Security

Overview

Keeping our customers' data protected at all times is our highest priority. This page provides a high-level overview of the security practices we have put in place to achieve that objective. Have questions or feedback? Feel free to reach out to us at security@dataform.co.

Infrastructure

Cloud infrastructure

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers; instead, our service is built on Google Cloud Platform, which provides strong security measures to protect our infrastructure and is compliant with most certifications. You can read more about GCP security practices here: Google Cloud Platform.

Network level security monitoring and protection

Our network security architecture consists of multiple security zones. To make sure no unauthorized access takes place, we monitor and protect our network using:

  • A virtual private cloud (VPC), a bastion host or VPN with network access control lists (ACLs) and no public IP addresses.
  • A firewall that monitors and controls incoming and outgoing network traffic.
  • An Intrusion Detection and/or Prevention (IDS/IPS) solution that monitors and blocks potentially malicious packets.

Data encryption

Encryption in transit: All data sent to or from our infrastructure is encrypted in transit using Transport Layer Security (TLS), following industry best practices. We maintain an A+ rating from SSL Labs.

Encryption at rest: All our user data (including passwords) is encrypted using battle-hardened encryption algorithms.

Business continuity and disaster recovery

We back up all of our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.

Application security monitoring

  • We use automation to monitor exceptions and logs and to detect anomalies in our applications.
  • We collect and store logs to retain an audit trail of all activity on our applications.
  • We use monitoring tools such as open tracing in our microservices.

Responsible disclosure

Dataform is committed to working with security experts across the world to stay up to date with the latest security techniques. If you believe you have found a security vulnerability, we encourage you to let us know right away by contacting security@dataform.co. We will investigate all legitimate reports and do our best to quickly fix issues.

User protection

All user authentication is safely outsourced to Auth0. You can find more information on Auth0 security at auth0.com/security.

Compliance

GDPR

We’re compliant with the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply with GDPR.

PCI

If your data is subject to PCI requirements, please contact us at security@dataform.co.

HIPAA

If your data is subject to HIPAA requirements, please contact us at security@dataform.co.

Payment information

All payment instrument processing is safely outsourced to Stripe, which is certified as a PCI Level 1 Service Provider. We do not collect any payment information and are therefore not subject to PCI obligations.

Employee access

  • Our strict internal procedures prevent any employee or administrator from gaining access to user data. Limited exceptions may be made for the provision of customer support services.
  • All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers' sensitive information.