Data Security & Compliance

  • Data Security & Compliance is fundamental to our business

    DataBlend is a one-of-a-kind Integration Platform as a Service (iPaaS) that provides a secure environment clients can confidently rely on. DataBlend ensures product integrity by following industry standards and best practices for auditing procedures. DataBlend best practices include, but are not limited to, managing high-level security, technologies, and procedures.

    Compliance
    SOC 2 Type 2 Audited

    DataBlend successfully completed a Service Organization Controls 2 (SOC 2) Type 2 audit. SOC 2 is published by the AICPA (The American Institute of Certified Public Accountants). The SOC 2 Type 2 audit that DataBlend underwent evaluates the effectiveness of a service organization’s controls. DataBlend was audited based on security, confidentiality, and availability. Audit reports are available upon request, subject to a nondisclosure agreement.

  • Hosting Environment and Physical Security 

    DataBlend is hosted on a public cloud service provided by Amazon Web Services (AWS). Amazon maintains high security standards for its data centers. You can read further about AWS security here:

    aws.amazon.com/security/ 

    Network Security

    The DataBlend website and API are accessible solely via HTTPS. This limited access protects the privacy and integrity of data while in transit. DataBlend implements HTTPS to ensure all platform traffic is encrypted and protected from interception. Interception can come from a variety of sources, including unauthorized third parties or hackers. DataBlend also employs industry-standard TLS 1.2 encryption algorithms with a key length of 256 bits.

     

    DataBlend utilizes a variety of secure protocols to communicate with necessary third-party systems. Supported protocols for third-party systems include HTTPS and a large variety of others, such as SFTP. As an additional security measure, clients accessing on-premise systems must install an agent on-premise. The secure agent communicates with DataBlend over an encrypted link, using TLS 1.2.

     

    DataBlend uses a specific architecture that uniquely segregates internal application systems from the public Internet. This separation provides a crucial additional layer of security to DataBlend clients. Traffic to the DataBlend website passes through a Web Application Firewall (WAF) and is then securely directed to interior systems on a variety of private subnets. Network traffic uses uniquely encrypted protocols. All network access is restricted by firewall and routing rules, ensuring the utmost data security. For additional security, access to the network is recorded in a centralized secure logging system. This additional layer of security allows trackability throughout the entire process.

  • Authentication 

    Clients log in to DataBlend using a unique password which is known only to them. Password length and complexity are strictly enforced to ensure the utmost safety to DataBlend clients.

     

    DataBlend also supports signing on via Google as an external identity provider. Additionally, DataBlend automatically logs clients out after 30 minutes of inactivity. This time limit ensures that client data is safe. 

     

    DataBlend connects to remote systems using user-supplied credentials. When possible, this is done using OAuth2. Clients using OAuth2 do not require a username and password to be stored in the DataBlend application. In the event that a remote system requires credentials to be stored, DataBlend will safely store the credentials by utilizing an encrypted 256-bit key.

     

    DataBlend recommends that clients use an integration-specific user identity (ISU) with appropriate entitlements/scopes for connection authentication in compliance with third-party systems.

    Application Development and Testing 

    DataBlend has a software development lifecycle process that includes security and privacy analysis across every stage of development. Design and code reviews, as well as unit and integration testing, are part of DataBlend’s comprehensive software development lifecycle process.

    Vulnerability and Penetration Testing 

    DataBlend conducts internal vulnerability testing to ensure client data is always safe. DataBlend also works with several qualified third-party vendors to conduct regular platform-level vulnerability and penetration tests. The results are analyzed, and vulnerabilities are addressed immediately, ensuring safety from all relevant threats.

  • Data Privacy 

    DataBlend has a public Privacy Policy. The Privacy Policy details the types of personal information DataBlend collects, how the collected personal information is handled, and the subsequent privacy rights of the DataBlend client. 

    Data Retention and At-Rest Protection 

    DataBlend platform information is encrypted at rest and in transit. All data at rest is encrypted using a strong encryption algorithm (AES-256). This level of protection ensures that all data is highly encrypted. In addition, DataBlend encrypts collected data with group-specific keys. To ensure the highest level of data security, at the end of the configured data retention interval, the data is deleted. DataBlend’s data retention and data protection practices ensure the security of all client data.  

  • High Availability 

    DataBlend is thoughtfully designed to offer high availability and resilience to service disruption. DataBlend ensures resilient, high-availability services to clients by running DataBlend services in redundant clusters and continuously replicating the application database to a standby system.

     

    Current system status and recent uptime statistics are continuously available here. 

     

    DataBlend has also implemented a Business Continuity and Disaster Recovery program. This program includes not only measures to ensure the high availability of DataBlend’s IT assets, but also contingency planning for natural disasters and other possible disruptions. This level of planning ensures that clients can rely on all DataBlend services regardless of circumstance.

    Incident Response 

    DataBlend continuously monitors the security status of its systems. Automated alerts are configured for security and performance issues. In the unlikely event of a system breach, DataBlend has a robust Security Incident Response Plan detailing roles, responsibilities, and procedures in case of an actual or suspected security incident. All security and performance incident responses ensure safety within DataBlend production systems.

  • Our Organization 

    All employees are subject to background checks. Background checks cover education, employment, and criminal history, to the extent permitted by local and federal law. Employment at DataBlend requires written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.

     

    DataBlend applies the principle of least privilege for access across the entire organization. All access and authorization rights are reviewed both immediately and regularly to ensure the highest level of information security. Access or authorization rights can be withdrawn or modified, as appropriate, promptly upon termination or change of role. In addition, DataBlend maintains an information security training program that is mandatory for all employees on a regular basis. To ensure the highest level of security, DataBlend also employs highly knowledgeable full-time security personnel.

    Vulnerability Disclosure 

    DataBlend welcomes reports of vulnerabilities or other security issues. Note that DataBlend is primarily interested in issues that may affect authenticated users of the services rather than issues relating to the public-facing sites, many of which are hosted by third parties and are unrelated to the services. Note also that DataBlend generally does not allow automated scanning of the sites and may block it if detected.

     

    Vulnerability reports will be acknowledged and reporters kept apprised of their report’s status. Reports can be submitted to security@datablend.com.