Compliance - DataLocker Inc.

SIMPLY SECURE
COMPLIANCE WITH
DATALOCKER

Security runs through everything we do. Every industry has its own set of stringent regulations, policies, mandates and procedures that dictate how businesses manage and control data. Enabling control of data regardless of where it lives, setting individual permissions, and locking down sensitive data when needed is what sets DataLocker apart as a partner.

COMPLIANCE USE CASES

Companies in the most heavily regulated industries turn to DataLocker to ensure compliance with some of the strictest governmental regulations.

Healthcare
Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH)

Government
Criminal Justice Information Services (CJIP)

Legal
Federal Rules of Civil Procedure (FRCP)

Financial Services
Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Compliance (SOX), Gramm-Leach-Bliley Act (GLBA), Federal Financial Institutions Examination Council (FFIEC)

Energy
Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA or Superfund), Resource Conservation and Recovery Act (RCRA), Clean Water Act, Clean Air Act

Manufacturing
FDA – Good Manufacturing Practices (GMP); For those in manufacturing sectors regulated by the FDA, these solutions must be compliant with Title 21 CFR Part 11 and Part 820. International industry standards include: ISO 9001, ISO 13845, IEC 61215, IEC 61646.

CMMC (Cybersecurity Maturity Model Certification)

Ensures defense contractors implement adequate cybersecurity practices. DataLocker’s SafeConsole DeviceControl and PortBlocker, along with hardware-encrypted USB storage, help maintain data security in accordance with CMMC requirements by managing and protecting sensitive defense information.

HIPAA (Health Insurance Portability and Accountability Act)

Regulates the handling of protected health information (PHI) in the healthcare sector. DataLocker’s solutions ensure secure storage, transfer, and access to PHI, meeting HIPAA’s strict privacy and security rules.

SOX (Sarbanes-Oxley Act)

Mandates the secure retention and management of financial data. DataLocker’s SafeConsole DeviceControl, PortBlocker, and hardware-encrypted USB storage safeguard financial information, helping organizations maintain SOX compliance.

SOC2 (Service Organization Control 2)

Sets criteria for managing customer data based on security, availability, processing integrity, confidentiality, and privacy. DataLocker’s solutions support SOC2 compliance by providing secure data management and protection.

ISO 27001

An international standard for information security management systems (ISMS). DataLocker’s products align with ISO 27001’s risk management and security controls, ensuring a comprehensive ISMS.

NIS2 (Network and Information Systems Directive 2)

Aims to protect essential services and digital service providers from cyber threats. DataLocker’s solutions help organizations adhere to NIS2 by securing sensitive data and maintaining robust cybersecurity practices.

CCPA (California Consumer Privacy Act)

Regulates the handling of California residents’ personal information. DataLocker’s products support CCPA compliance by safeguarding personal data and preventing unauthorized access.

GDPR (General Data Protection Regulation)

Protects EU citizens’ personal data and privacy. DataLocker’s solutions facilitate GDPR compliance by ensuring secure data storage, transfer, and access while upholding data subjects’ rights.

FISMA (Federal Information Security Management Act)

Requires federal agencies to secure their information systems. DataLocker’s products help agencies meet FISMA requirements by safeguarding sensitive information and maintaining secure information systems.

GLBA (Gramm-Leach-Bliley Act)

Regulates the protection of consumer financial information by financial institutions. DataLocker’s solutions ensure secure data storage and access, meeting GLBA’s privacy and safeguard rules.

PIPEDA (Personal Information Protection and Electronic Documents Act)

Governs the collection, use, and disclosure of personal information in Canada. DataLocker’s products support PIPEDA compliance by securely managing and protecting personal data.

POPIA (Protection of Personal Information Act)

Regulates the processing of personal information in South Africa. DataLocker’s solutions help organizations comply with POPIA by ensuring secure data storage, transfer, and access.

PDPA (Personal Data Protection Act)

Protects individuals’ personal data in Singapore. DataLocker’s products facilitate PDPA compliance by securely managing and protecting personal data while upholding individuals’ rights.

UK GDPR (UK General Data Protection Regulation)

Following Brexit, the UK adopted its own version of GDPR, which aligns closely with the EU GDPR. The UK GDPR protects UK citizens’ personal data and privacy. DataLocker’s solutions facilitate UK GDPR compliance by ensuring secure data storage, transfer, and access while upholding data subjects’ rights.

DPA (Data Protection Act)

2018 The DPA 2018 supplements the UK GDPR by providing additional regulations regarding data processing, protection, and privacy. DataLocker’s products support DPA 2018 compliance by securely managing and protecting personal data in line with the act’s requirements.

HITECH (Health Information Technology for Economic and Clinical Health) Act

A US regulation that complements HIPAA and promotes the adoption of health information technology. DataLocker’s solutions support HITECH compliance by securing electronic protected health information (ePHI) and maintaining the privacy and security provisions outlined in the act.

DATA CENTER SECURITY

We understand that our information security practices are important to you and we want you to have confidence in how we secure the data you entrust to us. Below, you will find further detail on how we are protecting one of your greatest assets: your data.

Compliance SafeConsole Cloud
All SafeConsole data centers meet the following compliance standards: CSA, ISO 9001, ISO 27001, ISO 27017, ISO 27081, PCI DSS Level 1, SOC 1, SOC 2, SOC 3. Also, please note that SafeConsole Cloud is a single-tenant solution, meaning that only your company’s service is hosted on that specific virtual server. Note also that no actual data from the storage products is saved on the cloud. Only SafeConsole, the management console, is hosted on the cloud.

SafeConsole data centers are located in the following locations:

• US East (Ohio)
• US East (N. Virginia)
• Canada (Central)
• Asia Pacific (Singapore)
• Europe (Ireland)
• Europe (London)

 

 

Compliance IronKey EMS Cloud
The IronKey EMS Cloud data centers have been certified by national and/or international security standards. No actual data from the storage products is saved on the cloud. Only IronKey EMS Cloud, the management console, is hosted on the cloud.

• The California USA facilities are SSAE16 SOC-2 Type II certified.
• The Virginia USA facilities are SSAE16 SOC-2 Type II certified.
• The Kansas City, Kansas, USA facility is SSAE16 SOC-2 Type II certified.

General Data Center Protection
• DataLocker has completed a SOC 2 Audit.
• Our data centers manage physical security 24/7 with access controls.
• We have DDOS mitigation in place at all of our data centers.
• We have a documented disaster recovery infrastructure continuity plan.
• All network traffic is encrypted.

Protection from Data Loss and Data Corruption
• All databases are kept separate and dedicated to preventing corruption and overlap. We have multiple layers of logic that segregate user accounts from each other for our multi-tenant environment.
• Account and instance data is mirrored and regularly backed up off-site.

Application Level Security
• DataLocker account passwords are hashed. Our own staff can’t even view them. If you lose your password, it can’t be retrieved—it must be reset.
• All login pages (from our website and mobile website) pass data via TLS.
• Login pages have brute force protection. We perform regular security penetration tests throughout the year.

Internal IT Security
• DataLocker offices are secured by biometrics, keycard and or key access, and they are monitored 24/7 with infrared cameras throughout.
• Our office network is heavily segmented and centrally monitored.
• We have an internal security team that constantly monitors our environment for vulnerabilities. They perform penetration testing and social engineering exercises on our environment and our employees. Our security team includes CISSP certified members.

Internal Procedures and Education
• We continuously train employees on best security practices, including how to identify social engineering, phishing scams, and hackers.
• Employees on teams that have access to customer data (such as tech support and our engineers) undergo criminal history and credit background checks prior to employment.
• All employees sign an agreement outlining their responsibility in protecting customer data.

Most DataLocker products are FIPS 140-2 validated, issued by the National Institute of Standards and Technology (NIST). FIPS validated DataLocker products are a cost-effective way to comply with directives that require data encryption.

DataLocker’s mobile security products are used by the world’s most security conscious and demanding organizations. To make sure these products exceed the security and reliability expectations of customers, DataLocker places significant importance on achieving the highest level of certifications, validation, and industry compliance. DataLocker continues to update and maintain certifications. This page includes updates and links for DataLocker certifications and industry compliance.

Device Certificate
DataLocker DL2 Declaration of Conformity
DataLocker DL3 Declaration of Conformity
DataLocker DL3 FE Declaration of Conformity
DataLocker DL4 FE Declaration of Conformity
DataLocker(IronKey) H100 Declaration of Conformity
DataLocker(IronKey) H200 Declaration of Conformity
DataLocker(IronKey) H300 Declaration of Comformity
DataLocker(IronKey) H350 Declaration of Comformity
DataLocker Sentry K300 Declaration of Conformity
DataLocker Sentry K350 Declaration of Conformity
DataLocker Sentry 3 Declaration of Conformity
DataLocker Sentry 5 Declaration of Conformity
DataLocker Sentry FIPS Declaration of Conformity
DataLocker Sentry EMS Declaration of Conformity
DataLocker Sentry ONE Declaration of Conformity
DataLocker Sentry SafeStick Declaration of Conformity
DataLocker Sentry EncryptDisc Declaration of Conformity
DataLocker Sentry AlphaCam Declaration of Conformity
Device FIPS Level FIPS 140 -2 Certificate #
DataLocker DL2 FIPS 140-2 level 1 #1504
DataLocker DL3 FE FIPS 140-2 level 1 validated crypto chip #1472
DataLocker DL4 FE FIPS 140-3 Level 3 certified (pending)* device MIP and IUT
DataLocker Sentry K350 FIPS 140-3 Level 3 certified (pending)* device MIP and IUT
DataLocker Sentry 5 FIPS 140-3 Level 3 certified (pending)* device MIP and IUT
DataLocker Sentry EMS FIPS 140-2 level 3 #2929
DataLocker Sentry 3 FIPS FIPS 140-2 level 3 #2753
DataLocker Sentry ONE FIPS 140-2 level 3 #2929
DataLocker Sentry K300 FIPS 197 Approved Algorithms AES (Cert. #5695) and SHS (Cert. #4565)
DataLocker EncryptDisc FIPS 140-2 Level 1 256-bit AES encryption #819
DataLocker(IronKey) H100 Contains the FIPS 140-2 Level 3 Validated Bluefly Security Processor* #1269
DataLocker(IronKey) H200 Biometric Contains the FIPS 140-2 Level 3 Validated Bluefly Security Processor* #1269
DataLocker(IronKey) H350 FIPS 140-2 Level 3 certified device #2826
DataLocker SafeCrypt FIPS 140-2 Level 1 #2768
Device CSPN Level Certificate Number
DataLocker Sentry ONE First level security certification CSPN-2022/07
Device BSI Level Further information
DataLocker Sentry ONE The CSPN certificate is recognized by the BSI as comparable to a certificate according to the Beschleunigte Sicherheitszertifizierung (BSZ) scheme. BSI Press Release