Dash Security Overview

All about our security policies

Written by Charlie Pinker
Updated over a week ago

At Bright Interactive we take the security of your data seriously. This is why we are an ISO/IEC 27001:2013 (ISO 27001) certified supplier.

ISO 27001 is the international standard that describes best practice for an information security management system (ISMS). Certification to ISO 27001 demonstrates a company is following information security best practice, backed by an independent, expert assessment of whether your data is properly protected.

To help you understand the measures that we have in place to keep your data secure, we've put together the answers to some common questions here.

Where is my Dash data hosted?

Your application and all of your digital assets are hosted in the cloud with Amazon Web Services (AWS). AWS is a leading cloud hosting provider and adheres to many different compliance programs. All assets in your live Dash account are located in AWS EU (Ireland) and backups are located in AWS EU (Stockholm).

As well as the security provided by AWS itself, our own hosting infrastructure provides the additional security you would expect at the server and application level.

We are unable to offer hosting in specific/requested AWS regions currently.

How is the cloud-hosted infrastructure architected?

A cluster of Amazon EC2 servers, in our Virtual Private Cloud, is used to host the application, along with a set of RDS databases storing account-related data and asset metadata, and S3 storage to store your digital assets.

Dash uses system accounts to communicate with its database and S3. Each Dash account has its own set of users and they only have permission to view their own database and assets, providing a layer of logical separation.

What technical security controls are in place for my data?

Encryption

You access Dash from your web browser, and this is the only method of communication that is allowed between Dash and the internet. Any time you use Dash, you will see that the URL begins with https. This means that all information is encrypted, so that information like your login details is kept safe. When Dash needs to communicate with S3, we also use TLS (https) to encrypt any data in transit.

As well as encrypting data when it is in transit, we also encrypt it at rest. This means that all of your digital assets in the S3 bucket are encrypted, and we also encrypt your database to protect all of the information it contains.

Penetration testing

To maintain a high standard of security, there are certain controls that we have in place. We regularly run an industry-leading (Qualys) penetration test against our servers and the Dash application itself. We then assess those results and take any action necessary.

Monitoring and logging

To ensure that your Dash continues to run smoothly and effectively, we have automated real-time monitoring and logging about how the service is operating. This means that if there is an issue, our Infrastructure team are alerted immediately and can respond quickly.

Server access and specification

Our hosting environment is protected by industry-standard access controls, ensuring that only authorised people can access your data. Access to our cloud infrastructure is restricted to individual named accounts and all servers benefit from the same secure support and infrastructure. All servers are regularly updated with Amazon security updates.

Application security

Our developers follow industry best practices (OWASP) to ensure any changes to the application are secure. All changes to the application are subject to an end-to-end testing process and review before being released to any production environment.

We check for security vulnerabilities in all our application libraries on a daily basis and apply security patches promptly when they become available.

Data Segregation

Dash uses AWS RDS to store asset metadata and AWS S3 to store digital assets. Application permissions with access tokens isolate any data returned to ensure that only assets that users are permitted to see are available to them.

How is my data backed up?

Our backups operate at many levels to ensure that we can always restore your data.

Your digital assets are protected by versioning in S3. This means that even when you delete an asset from Dash, it will continue to exist in S3. We back up every asset to a different AWS region within the EU as soon as it is uploaded to Dash.

Our RDS databases are backed up on a rolling basis, giving us the ability to rewind the database to a specific point-in-time over the previous 30 days.

All of our backups are encrypted in transit and at rest.

What happens to my data if I cancel my subscription?

If you were to stop using Dash, all assets and metadata in your live and backed-up Dash account will be deleted within 90 days of that date, in a manner that makes it non-recoverable.

You own your data and retain the IPR to it at all times. We can export your data, to make sure you can get your up-to-date files and metadata.

Do you have disaster recovery plans in place?

Yes. In the event of an issue that means we need to recover from a disaster, we are able to restore Dash accounts directly from our backups. We test all of our disaster recovery plans at least annually.

What happens if there is a security or service incident?

Each of these types of incident has its own comprehensive process, which is communicated across the business. To date we have never had a security incident affect our customers' Dash accounts; however, we treat all potential security incidents with the highest priority. Our incident management process includes notification, resolution and mitigation procedures, with a focus on high levels of customer communication and speed to resolution.

Our incident management procedure has recently been updated to include notification requirements under GDPR. We treat all of our customers' data as potentially personal data under GDPR and so any security incident leading to a data breach would be notified to our customers under this procedure. This includes a commitment to notify our customers within 24 hours of becoming aware of the incident.

Can I see a copy of your ISO 27001 certification?

You can download our ISO 27001 certificate by clicking this link.
