All communications with SDK servers are encrypted
We encrypt via TSL all communications between client and server and between our own systems.
Data are encrypted at rest
Our database instances leverage “encryption at rest” which essentially means the data are encrypted at the server level and if the server were to be compromised for any reason the intruder would need a “key” to decrypt the contents. We use the industry standard AES-256 encryption algorithm to encrypt your data. Once your data are stored with Secure Data Kit, authentication and decryption of your data transparently with a minimal impact on performance.
We keep a detailed log of access, updates, or deletes of data. We capture the user performing the action, the IP address, and the date / time of the action. All of this data is available within your account.
We carefully control who has access to all aspects of our system ranging from the physical servers (accessed via SSH) to our database (no direct access allowed) to our software (which has multiple layers of security).
All data collected at the enterprise and project level are owned by the client and will not be reused, sold, or presented without the express written permission of the client. Additionally, we offer a number of ways that countries can maintain ownership of their data while still using the Secure Data Kit platform. Read more here
Systems regularly monitored, updated and patched
Our DevOps team has a series of low and high level monitors in place that keep us aware of system stability at all times. We have a monthly plan to review our servers to determine whether they need to be patched or not.
Data backup plans
Our system has automatic backups that are retained for 7 days.
Incident response plan
We have a detailed incident response plan that involves several core areas:
- Intrusion detection - we constantly monitor our systems for abnormal behavior or inappropriate access to our underlying data systems.
- Understanding when an incident occurs - if an intrusion or potential hack occurs, we start by understanding the nature of the issue or outage. Was any data stolen? What crashed the system? We compile the information in real time so we can diagnose the issue once normal business operations are resumed.
- Alert clients / partners - if an issue has been identified, we work quickly to identify affected clients / partners and inform of them of the issue.
- Resume normal business operations as quickly as possible - this may include stabilizing the system, rotating passwords, changing keys, or restoring from backup.
- Document and diagnose the issue - once business operations have resumed we thoroughly document the issue internally and store in our own internal “error log” that keeps a running list of any outages, intrusions, or potential hacks.
- Send final analysis to clients / partners - we prefer to keep our clients / partners as informed as possible. Once we have a thorough grasp on what happened, to whom, when it started, and when it ended we will distribute a final report.