Compliance is a critical part of security – and a giant headache for most companies. For example, a Capgemini study found that only one out of three companies believed they were fully compliant with the General Data Protection Regulation (GDPR), the EU regulation that came into effect in 2018.
But it’s not just GDPR, or the California Consumer Privacy Act (CCPA), two critical pieces of consumer privacy regulation, that keep CISOs up at night.
Every industry has its own set of stringent regulations, policies, mandates and procedures that dictate how businesses manage and control data. Enabling control of data regardless of where it lives, setting individual permissions, and locking down sensitive data when needed is what sets DataLocker apart as a partner. Companies in the most heavily regulated industries turn to DataLocker to ensure compliance with some of the strictest governmental regulations.
- Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH)
- Criminal Justice Information Services (CJIS)
- Federal Rules of Civil Procedure (FRCP)
- Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Compliance (SOX), Gramm-Leach-Bliley Act (GLBA), Federal Financial Institutions Examination Council (FFIEC)
- Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA or Superfund), Resource Conservation and Recovery Act (RCRA), Clean Water Act, Clean Air Act
- FDA – Good Manufacturing Practices (GMP). For those in manufacturing sectors regulated by the FDA, these solutions must be compliant with Title 21 CFR Part 11 and Part 820. International industry standards include ISO 9001, ISO 13845, IEC 61215 and IEC 61646.
Most DataLocker products are FIPS 140-2 validated, with the validation issued by the National Institute of Standards and Technology (NIST). FIPS-validated DataLocker products are a cost-effective way to comply with directives that require data encryption.
Compliance is not just lip service for DataLocker
Security runs through everything we do.
While we enable you to keep up with the latest in data encryption regulations, we also take the same painstaking approach to your data. We often go beyond what any standard requires in terms of security, because we can and because there is a purpose to it. From our product portfolio, the DL3 FE hard drive is a great example of our commitment. It is the first and only encrypted external hard drive to feature dual crypto processors. Your data undergoes two passes of 256-bit encryption, using two different, independently generated random keys for unsurpassed security.
We understand that our information security practices are important to you and we want you to have confidence in how we secure the data you entrust to us. Below, you will find further detail on how we are protecting one of your greatest assets: your data.
Data Center Security
Our data centers have been certified by national and/or international security standards. Also, please note that SafeConsole Cloud is a single-tenant solution, meaning that only your company’s service is hosted on that specific virtual server. No actual data from the storage products is saved on the cloud. Only SafeConsole, the management console, is hosted on the cloud.
- The New York facility is SSAE16 SOC-1 Type II certified.
- The Amsterdam facility is ISO27001:2005 and ISO9001 certified.
- The San Francisco facility is SSAE16 SOC-1 Type II certified.
- The Singapore facility is ISO27001:2005 certified.
- The London facility is ISO9001:2008, ISO27001, and SSAE16 / ISAE 3402 certified.
The IronKey EMS Cloud data centers have been certified by national and/or international security standards. No actual data from the storage products is saved on the cloud. Only IronKey EMS Cloud, the management console, is hosted on the cloud.
- The California USA facilities are SSAE16 SOC-2 Type II certified.
- The Virginia USA facilities are SSAE16 SOC-2 Type II certified.
- The Kansas City, Kansas, USA facility is SSAE16 SOC-2 Type II certified.
- Our data centers manage physical security 24/7 with access controls.
- We have DDoS mitigation in place at all of our data centers.
- We have a documented disaster recovery and infrastructure continuity plan.
- All network traffic is encrypted.
- All databases are kept separate and dedicated to preventing corruption and overlap. We have multiple layers of logic that segregate user accounts from each other for our multi-tenant environment.
- Account and instance data is mirrored and regularly backed up off-site.
- DataLocker account passwords are hashed. Our own staff can’t even view them. If you lose your password, it can’t be retrieved—it must be reset.
- All login pages (from our website and mobile website) pass data via TLS.
- Login pages have brute force protection.
- We perform regular security penetration tests throughout the year.
- DataLocker offices are secured by biometrics, keycard and/or key access, and they are monitored 24/7 with infrared cameras throughout.
- Our office network is heavily segmented and centrally monitored.
- We have an internal security team that constantly monitors our environment for vulnerabilities. They perform penetration testing and social engineering exercises on our environment and our employees. Our security team includes CISSP-certified members.
- We continuously train employees on best security practices, including how to identify social engineering, phishing scams, and hackers.
- Employees on teams that have access to customer data (such as tech support and our engineers) undergo criminal history and credit background checks prior to employment.
- All employees sign an agreement outlining their responsibility in protecting customer data.
Protecting Customer Instances and Accounts
To complete the protection, we offer you powerful tools:
- We monitor accounts for signs of abuse.
- We make 2-Factor Authentication available to our customers.
- We provide the ability to establish tiered-levels of access within accounts.
We Care About Your Privacy
- Our legal team partners with our developers and engineers to make sure our products and features comply with applicable international privacy laws.
- We have a local entity and office in the UK that provides guidance on our work on EU privacy issues and GDPR compliance.