Security for DataLocker Web Services

DataLocker is a dedicated security company. Security runs through everything we do. We often go beyond what any standard requires in terms of security, because we can and because there is a purpose to it. From our product portfolio, the DL4 FE is a good example with true device level 3 certification and a Common Criteria EAL5+ certified controller. The DL4 touts an always-on hardware-based AES 256-bit XTS crypto engine that meets rigorous cryptographic standards.

We understand that our information security practices are important to you. While we don’t like to expose too much detail around our practices (as it can provide valuable information to the very people we are protecting ourselves against), we have provided some general information below to give you confidence in how we secure the data entrusted to us.

Data Center Security

Compliance SafeConsole Cloud

Our data centers have been certified by national and/or international security standards. Please note that SafeConsole Cloud is a single-tenant solution, meaning that only your company’s service is hosted on that specific virtual server. In addition, no actual data from the storage products is saved on the cloud. Only SafeConsole, the management console, is hosted on the cloud. SafeConsole Cloud utilizes Amazon Web Services (AWS) data centers in the United States, Canada, Asia Pacific, and Europe, depending on your organization’s location and/or requirements. More information on the applicable AWS certification(s) can be found here.

Compliance IronKey EMS Cloud

The IronKey EMS Cloud data centers have been certified by national and/or international security standards. No actual data from the storage products is saved on the cloud. Only IronKey EMS Cloud, the management console, is hosted on the cloud.

  • The California USA facilities are SSAE16 SOC-2 Type II certified.
  • The Virginia USA facilities are SSAE16 SOC-2 Type II certified.

General Data Center Protection

  • Our data centers manage physical security 24/7 with access controls.
  • We have DDoS mitigation in place at all of our data centers.
  • We have a documented disaster recovery infrastructure continuity plan.
  • All network traffic is encrypted.

Protection from Data Loss and Data Corruption

  • All databases are kept separate and dedicated to prevent corruption and overlap. We have multiple layers of logic that segregate user accounts from each other for our multi-tenant environment.
  • Account and instance data is mirrored and regularly backed up off-site.

Application Level Security

  • DataLocker account passwords are hashed. Our own staff can’t even view them. If you lose your password, it can’t be retrieved—it must be reset.
  • All login pages (from our website and mobile website) pass data via TLS.
  • Login pages have brute force protection.
  • We perform regular security penetration tests throughout the year.

Internal IT Security

  • DataLocker offices are secured by biometrics, keycard and/or key access, and they are monitored 24/7 with infrared cameras throughout.
  • Our office network is heavily segmented and centrally monitored.
  • We have an internal security team that constantly monitors our environment for vulnerabilities. They perform penetration testing and social engineering exercises on our environment and our employees. Our security team includes CISSP certified members.

Internal Procedures and Education

  • We continuously train employees on best security practices, including how to identify social engineering, phishing scams, and hackers.
  • Employees on teams that have access to customer data (such as tech support and our engineers) undergo criminal history and credit background checks prior to employment.
  • All employees sign an agreement outlining their responsibility in protecting customer data.

Protecting Customer Instances and Accounts

To complete the protection, we offer you powerful tools:

  • We monitor accounts for signs of abuse.
  • We make 2-Factor Authentication available to our customers.
  • We provide the ability to establish tiered levels of access within accounts.

We Care About Your Privacy

  • Our legal team partners with our developers and engineers to make sure our products and features comply with applicable international privacy laws.
  • We have a local entity and office in the Netherlands that provides guidance on our work on EU privacy issues and GDPR compliance.
  • Our privacy policy is certified for compliance with the EU-U.S./Swiss-U.S. Privacy Shield Frameworks.