What has Dash done to ensure it is GDPR compliant?
We have undertaken a cross-company program to ensure we are compliant and can support our customers with their compliance. This includes a comprehensive organisation-wide audit and gap analysis, and carrying out a detailed action plan of changes we need to implement. This has included process changes, security and product improvements, supplier reviews and ensuring we have compliant contracts in place. We've provided a summary of our activity here.
Where do we store customer data?
All customer assets added to a Dash account are hosted in the Amazon Web Services ("AWS") EU (Ireland) region. Backups are stored in the AWS EU (Stockholm) region.
See the Dash Security Overview article for more information about our hosting and security policies.
Will my data ever be transferred outside of the EU?
Our EU data centres ensure that the main hosting of your Dash data remains in the EU. We use a select number of suppliers to help us provide our support and consultancy services to you, and some of these providers are based outside of the EU. For transfers outside of the EU, the GDPR requires that appropriate safeguards are in place to protect that data. All of our industry-leading suppliers offer the required safeguards so that these transfers are suitably protected.
More details on our carefully selected suppliers and international data transfer can be found on our Sub-Processors and International Data Transfer page.
Data is transferred to our offices in the UK as part of our support and consultancy work. International transfer of data is covered under the relevant GDPR rules. Our Terms and Conditions include the required contracting commitments to ensure such transfer is fully compliant.
What security measures does Dash have in place to protect customer data?
Our data centres are provided by Amazon Web Services ("AWS"), which is an industry-leading supplier of hosting services for organisations across the globe. AWS have extensive security in place along with a robust approach to compliance - more details on AWS's policies can be found here.
We are ISO27001:2013 certified, and security of data is a consideration for each aspect of our products and services. Our hosting infrastructure, as well as being protected by AWS's services, includes several layers of protection, including data encryption, backups, regular security patching and strong access controls. Security is a key consideration in our product development and we're also rolling out improvements to security when we transfer your data outside of Asset Bank.
Our Dash Security Overview article has more information on how we protect your data.
Can we audit your compliance and will you complete a security questionnaire for us?
We are committed to ensuring that our customers can be confident in our compliance and provide several resources to support an audit of our security and practices, all in line with GDPR requirements.
For those seeking detailed information about our specific security practices, we can provide on request:
A pre-populated security questionnaire that covers a range of information organisations typically need to find out in order to assess our services.
Our Information Security Policy and Data Protection Policy
Evidence of the independent external audits of our security practices, demonstrating our ISO27001:2013 compliance and our GDPR compliance.
Our aim is for these sources to provide sufficient information for our customers to assess our security and consider if our practices meet their requirements. Where further details are required our support team will be happy to answer specific questions.
Our Data Processing Agreement makes additional allowances for us to support our customers with any further auditing, as an additional chargeable service.
Do you have a GDPR Data Processing Agreement or compliant contract I can sign up to?
Our Data Processing Agreement and the Standard Contractual Clauses are both included in our Dash Terms and Conditions.
Will you only process our data in accordance with our instructions, and for the purpose of providing your services to us?
Yes - we will only ever process your data for the purposes of providing our services to you: specifically, for the purposes of providing your Dash, along with any support services or consultancy that you may ask us to provide. We will never use your data for any other purposes without your written instructions or permission.
Is access to our data restricted to only those people who need it?
Yes - access to our customers' data is carefully controlled. Only those within the company who need access to provide our services to you are able to access Asset Banks. Access to the infrastructure of our cloud hosting services is additionally strictly limited to members of our infrastructure team. We never use client data in our testing or development process.