Security | Dataform

Security

Overview

Keeping our customers' data protected at all times is our highest priority. This page provides a high-level overview of the security practices we have put in place to achieve that objective.

Infrastructure

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers; instead, our service is built on Google Cloud Platform, which provides strong security measures to protect our infrastructure and is compliant with most certifications. You can read more about GCP security practices here: Google Cloud Platform.

Network level security monitoring and protection

Our network security architecture consists of multiple security zones. To make sure no unauthorized access occurs, we monitor and protect our network using:

  • A virtual private cloud (VPC), a bastion host or VPN with network access control lists (ACLs) and no public IP addresses.
  • A firewall that monitors and controls incoming and outgoing network traffic.
  • An Intrusion Detection and/or Prevention (IDS/IPS) solution that monitors and blocks potentially malicious packets.

Data encryption

Encryption in transit: All data sent to or from our infrastructure is encrypted in transit using Transport Layer Security (TLS), following industry best practices. We maintain an A+ rating from SSL Labs.

Encryption at rest: All our user data (including passwords) is encrypted using battle-hardened encryption algorithms.

Business continuity and disaster recovery

We back up all of our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.

Application security monitoring

  • We use automation to monitor exceptions and logs and to detect anomalies in our applications.
  • We collect and store logs to retain an audit trail of all activity on our applications.
  • We use monitoring tools such as open tracing in our microservices.

Responsible disclosure

Dataform is committed to working with security experts across the world to stay up to date with the latest security techniques. As we are part of Google, please check out our common rules of engagement, eligibility and security contact for reporting vulnerabilities at https://www.google.com/about/appsecurity/reward-program/.

User protection

All user authentication is safely outsourced to Auth0. You can find more information on Auth0 security at auth0.com/security.

Compliance

GDPR

We’re compliant with the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data.

Payment information

All payment instrument processing is safely outsourced to Stripe, which is certified as a PCI Level 1 Service Provider. We do not collect any payment information and are therefore not subject to PCI obligations.

Employee access

  • Our strict internal procedures prevent any employee or administrator from gaining access to user data. Limited exceptions may be made for the provision of customer support services.
  • All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers' sensitive information.