Data Center Security
DemandSphere stores its data at physically secure data centers in the European Union and the United States. We use Hetzner, OVH, and Backblaze.
Data Center Compliance
All data centers hold the relevant best-practice certifications and attestations.
Physical Security of Data Centers
Physical security of data centers is ensured through a number of measures, including strict control of personnel access to the data center premises and access control for third parties. Access rights to data centers are reviewed regularly, activities and incidents are monitored 24/7, physical access points to server rooms are covered by CCTV recording, and electronic intrusion detection systems are in place.
Data centers manage climate and temperature to prevent overheating. They are equipped with automatic fire detection and suppression systems and with water leak detection, and electrical and mechanical equipment is monitored. All data centers are redundant and maintainable 24/7. When DemandSphere copies user data electronically outside a data center, appropriate physical security is maintained and the data remains encrypted at all times.
The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Backup and replication strategies are designed to ensure redundancy and failover protection during a significant processing failure. DemandSphere data is backed up to multiple durable data stores and is replicated across multiple availability zones. DemandSphere uses commercially reasonable efforts to create frequent, encrypted backup copies of user data, and these are stored in geographically separate locations.
Where feasible, production databases replicate data between at least one primary and one secondary database. All databases are backed up and maintained using industry-standard methods at a minimum.
DemandSphere conducts its business globally. We have offices in the United States, Japan, Pakistan, Poland, and Greece. Because our offices are distributed, we apply the same security standards at every location.
All our offices are equipped with video surveillance and intrusion detection systems. Access to all office spaces is regulated by an access control system, and only employees and visitors who have registered or have temporary access cards are authorized to enter. Company policy requires that all visitors must be accompanied by responsible employees.
Remote workers are required to sign policy agreements that ensure they adhere to our strict security standards.
Each office meets all fire safety requirements and is equipped with a fire alarm and fire extinguishing systems.
Our employees and contractors are required to sign a non-disclosure agreement before starting work.
We provide security awareness training for all new employees, and all employees repeat it annually. Training is delivered through an electronic platform, and we display security materials and posters throughout our offices.
We provide training for our product developers in accordance with OWASP best practices for secure programming.
Data in transit
DemandSphere uses TLS 1.2 or higher (HTTPS) for all traffic to the website. Our HTTPS implementation uses industry-standard algorithms and certificates.
Access to personal data
Personal data is protected by an appropriate level of security designed to prevent unauthorized data access. Personal data is limited to role-based access by personnel on a need-to-know basis.
Personal data is encrypted in transit.
All employees use a VPN to access company resources. For some resources we additionally use Google Identity-Aware Proxy (IAP), which enforces identity-based access control on each request rather than relying on network location alone.
Logging and monitoring
All infrastructure and application activities are logged, and the most critical are forwarded to a SIEM tool for monitoring. Access to audit trails and logs is restricted to authorized personnel based on roles and responsibilities.
DemandSphere has established a process for monitoring security vulnerabilities and for acquiring, testing, and regularly deploying patches (software updates) or configuration changes to the affected applications and systems across company infrastructure. We also run periodic vulnerability scans through an authorized QSA.
Data at rest
Stored information is protected by encryption where relevant. Data centers use AES-256 encryption for data storage. Employee workstations are managed through an MDM system, and we use strong encryption to store information on our endpoints securely.
Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the DemandSphere service infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignments, and traditional firewall rules. All applications that process critical data use SSO and 2FA to authenticate users.
DemandSphere has implemented a uniform password policy for its internal services and associated tools. All passwords must meet defined minimum requirements and are stored in protected (non-plaintext) form. Users who interact with the services must use a password manager to store their passwords securely.
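The two halves of such a policy, checking a candidate password against minimum requirements and storing it so that a database leak does not expose the plaintext, look like this in Python. This is an added example, not DemandSphere's implementation: the length and character-class thresholds, the scrypt cost parameters and the short common-password list are assumptions chosen for illustration.

```python
"""Password policy check and salted one-way password storage.

Added illustration, not DemandSphere's implementation: the length and
character-class thresholds, the scrypt cost parameters and the small
common-password list are all assumptions chosen for this example.
"""
import hashlib
import hmac
import os
import re
from typing import List, Optional

MIN_LENGTH = 12                                 # assumed policy minimum
MIN_CHARACTER_CLASSES = 3                       # assumed policy minimum
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1    # assumed cost parameters (~16 MiB per hash)

# Constructed sample of passwords that sit at the top of breach lists; a real
# policy would screen against a full breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a character repeated four or more times")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    # scrypt is memory-hard, so every guess against a stolen record costs
    # the attacker RAM as well as CPU time.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt hex>$<key hex>'; a fresh 16-byte salt is drawn unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    return f"scrypt${salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    return hmac.compare_digest(_derive(password, bytes.fromhex(salt_hex)),
                               bytes.fromhex(key_hex))


if __name__ == "__main__":
    candidate = "Correct-Horse-Battery-9"
    print(check_policy("Password") or "ok")
    record = hash_password(candidate)
    print(record, verify_password(candidate, record))
```

The stored record carries the scheme name and the salt alongside the derived key, so cost parameters can be raised later and old records re-hashed on the user's next successful login without a flag day.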
DemandSphere has established a change management approach that reduces the likelihood of unauthorized or destructive changes to applications and systems. All changes are peer-reviewed, tested, and logged for audit purposes before deployment to the production environment.
Interaction with contractors
To protect any data processed, DemandSphere maintains contractual relationships with its third-party suppliers. DemandSphere relies on contractual agreements, privacy policies, and supplier compliance procedures in order to protect any data processed or stored by suppliers.
Supplier security verification
We have a security verification process for each supplier. We continually monitor all our third-party suppliers using our cybersecurity assessment platform.
Personal data retention
A user’s personal data is deleted once no longer necessary for the stated purposes. However, we may retain copies of such data and information to the extent permitted or required by law, for archival purposes, or as created by automatic computer back-up and archived as part of normal computerized archiving systems, maintaining necessary technical and organizational measures.
DemandSphere’s products adhere to GDPR requirements effective June 1, 2018. We have adopted the following measures to be compliant with GDPR requirements:
- Collect the minimum information necessary for the provision of our services.
- Process data in a lawful manner.
- Maintain and make available to customers a list of sub-processors, as well as the purpose of their use.
- Enter into data processing addenda with our customers and vendors to reflect the respective security obligations and privacy requirements of the parties.
- Market our services to customers and prospects in a manner that respects their rights under GDPR.
We also monitor other countries’ privacy legislation such as CCPA, LGPD, and others and comply with their requirements to ensure the security of personal data.
Staging, testing, and development environments are logically separated from each other. No personal or service data is used in testing or development environments.
SDLC (Secure Software Development Lifecycle) is a process model used by organizations to build secure applications. The SDLC process defines how to integrate security into the software development process. A secure SDLC process ensures that security assurance activities such as design review, architecture analysis, code review, and penetration testing are an integral part of the development lifecycle.
DemandSphere uses DevOps culture to deliver its product. DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes.
External threats protection
Our quality assurance staff are responsible for continuous product quality testing. They also conduct basic security testing.
The Security team selectively reviews parts of code stored in DemandSphere source code repositories, checking for coding best practices and identifiable software flaws.
DemandSphere conducts penetration tests every six months. We also use a PTaaS (Pentest as a Service) vendor to provide the teams with penetration testing in an agile workflow. The object of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios. In addition, the Security team penetration-tests new features every week in line with the release policy.
Bug bounty program
DemandSphere has implemented a Bug Bounty program in an effort to widen the available opportunities to engage with the security community and improve the service’s defenses against sophisticated attacks. For details, contact firstname.lastname@example.org.
We support SAML-based single sign-on (SSO). SSO can be enabled at any time by contacting product support.
Our Enterprise Plus plans support two-factor authentication. This can be easily enabled to make accounts more secure.
DemandSphere has designed its infrastructure to log information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert the appropriate employees to malicious, unintended, or anomalous activity. DemandSphere personnel, including the security team, are available to respond to security incidents.
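One concrete alerting rule of the kind described above is a sliding-window count of failed authentications per source address, with a second, higher-priority alert when a success follows such a burst. The Python below runs that rule over constructed log lines. It is an added example, not DemandSphere's pipeline: the log line format, the threshold of five failures per sixty seconds and the sample lines are all made up for illustration.

```python
"""Brute-force and success-after-burst detection over authentication log lines.

Added illustration, not DemandSphere's pipeline. The log line format, the
threshold of 5 failures per 60 s and the sample lines are all constructed
for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"(?P<result>FAILED|SUCCESS) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: a burst of failures from one address followed by a
# success from the same address, plus unrelated benign traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth FAILED user=admin ip=203.0.113.5
2024-05-01T10:00:03Z auth SUCCESS user=alice ip=192.0.2.10
2024-05-01T10:00:04Z auth FAILED user=admin ip=203.0.113.5
2024-05-01T10:00:07Z auth FAILED user=root ip=203.0.113.5
2024-05-01T10:00:09Z auth FAILED user=bob ip=198.51.100.7
2024-05-01T10:00:10Z auth FAILED user=admin ip=203.0.113.5
2024-05-01T10:00:12Z auth FAILED user=admin ip=203.0.113.5
2024-05-01T10:00:15Z auth FAILED user=admin ip=203.0.113.5
2024-05-01T10:00:40Z auth SUCCESS user=admin ip=203.0.113.5
"""

Alert = Tuple[str, str, str]  # (rule name, source ip, detail)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip) or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skipped here; a production pipeline would count these
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold: int = 5, window_seconds: int = 60) -> List[Alert]:
    """Emit one brute_force alert per ip that crosses the threshold, and a
    success_after_burst alert for every success while the burst is still in window."""
    window = timedelta(seconds=window_seconds)
    failures: Dict[str, deque] = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()
    alerts: List[Alert] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, result, user, ip = event
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if result == "FAILED":
            recent.append(ts)
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("brute_force", ip,
                               f"{len(recent)} failures within {window_seconds}s"))
        elif len(recent) >= threshold:
            # A login that succeeds right after a burst of failures is the
            # event worth paging on: the guessing may have worked.
            alerts.append(("success_after_burst", ip, f"user={user}"))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule}: {ip} ({detail})")
```

Keying the window on source address catches classic brute force; a password-spraying attacker rotates addresses and tries one guess per user, so the same counter should also be kept per target username across all sources.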
Notification in case of incident
If DemandSphere becomes aware of unlawful access to data stored within its services, we notify the affected users of the incident, provide a description of the steps that are being taken to resolve the incident and provide status updates to the user, as necessary.
DemandSphere maintains a record of known security incidents that includes descriptions, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, and support personnel. Appropriate resolution steps are identified and documented. For any confirmed incidents, DemandSphere takes appropriate steps to minimize user damage and unauthorized disclosure and to prevent future incidents.
Security Management and Compliance
Security policy and procedures
We have developed policies that are communicated to all staff. We also have specific policies that are communicated to the personnel they affect. Policies cover the main areas of information security.
DemandSphere has defined and implemented a risk management program that sets out the strategy to identify, analyze, evaluate, treat and review the information security risks.
Risk assessments are performed by certain teams at least annually or at any point when a major change takes place in the technological, organizational, business, or legal landscape.
The likelihood and impact of risk events are used to measure the risk level and its significance, as per the risk criteria described in our Risk Assessment Methodology.