In order to safeguard the data that is entrusted to us, Dado utilizes a defense-in-depth approach to implement layers of security controls throughout our organization. Key elements of our different control layers are outlined below.
By default, Dado encrypts data in transit (using SSL and TLS 1.2+) and at rest (using two encryption layers).
Our serverless, micro-service based architecture reduces the attack surface, and enables physical separation between services and environments, as well as granular access control.
Dado’s systems run on Google Cloud, an industry leader in providing secure cloud environments, and utilize the broad range of security features of the platform.
Dado uses a wide range of system monitoring, logging and real-time alerting, as well as regular vulnerability and static code scans.
Data in the application database and filestores is backed up for disaster recovery purposes daily. Data restoration procedures are tested annually.
Regular penetration testing
Dado commissions external security assessments and penetration testing by a vetted third party annually, and resolves any issues identified within SLAs.
People and process controls
Least privilege, role-based access
Access to all systems is granted on a least privilege model, based on role requirements, and audited quarterly. SSO and MFA are enforced wherever available.
Employees receive security training upon starting work and annually thereafter. Software engineers receive additional training on secure coding practices.
Employees who will have access to secure systems or customer data are screened before they start work, including criminal records and reference checks.
Change management process
Dado’s structured approach to software changes requires all alterations to be reviewed from a product, technical and security perspective before release. Deployment privileges are tightly restricted.
Our vendor management program ensures all service providers meet Dado’s security and privacy standards. Vendors with a critical role in our business or with access to confidential or sensitive data are reviewed annually.
Dado conducts annual risk assessments and maintains a formal risk register. Our Risk Committee meets monthly to review policies and update and define controls and procedures.
Privacy & GDPR
Data storage and destruction
Dado is a bridging system between other tools and stores no more data than strictly necessary. In accordance with GDPR, all other user-related information is discarded once the legally required retention thresholds are reached.
Dado reviews the data protection policies and GDPR compliance of all sub-processors and maintains a list of data sub-processors.