operation
  • Errors or warnings encountered during the process

These logs are designed to help users troubleshoot any issues that arise during the data integration process and monitor the performance of their integrations over time.

Users can access action-level logs by clicking on the three dots button next to a data source or data flow and selecting Show Logs.

Networking and Private Connectivity

We offer sophisticated tools to enhance the security of user data during transfer and control access within their network environment:

Login Method Selection

Dataddo provides various login methods to accommodate the diverse needs of our users. Users can select from the following options based on their preferences and requirements:

Additionally, for our enterprise customers, we provide:

  • Enterprise Identity and Access Management (IAM): Enterprise customers can enhance security and convenience by integrating Dataddo with the organization's IAM system. This allows employees to use their existing work credentials for access, simplifying the login process.

These options are designed to provide flexibility and security, ensuring that users can access Dataddo in a way that best suits their own or their organization's needs.
