Security

DATPROF’s mission is to make sure that software teams’ working lives are once again centered upon delivering or validating the quality of software, instead of worrying about test data bottlenecks. In this mission, especially from a compliancy perspective we believe that we should take care of security and this is one of our responsibilities.

In addition to the details presented on this page, information on the protection of information security is contained in our Information Security Policy which is available on request in electronic form.

Organizational Security

DATPROF’s security program is based on the concept of securing our organization and our software. Our security program is aligned with the ISO 27001 principles and is constantly evolving with updated guidance and new industry best practices.

Our security team is led by our Security Officer. The security team is responsible for the implementation and management of our Information Security Management System. The Security Officer is supported by the Board in the performance of his duties. He is the point of contact for employees in case of security breaches.

Data security

The focus of DATPROF’s security program is to prevent unauthorized access to internal DATPROF data (contract, HR files) and delivering secure software to customers. To this end, we take measures to identify and mitigate risks, implement best practices, and constantly develop ways to improve.

Secure development

DATPROF security program has built a robust secure development lifecycle, founded upon Gitlab. In this secure software development process we’ve identified six major steps. In one of the final steps within Gitlab we execute Static Application Security Testing (SAST) and dependency scanning and in the final step we execute Dynamic Security Testing (DAST). If the software passes all quality gates we’ve set, an executable can be delivered.

Network security

The network of DATPROF can only be used by employees of DATPROF. Dependent on the reason for using, employees may have access to specific directories. Guest can use the guest network of DATPROF. Systems and servers supporting the development and testing activities are hosted on a separate server. Servers and systems are hardened by removing unnecessary functions and/or functions are disabled, and default passwords are removed.

Network access to DATPROF’s production environment from open, public networks is protected by our VPN and firewalls. Connecting via our VPN can only be established if users are activated in our AD group which give them rights to use VPN.

Endpoint security

All workstations issued to DATPROF personnel are configured by DATPROF to comply with our standards for security. These standards require all workstations to be properly configured and updated. DATPROF’s standards configuration sets up workstations to have strong passwords, and lock when idle when working with customer data. Workstations run up-to-date monitoring software to report potential malware, unauthorized software, and mobile storage devices. Mobile devices that are used to engage in company business are required to be enrolled in the appropriate mobile asset management system.

Access control

To minimize the risk of data exposure, DATPROF adopted the principles of least privilege and role-based permissions when provisioning access – workers are only authorized to access data that they reasonably must handle in order to fulfill their responsibilities. All production access is reviewed at least biannually.

To further reduce the risk of unauthorized access to data, DATPROF enforces a multi-factor authentication for all access to systems with highly classified data.

System monitoring, logging and alerting

DATPROF monitors servers, workstations and mobile devices to retain and analyze a comprehensive view of the security state of its production infrastructure. VPN Access calls on all servers in DATPROF’s production network are logged. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. 

Disaster recovery and business continuity plan

DATPROF retains a backup of our production systems and environments in a separate location significantly different from the location of the primary operating environments. Backups are saved to this remote location at least once per day. DATPROF tests backups at least biannually to ensure they can be successfully restored.

The DATPROF software is also backed up to the separate location. Additionally we also deliver our source code, documentation and executables to a notary quarterly. On a yearly basis we deposit our software code to an escrow agent.

Vendor management

To run efficiently, DATPROF relies on sub-service organizations. Where those sub-service organizations may impact the security of DATPROF’s production environment, we take appropriate steps to ensure our security posture is maintained by establishing agreements that require service organizations to adhere to confidentiality commitments we have made. DATPROF monitors the effective operation of the organization’s safeguards by conducting reviews of all
service organizations’ controls before use and at least annually.

External validation

  • Security compliance

DATPROF is continuously monitoring, auditing, and improving the design and operating effectiveness of our security controls. These activities are regularly performed by both third-party credentialed assessors and DATPROF’s internal auditor. Audit results are shared with senior management and all findings are tracked to resolution in a timely manner.

  • Penetration testing

In addition to our compliance audits, DATPROF engages independent entities to conduct application-level and infrastructure-level penetration tests at least annually. Results of these tests are shared with senior management and are triaged, prioritized, and remediated in a timely manner.

  • Customer driven penetration tests

Our customers are welcomed to perform either security controls assessments or penetration testing on DATPROF’s applications. Please contact your account executive to learn about  options for scheduling these activities

Conclusion

We have an interest in protecting our software and therefor our and your data. Every person, team, and organization expects – and deserves – that their data is confidential and secured.. Safeguarding our software and executable is a responsibility we have to our customers, and we never stop working hard to maintain that trust. Please contact your account executive if you have any questions or concerns.