DiploAI has rebranded to Daptic.
Security

Security sits at the heart of everything we do

Our commitment to improving our customers’ regulatory compliance starts with ensuring the highest levels of protection for your systems and data.

Governance
Security and Compliance at Daptic
Evaluated by independent, third-party auditors
  • Annual SOC-2 certification audits
  • Annual penetration testing
  • Bi-monthly legal evaluation of data accuracy

DiploAI’s Security and Privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.
Our policies are based on the following foundational principles:
01. Security protocols should be layered and constructed based on a multi-tiered safeguarding approach.

02. The deployment of safeguards should be an ongoing process, progressively optimized to improve functionality, ensure transparency, and reduce barriers.

03. Access should be allocated solely to individuals with a valid operational requirement, following the principle of restricted permissions.

04. Protective measures should be enforced uniformly across all segments of the organization.

Data Protection

Data Protection & Encryption

Data at Rest

All datastores with customer data are encrypted at rest. Sensitive collections and tables also use row-level encryption.

All encryption keys are AWS-managed and are regularly rotated according to industry best practice.

Data in Transit

Daptic uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit.

Server TLS keys and certificates are managed by AWS.

Secret Management

Daptic uses AWS Key Management System (KMS) and AWS Secrets Manager (SM) to securely store, rotate, and access encryption keys and secrets. Role-Based Access Control (RBAC) policies are in place to prevent direct access by any individual without an operational requirement (including employees of Daptic).

All keys are rotated automatically every 60 days.

Product Security

Secure Product Architecture

Penetration Testing

Daptic engages with one of the best penetration testing consulting firms in the industry at least annually.

Our current preferred penetration testing partner is Thoropass, one of the leading experts in SaaS security compliance.

Vulnerability Scanning

Daptic requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC):

  • Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain
  • External attack surface management (EASM) continuously running to discover new external-facing assets
  • Dynamic analysis (DAST) of running applications
  • Periodic network vulnerability scanning

Enterprise Security

Enterprise Security & Governance

Endpoint protection

All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.

Secure remote access

Daptic secures remote access to internal resources using Tailscale, a modern VPN platform built on WireGuard. We also use malware-blocking DNS servers to protect employees and their endpoints while browsing the internet.

Vendor Security

Daptic uses a risk-based approach to vendor security. Factors which influence the inherent risk rating of a vendor include:

  • Access to customer and corporate data
  • Integration with production environments
  • Potential damage to the Daptic brand

Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision for the vendor.
