Software Specifications
Security & IT Standards
To support your security and IT due diligence processes, we've summarized our current protocols, certifications, and controls below. These standards apply across all client environments supported by the ClearSquare and Domo infrastructure.

Data Encryption in Transit
Yes, all data in transit is encrypted using industry-standard TLS protocols.
- TLS versions supported: TLS 1.2, TLS 1.3
- Cipher suites: common secure suites include ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES128-GCM-SHA256
- Access: URL provided at time of onboarding for each client's portal instance

Data Separation
Client data is logically separated and securely isolated.
- Database: each client has a logically isolated schema on DigitalOcean Managed Databases
- Network: hosted within a dedicated VPC/subnet
- Files: stored in client-specific AWS S3 buckets with strict IAM-based access controls
- Application layer: shared, with strict tenant-based access controls and logical separation

Infrastructure Hardening
Our infrastructure is hardened to meet modern protection standards.
- Malware & patch management: automated and managed by DigitalOcean and AWS
- Firewall: network-level firewalls with "deny all by default" and explicit port rules (HTTPS only)
- Security practices: no unnecessary components or services; restricted system tools; regular vulnerability scans and patching; principle of least privilege enforced

Backup Security
- Encryption: all backups are encrypted at rest with AES-256
- DigitalOcean Managed DBs: encrypted automatic backups
- AWS S3: encrypted with SSE-S3 or SSE-KMS
- Access: controlled by role-based permissions and access logs

System Management Standards
We align our system management with ITIL and ISO 20000 principles.
- CI/CD workflows and automated deployment pipelines
- Provider-level incident management and rollback support

Information Security Compliance
Infrastructure partners (DigitalOcean, AWS, GitHub) hold certifications including ISO/IEC 27001, SOC 2 Type II, and more.
- DigitalOcean Trust Center
- AWS Compliance
- GitHub Security

Activity & Privileged Access Monitoring
- Admin activity: logged using native tools (e.g., CloudTrail, GuardDuty, GitHub logs)
- Privileged access: no shared accounts, MFA enforced, access is logged and permission-controlled
- Data export controls: USB, email, or unauthorized exports are restricted

Security Event Logging
- Threat monitoring: AWS GuardDuty; DigitalOcean system logs; GitHub dependency & secret scanning
- Detection & response: alerts for unusual behavior, brute-force attempts, and suspicious activity

Hosting Providers
- DigitalOcean (App Platform, Managed DBs)
- AWS (S3 file storage)
Both providers are ISO 27001 certified and undergo SOC 2 Type II audits.

Penetration Testing & SDLC Security
- Annual third-party network penetration tests
- Secure software development lifecycle includes code reviews, SAST & DAST tools, and CI/CD pipelines with secret scanning

Supplier & Dependency Security
- We only use vendors that meet industry-standard SDLC security practices
- Automated dependency scanning (e.g., GitHub Dependabot)
- Secure build pipelines with encrypted secrets

Pre-Deployment Reviews
All deployments undergo:
- Code reviews for best practices
- Dependency vulnerability scanning
- Manual and automated QA testing

Data Encryption at Rest
All data is encrypted using AES-256 encryption.
- App Platform: encrypted disk volumes
- Managed DBs: encrypted database storage and backups
- AWS S3: encrypted with SSE-S3 or SSE-KMS

Key Management
- AWS KMS for server-side encryption
- GitHub encrypted secrets for application secrets
- Access is tightly scoped and rotated regularly (quarterly, or automated where supported)

Admin Controls & Audit Logs
- Role management: multi-tiered access controls (super admins, admins, users)
- Activity logging: user logins/logouts, permission changes, page/workspace changes
- Logs exportable as Domo datasets or in XLS/CSV

Data Loss Prevention (DLP)
- Amazon GuardDuty for S3 threat detection
- IAM policies and private buckets enforce access restrictions

SSO & Password Security
- SSO support: SAML 2.0 via providers like Okta, Azure AD, Salesforce, etc.
- Password hashing: bcrypt with automatic salting

Business Continuity & Disaster Recovery
A formal response will be provided upon request by our operations team.

Security with Hosting Providers
Shared responsibility model:
- DigitalOcean: firewalls, automated patching
- AWS: GuardDuty, IAM, encryption
- GitHub: private repos, MFA, encrypted secrets

Vulnerability & Patch Management
- Scanning cadence: continuous (application), automated (infrastructure)
- Patch SLAs: critical 24–48 hrs; high 2–3 business days; medium 4–5 business days

Firewall Rules
- Monthly reviews
- Deny-all default, only HTTPS opened
- IAM-controlled S3 and CI/CD access via secure HTTPS

Intrusion Detection (IDS/IPS)
- GuardDuty serves as our IDS/IPS
- ML-powered anomaly detection across VPC, IAM, S3
- No agent installation required

OS & Console Security
- OS hardening: fully managed by DigitalOcean
- Client devices: access is enforced via MFA and scoped permissions
- Admin consoles: hardened by provider defaults (e.g., timeouts, MFA, access logs)

Antivirus / Malware Protection
All systems have real-time malware protection, managed by infrastructure providers, with routine updates and monitoring.

Let us know if you'd like supporting documents (e.g., certifications, penetration test summaries) or would like to schedule a security review call.
Contact: support@clearsquare.co
Portal site: https://clearsquare.co
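The "data encryption in transit" statement above names a concrete policy: TLS 1.2 or 1.3 only, with ECDHE key exchange and AES-GCM suites. The following is an added example, not ClearSquare's or Domo's own configuration, showing how such a policy is expressed and then audited with Python's standard `ssl` module, which is the kind of check a reviewer can run against any server context during due diligence. The function names (`build_policy_context`, `build_permissive_context`, `audit_context`) are assumptions chosen for this example; the cipher suite names are the ones the page lists, in OpenSSL notation.

```python
import ssl

# The two suites the page names as "common secure suites" (OpenSSL names).
POLICY_SUITES = (
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
)


def build_policy_context() -> ssl.SSLContext:
    """Server-side context enforcing the stated policy: TLS 1.2/1.3 only,
    and for TLS 1.2 only the listed ECDHE + AES-GCM (AEAD) suites.
    OpenSSL keeps its TLS 1.3 suites in a separate list; all are AEAD.
    (Example code; not the vendor's configuration.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0, TLS 1.1 refused
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(":".join(POLICY_SUITES))      # restricts the TLS 1.2 suite list
    return ctx


def build_permissive_context() -> ssl.SSLContext:
    """Contrast case: OpenSSL's DEFAULT cipher string, which still carries
    CBC (non-AEAD) suites. Built only so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("DEFAULT")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report what the context will actually negotiate.
    ssl.SSLContext.get_ciphers() lists each enabled suite with the protocol
    it belongs to and an 'aead' flag; anything that is not AEAD, or that
    belongs to a pre-TLS 1.2 protocol, is flagged as off-policy."""
    ciphers = ctx.get_ciphers()
    tls12 = sorted(c["name"] for c in ciphers if c["protocol"] == "TLSv1.2")
    flagged = sorted(
        c["name"] for c in ciphers
        if not c["aead"] or c["protocol"] not in ("TLSv1.2", "TLSv1.3")
    )
    return {
        "legacy_versions_rejected": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "tls12_suites": tls12,
        "flagged_suites": flagged,
    }


if __name__ == "__main__":
    for label, ctx in (("policy", build_policy_context()),
                       ("permissive", build_permissive_context())):
        print(label, audit_context(ctx))
```

Running the script prints the audit for both contexts: the policy context reports exactly the two listed TLS 1.2 suites and an empty flagged list, while the permissive one lists the CBC and legacy-protocol suites that OpenSSL's DEFAULT string still enables. The same `audit_context` check can be pointed at a real application's context to confirm that the statement on the page matches what the server will offer.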