Last Updated: September 18, 2024

DQLabs maintains a risk-based security program designed to protect Customer Data (including Personal Data) processed in connection with the Service. The measures below are representative and may be updated over time, provided DQLabs does not materially reduce the overall security of the Service.

1) Information Security Governance

  • Written information security policies reviewed at least annually.
  • Executive oversight of the security program and risk management.
  • Security awareness training for personnel at onboarding and periodically thereafter.
  • Background screening for personnel where permitted by law and appropriate to role.

2) Access Control

  • Principle of least privilege and role-based access controls (RBAC).
  • Unique user accounts; no shared admin accounts for DQLabs personnel.
  • Multi-factor authentication (MFA) for administrative access and privileged systems.
  • Joiner/Mover/Leaver process for provisioning and deprovisioning access.
  • Periodic access reviews for privileged roles.

3) Encryption

  • Encryption in transit using industry-standard TLS.
  • Encryption at rest for production systems where supported by underlying storage.
  • Secure key management practices (e.g., managed KMS/HSM where applicable).
  • Secrets stored in managed secret stores; secrets rotated per policy.

4) Network Security

  • Segmented network architecture for production environments.
  • Firewall rules / security groups limiting inbound/outbound traffic.
  • DDoS protection and traffic filtering where applicable.
  • Restriction of administrative interfaces to approved networks and MFA.

5) Secure Development Lifecycle (SDLC)

  • Secure coding practices and peer review for code changes.
  • Automated scanning for dependencies and known vulnerabilities where applicable.
  • Separation of development, staging, and production environments.
  • Change management controls for production deployments.

6) Vulnerability Management

  • Vulnerability identification via scanning tools and/or periodic assessments.
  • Remediation based on severity and risk.
  • Patch management processes for systems within DQLabs control.
  • Penetration testing performed periodically by qualified parties (where applicable).

7) Logging and Monitoring

  • Centralized logging for key production systems.
  • Monitoring and alerting for suspicious activity and availability events.
  • Audit logs for privileged operations where feasible.
  • Log retention aligned to security and compliance needs.

8) Incident Response

  • Documented incident response plan, including roles, escalation, and communication.
  • Security incident tracking, triage, containment, eradication, and recovery steps.
  • Customer notification procedures aligned with contractual and legal requirements.

9) Business Continuity and Disaster Recovery

  • Backup strategies and recovery procedures for critical systems.
  • Disaster recovery planning and periodic testing (as applicable).
  • High availability design patterns where feasible.

10) Subprocessor and Supplier Security

  • Security and privacy diligence for key subprocessors.
  • Contractual requirements for confidentiality and data protection obligations.
  • Ongoing review of subprocessor changes as described in the DPA.

11) Data Handling and Minimization

  • Customer configuration controls to limit ingestion/processing where applicable.
  • Data minimization and purpose limitation aligned with service delivery.
  • Controlled access to Customer Data for support with logging and approvals where feasible.

12) Physical Security

  • Production hosting environments are provided by reputable cloud providers that maintain physical security controls, including controlled facility access and monitoring.

13) Customer Responsibilities (Shared Responsibility)

Customer is responsible for:

  • Configuring access controls, SSO/MFA where available, and user permissions.
  • Maintaining security of Customer credentials and connected systems.
  • Ensuring lawful collection and submission of Personal Data to the Service.