Data Security & Compliance
Data Security & Compliance is fundamental to our business
DataBlend is a one-of-a-kind Integration Platform as a Service (iPaaS) that provides a secure environment clients can confidently rely on. DataBlend ensures product integrity by following industry standards and audit best practices. DataBlend's best practices include, but are not limited to, managing high-level security, technologies, and procedures.
Compliance
SOC 2 Type 2 Audited
DataBlend undergoes an annual System and Organization Controls 2 (SOC 2) Type 2 examination. SOC 2 is based on the trust services criteria published by the AICPA (American Institute of Certified Public Accountants). DataBlend's SOC 2 Type 2 examination evaluates the design and operating effectiveness of its controls relevant to security. Audit reports are available upon request, subject to a nondisclosure agreement.
ISO 27001:2013 Certified
DataBlend is certified against internationally recognized information security standards, developed by the International Organization for Standardization (ISO).
ISO 27001:2013 focuses on information security and aligns with the guidance provided in ISO 27002 for implementing security controls. It outlines requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The ISMS protects the confidentiality, integrity, and availability of information in an organization by applying a risk management process.
Certification audits are performed by an accredited independent third-party auditor. Conformance to these standards is evidence that DataBlend has:
- Established and continually improves an ISMS as per the requirements of the ISO 27001:2013 standard
- Implemented information security controls and systematically evaluates and treats information security risks
GDPR Compliant
DataBlend is compliant with the European General Data Protection Regulation (GDPR) and will execute a Data Processing Addendum (“DPA”) for customers with GDPR obligations. Our DPA has been specifically tailored to depict our Service’s unique operational and technical controls and our business model as a multi-tenant, data agnostic iPaaS provider. In this capacity, DataBlend treats all data from all customers as confidential and has built into the subscription service controls to account for compliance with applicable data privacy laws.
HIPAA Compliant
DataBlend is compliant with the Health Insurance Portability and Accountability Act (HIPAA) and will execute Business Associate Agreements for customers with HIPAA obligations. Our Business Associate Agreement has been tailored to depict our Service’s unique operational and technical controls and our business model as a multi-tenant, data agnostic iPaaS provider. If you determine that a BAA is necessary for your use of DataBlend, you may engage your account manager for assistance.
Hosting Environment and Physical Security
DataBlend is hosted on a public cloud service provided by Amazon Web Services (AWS). Amazon maintains high standards of security for its data centers. You can read further about AWS security here:
Network Security
The DataBlend website and API are accessible solely via HTTPS. This restriction protects the privacy and integrity of data while in transit. DataBlend implements HTTPS to ensure all platform traffic is encrypted and protected from interception, whether by unauthorized third parties or by attackers. DataBlend also employs industry-standard TLS 1.2 with encryption keys of 256 bits.
DataBlend uses a variety of secure protocols to communicate with the third-party systems an integration requires. Supported protocols include HTTPS and a large variety of others such as SFTP. For clients accessing on-premise systems, an agent must be installed on-premise as an additional security measure. The secure agent communicates with DataBlend over an encrypted link using TLS 1.2.
DataBlend's architecture segregates internal application systems from the public Internet. This separation provides a crucial additional layer of security for DataBlend clients. Traffic to the DataBlend website passes through a Web Application Firewall (WAF) and is then directed to interior systems on a variety of private subnets. Internal network traffic uses encrypted protocols. All network access is restricted by firewall and routing rules. For additional security, access to the network is recorded in a centralized secure logging system, which allows activity to be traced throughout the entire process.
Authentication
Clients login to DataBlend using a unique password which is only known to them. Password length and complexity are strictly enforced to ensure the utmost safety to DataBlend clients.
Additionally, DataBlend automatically logs clients out after 30 minutes of inactivity. This time limit ensures that client data is safe.
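The inactivity logout described above is a sliding idle timeout: every request that presents a valid session pushes its expiry forward, and a session that stays quiet for the full window is destroyed server-side rather than merely hidden from the browser. The following Go program is an added example written for this page, not DataBlend's own code; the 30-minute window is the value stated above, while the type names, the in-memory store and the injectable clock are assumptions made so the expiry logic can be exercised without waiting.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// IdleTimeout is the inactivity window after which a session is logged out.
// 30 minutes is the value stated on the page; everything else here is assumed.
const IdleTimeout = 30 * time.Minute

var (
	ErrNoSession      = errors.New("no such session")
	ErrSessionExpired = errors.New("session expired due to inactivity")
)

type session struct {
	user         string
	lastActivity time.Time
}

// SessionStore tracks sessions with a sliding inactivity timeout.
// The clock is injectable (hypothetical design choice) so tests can advance time.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]*session
	now      func() time.Time
}

func NewSessionStore(now func() time.Time) *SessionStore {
	if now == nil {
		now = time.Now
	}
	return &SessionStore{sessions: make(map[string]*session), now: now}
}

// Login creates a session. In a real system id would be a random,
// high-entropy token; the fixed ids in main are constructed sample data.
func (s *SessionStore) Login(id, user string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[id] = &session{user: user, lastActivity: s.now()}
}

// Touch validates a session on each request. If the idle window has elapsed
// the session is deleted (server-side logout) and an error is returned;
// otherwise the activity timestamp slides forward.
func (s *SessionStore) Touch(id string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok {
		return "", ErrNoSession
	}
	if s.now().Sub(sess.lastActivity) >= IdleTimeout {
		delete(s.sessions, id)
		return "", ErrSessionExpired
	}
	sess.lastActivity = s.now()
	return sess.user, nil
}

// Sweep removes idle sessions that were never touched again, so an
// abandoned session does not linger in the store; returns the count removed.
func (s *SessionStore) Sweep() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	removed := 0
	for id, sess := range s.sessions {
		if s.now().Sub(sess.lastActivity) >= IdleTimeout {
			delete(s.sessions, id)
			removed++
		}
	}
	return removed
}

func main() {
	clock := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	store := NewSessionStore(func() time.Time { return clock })
	store.Login("sess-1", "alice") // constructed sample session
	clock = clock.Add(20 * time.Minute)
	user, err := store.Touch("sess-1")
	fmt.Println("after 20 min:", user, err)
	clock = clock.Add(31 * time.Minute)
	_, err = store.Touch("sess-1")
	fmt.Println("after 31 more min:", err)
}
```

The check lives in Touch rather than in a background job so that an expired session is rejected on its very next request, even if the sweeper has not run yet; Sweep only tidies up sessions that never came back.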
DataBlend connects to remote systems using user-supplied credentials. When possible this is done using OAuth2, so clients using OAuth2 do not need a username and password to be stored in the DataBlend application. In the event that a remote system requires credentials to be stored, DataBlend stores them encrypted under a 256-bit key.
DataBlend recommends that clients use an integration specific user identity (ISU) with appropriate entitlements/scopes for connection authentication in compliance with third-party systems.
Single Sign-On (SSO)
DataBlend also supports sign-on via Microsoft Azure or Google as external identity providers. Once set up, users can log in directly with their enterprise accounts without using their DataBlend username and password.
Application Development and Testing
DataBlend has a software development lifecycle process that includes security and privacy analysis at every stage of development. Design and code reviews, unit testing, and integration testing are all part of DataBlend's comprehensive software development lifecycle process.
Vulnerability and Penetration Testing
DataBlend conducts internal vulnerability testing to ensure client data is always safe. DataBlend also works with several qualified third-party vendors to conduct regular platform level vulnerability and penetration tests. The results are analyzed, and vulnerabilities are addressed immediately ensuring safety from all relevant threats.
Data Privacy
DataBlend has a public Privacy Policy. The Privacy Policy details the types of personal information DataBlend collects, how the collected personal information is handled, and the subsequent privacy rights of the DataBlend client.
Data Retention and At-Rest Protection
DataBlend platform information is encrypted at rest and in transit. All data at rest is encrypted using a strong encryption algorithm (AES-256), so every stored record is protected. In addition, DataBlend encrypts collected data with group-specific keys. To ensure the highest level of data security, the data is deleted at the end of the configured data retention interval. DataBlend's data retention and data protection practices ensure the security of all client data.
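Two of the statements above, stored credentials encrypted under a 256-bit key (Authentication section) and at-rest data encrypted with group-specific AES-256 keys and deleted when its retention interval ends, can be demonstrated together. The Go program below is an added example for this page and not DataBlend's code: it keeps one random 256-bit key per group, encrypts each record with AES-256-GCM while binding the ciphertext to its group and record ids, refuses to decrypt anything past its retention time, and destroys a group's key once the group has no live records. The in-memory key map, the record layout and all function names are assumptions; a production system would hold the keys in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

var (
	ErrNotFound = errors.New("record not found or key destroyed")
	ErrExpired  = errors.New("record past its retention interval")
)

// Record is one stored secret: ciphertext plus the metadata needed to
// decrypt it. The plaintext never touches the store.
type Record struct {
	GroupID    string
	Nonce      []byte
	Ciphertext []byte
	ExpiresAt  time.Time
}

// Vault holds one 32-byte (AES-256) key per group and the records encrypted
// under it. The in-memory key map is an assumption for this example.
type Vault struct {
	keys    map[string][]byte
	records map[string]Record
}

func NewVault() *Vault {
	return &Vault{keys: map[string][]byte{}, records: map[string]Record{}}
}

// groupKey returns the group's key, generating a fresh random one the first
// time a group is seen.
func (v *Vault) groupKey(groupID string) ([]byte, error) {
	if k, ok := v.keys[groupID]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	v.keys[groupID] = k
	return k, nil
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to its group and record id, so a ciphertext copied
// into another record or group fails authentication on decrypt.
func aad(groupID, recordID string) []byte { return []byte(groupID + "/" + recordID) }

// Store encrypts secret with AES-256-GCM under the group's key and records
// when its retention interval ends.
func (v *Vault) Store(recordID, groupID string, secret []byte, retention time.Duration, now time.Time) error {
	key, err := v.groupKey(groupID)
	if err != nil {
		return err
	}
	aead, err := aeadFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh 96-bit nonce per encryption
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := aead.Seal(nil, nonce, secret, aad(groupID, recordID))
	v.records[recordID] = Record{GroupID: groupID, Nonce: nonce, Ciphertext: ct, ExpiresAt: now.Add(retention)}
	return nil
}

// Load decrypts a record, refusing it once retention has elapsed even if
// Purge has not run yet.
func (v *Vault) Load(recordID string, now time.Time) ([]byte, error) {
	rec, ok := v.records[recordID]
	if !ok {
		return nil, ErrNotFound
	}
	if !now.Before(rec.ExpiresAt) {
		return nil, ErrExpired
	}
	key, ok := v.keys[rec.GroupID]
	if !ok {
		return nil, ErrNotFound // key destroyed: unrecoverable by design
	}
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, aad(rec.GroupID, recordID))
}

// Purge deletes expired records and returns the count. A group with no
// records left loses its key too, so stray copies of its ciphertext are
// unreadable (crypto-shredding).
func (v *Vault) Purge(now time.Time) int {
	removed := 0
	for id, rec := range v.records {
		if !now.Before(rec.ExpiresAt) {
			delete(v.records, id)
			removed++
		}
	}
	live := map[string]bool{}
	for _, rec := range v.records {
		live[rec.GroupID] = true
	}
	for g := range v.keys {
		if !live[g] {
			delete(v.keys, g)
		}
	}
	return removed
}

func main() {
	v := NewVault()
	now := time.Now()
	// Constructed sample: a hypothetical SFTP password for group "group-acme".
	_ = v.Store("sftp-conn-1", "group-acme", []byte("s3cret-password"), 24*time.Hour, now)
	pt, err := v.Load("sftp-conn-1", now)
	fmt.Printf("before expiry: %q err=%v\n", pt, err)
	_, err = v.Load("sftp-conn-1", now.Add(25*time.Hour))
	fmt.Println("after expiry:", err)
	fmt.Println("purged:", v.Purge(now.Add(25*time.Hour)), "keys left:", len(v.keys))
}
```

GCM's authentication tag is what makes the retention deletion trustworthy: a record cannot be silently altered or transplanted between groups, and once the group key is gone there is nothing left that could be decrypted, regardless of where the ciphertext was copied.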
High Availability
DataBlend is thoughtfully designed offering high availability and resilience to service disruption. DataBlend ensures resilient, high availability services to clients by running DataBlend services in redundant clusters and continuous replication of the application database to a standby system.
Current system status and recent uptime statistics are continuously available here.
DataBlend has also implemented a Business Continuity and Disaster Recovery program. This program includes measures to ensure the high availability of DataBlend’s IT assets, but also contingency planning for natural disasters and other possible disruptions. This level of planning ensures that clients can rely on all DataBlend services regardless of circumstance.
Incident Response
DataBlend continuously monitors the security status of its systems. Automated alerts are configured for security and performance issues. In the unlikely event of a system breach, DataBlend has a robust Security Incident Response Plan, detailing roles, responsibilities and procedures in case of an actual or suspected security incident. All security and performance incident responses ensure safety within DataBlend production systems.
Our Organization
All employees are subject to background checks. Background checks cover education, employment and criminal history, to the extent which is permitted by local and federal law. Employment at DataBlend requires written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.
DataBlend applies the principle of least privilege for access across the entire organization. All access and authorization rights are reviewed both immediately and regularly to ensure the highest level of information security. Access or authorization rights can be withdrawn or modified, as appropriate, promptly upon termination or change of role. In addition, DataBlend maintains an information security training program that is mandatory for all employees on a regular basis. To ensure the highest level of security, DataBlend also employs highly knowledgeable full-time security personnel staff.
Vulnerability Disclosure
DataBlend welcomes reports of vulnerabilities or other security issues. Note that DataBlend is primarily interested in issues that may affect authenticated users of the services rather than issues relating to the public-facing sites, many of which are hosted by third parties and are unrelated to the services. Note also that DataBlend generally does not allow automated scanning of the sites and may block it if detected.
Vulnerability reports will be acknowledged and reporters kept apprised of their report’s status. Reports can be submitted to security@datablend.com.