We are committed to the security and privacy of your data.
SOC 2 Type 1 Compliant, Type 2 in Progress
We are proud to be SOC 2 Type 1 compliant, and we are actively working towards achieving Type 2 compliance. Our comprehensive report demonstrates the utmost security, accessibility, and confidentiality of your data. Please reach out to us to request a copy.
If you are a resident of the European Union or the United Kingdom, you are entitled to certain information and have certain rights under the General Data Protection Regulation (Regulation (EU) 2016/679) and the equivalent laws of the United Kingdom (the “GDPR”). Those rights include:
- The right of access to your information.
- The right to rectify your information if it is incorrect or incomplete.
- The right to have your information erased (“right to be forgotten”) if certain grounds are met.
- The right to withdraw your consent to our processing of your information at any time (if our processing is based on consent).
- The right to object to our processing of your information (if processing is based on legitimate interests).
- The right to object to our processing of your information for direct marketing purposes.
- The right to receive your information from us in a structured, commonly used and machine-readable format, and the right to transmit your information to another controller without hindrance from us (data portability).
If you are located in the European Union or United Kingdom and you are or have been a user of our services, we may send you marketing communications based on our legitimate interests, subject always to your right to opt out of such communications. Further, if you are located in the European Union or United Kingdom, we will never share your information with a third party for such third party’s marketing purposes, unless you have specifically consented to us doing so.
You may contact us at email@example.com to exercise any of the above rights. We may request specific information from you to confirm your identity, and in some circumstances, we may charge a reasonable fee for access to your information.
Furthermore, if you believe that our processing of your information is inconsistent with your data protection rights under the GDPR and we have not adequately addressed your concerns, you have the right to lodge a complaint with the data protection supervisory authority of your country.
If we will be processing personal data on your behalf that is subject to the GDPR, we will enter into a Data Processing Addendum (DPA) with you in compliance with GDPR requirements. Please contact us for a copy of our DPA.
We adhere to the OWASP guidelines throughout the entire SDLC process, incorporating industry-standard security practices. Our expert team has extensive experience in identifying, addressing, and mitigating common vulnerabilities, ensuring that your applications are developed with security at the forefront.
A. Authentication: Duetto uses role-based security architecture and requires users of the system to be identified and authenticated prior to the use of any system resources. Resources are protected through the use of native system security and add-on software products that identify and authenticate users and validate access requests against the users’ authorized roles in access control lists. All personnel accessing production systems are required to use a token-based, two-factor authentication system.
Customers access Duetto resources through the Internet using HTTPS. Users must supply a valid user ID and password or use single sign-on (SSO).
B. Access: We limit access strictly on a need-to-know basis. Only an approved and extremely restricted number of personnel have direct access to production servers and administrative features such as impersonation. Other Duetto personnel are provisioned read-only access by default. Privileged access to our infrastructure and backend follows a least-privilege policy.
- Tenant Isolation: Our SaaS product ensures robust isolation between tenants, providing each user with a secure and independent environment.
- RS1 - Mongo MetaData: We use RS1 - Mongo MetaData to enhance the security of our product's data storage and management.
- Individual Logins: Each user is granted a unique login, enabling personalized access and authentication, thereby reinforcing the overall security of the system.
- Encryption at Rest and in Transit: Our product implements comprehensive encryption measures to safeguard data both while it is stored (at rest) and during transmission (in transit).
- User Roles and Permissions: Our product incorporates a hierarchical user management system, allowing for distinct roles such as SuperAdmins, Admins, and Users. Each role is assigned specific privileges and permissions to ensure proper access control.
- Configurable Security Settings: Our product provides the flexibility to configure and customize security settings at various levels, including individual users, groups, hotels, or other user-defined entities.
By implementing these robust security measures, our SaaS product protects sensitive data and offers a customizable security framework to cater to the unique needs of your organization or user groups.
Duetto uses the Elastic Load Balancer within AWS to distribute incoming traffic across multiple healthy targets and increase application and network availability. To enhance the security of our Application Load Balancers (ALBs) and Network Load Balancers (NLBs), we require that all load balancers that accept HTTPS traffic use at least TLS 1.2.
Older TLS versions and legacy SSL protocols have known security flaws and do not adequately protect data in transit. Duetto also follows the AWS Well-Architected Framework to achieve best practices related to operational excellence, security, reliability, performance efficiency, and cost optimization.
We use the following best practices for protecting data in transit:
- Enforcing encryption in transit.
- Authenticating network communications.
- Automating detection of unintended data access.
- Using AWS PrivateLink where required.
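A minimum-TLS requirement on load balancers is only as good as the check that enforces it. The following is an added example, not Duetto's code: it audits listener records in the shape returned by the AWS `elbv2 describe-listeners` API against a "TLS 1.2 or better" rule, using the minimum protocol version of a few AWS predefined ELB security policies. The listener records and the ARNs in them are constructed inline so the check runs offline; the `ELBSecurityPolicy-Example-Unknown` name is a placeholder for a policy the table does not know.

```python
"""Audit ALB/NLB listeners for a minimum negotiated TLS version.

Added example, not Duetto's code. The listener dicts below are constructed
in the shape of the AWS elbv2 DescribeListeners response so that the same
function could be pointed at real API output.
"""
from dataclasses import dataclass
from typing import List, Optional

# Lowest protocol version each AWS predefined ELB security policy negotiates.
# Only a handful of well-known policies are listed; anything else is flagged
# for manual review rather than silently accepted.
POLICY_MIN_TLS = {
    "ELBSecurityPolicy-2016-08": "TLSv1",               # TLS 1.0, 1.1, 1.2
    "ELBSecurityPolicy-TLS-1-1-2017-01": "TLSv1.1",     # TLS 1.1, 1.2
    "ELBSecurityPolicy-TLS-1-2-2017-01": "TLSv1.2",     # TLS 1.2 only
    "ELBSecurityPolicy-FS-1-2-Res-2019-08": "TLSv1.2",  # TLS 1.2, forward secrecy
    "ELBSecurityPolicy-TLS13-1-2-2021-06": "TLSv1.2",   # TLS 1.2 and 1.3
}

TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
REQUIRED_MIN = "TLSv1.2"  # the requirement stated on the page

@dataclass
class Finding:
    listener_arn: str
    protocol: str
    policy: Optional[str]
    status: str  # ok | weak | unknown-policy | redirect-to-https | cleartext

def _redirects_to_https(listener: dict) -> bool:
    """True if the listener's default action is an HTTP -> HTTPS redirect."""
    for action in listener.get("DefaultActions", []):
        cfg = action.get("RedirectConfig", {})
        if action.get("Type") == "redirect" and cfg.get("Protocol") == "HTTPS":
            return True
    return False

def audit_listener(listener: dict, required_min: str = REQUIRED_MIN) -> Finding:
    arn = listener["ListenerArn"]
    protocol = listener.get("Protocol", "")
    policy = listener.get("SslPolicy")
    if protocol not in ("HTTPS", "TLS"):
        # No TLS termination here: a port-80 redirect to HTTPS is acceptable,
        # anything else serves cleartext.
        status = "redirect-to-https" if _redirects_to_https(listener) else "cleartext"
        return Finding(arn, protocol, policy, status)
    min_tls = POLICY_MIN_TLS.get(policy or "")
    if min_tls is None:
        return Finding(arn, protocol, policy, "unknown-policy")
    meets = TLS_ORDER.index(min_tls) >= TLS_ORDER.index(required_min)
    return Finding(arn, protocol, policy, "ok" if meets else "weak")

def audit_listeners(listeners: List[dict], required_min: str = REQUIRED_MIN) -> List[Finding]:
    return [audit_listener(l, required_min) for l in listeners]

def noncompliant(findings: List[Finding]) -> List[Finding]:
    """Everything that needs action: weak policies, cleartext, unknown policies."""
    return [f for f in findings if f.status not in ("ok", "redirect-to-https")]

# Constructed sample data (fake ARNs) covering each outcome.
ARN = "arn:aws:elasticloadbalancing:us-east-1:000000000000:listener/app/example/abc/"
SAMPLE_LISTENERS = [
    {"ListenerArn": ARN + "1", "Protocol": "HTTPS", "Port": 443,
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": ARN + "2", "Protocol": "HTTPS", "Port": 443,
     "SslPolicy": "ELBSecurityPolicy-2016-08"},            # still allows TLS 1.0
    {"ListenerArn": ARN + "3", "Protocol": "TLS", "Port": 8443,
     "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01"},    # NLB TLS listener
    {"ListenerArn": ARN + "4", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443",
                                            "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": ARN + "5", "Protocol": "HTTP", "Port": 8080,
     "DefaultActions": [{"Type": "forward"}]},             # cleartext, no redirect
    {"ListenerArn": ARN + "6", "Protocol": "HTTPS", "Port": 443,
     "SslPolicy": "ELBSecurityPolicy-Example-Unknown"},    # placeholder name
]

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_LISTENERS):
        print(f"{f.status:18} {f.protocol:5} {f.policy or '-':40} {f.listener_arn}")
    print(f"{len(noncompliant(audit_listeners(SAMPLE_LISTENERS)))} listener(s) need attention")
```

Policies absent from the table are reported as `unknown-policy` rather than passed, so a newly introduced or custom policy forces a review instead of slipping through; extend `POLICY_MIN_TLS` from the AWS documentation as new predefined policies appear.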
How We Secure and Protect Your Information
Our number one priority is to ensure that all customer data is handled securely and responsibly. Our data protection approach is informed by regulations, standards, and industry best practices, which are translated into our internal policies that govern how we operate.
Duetto securely retains customer data in accordance with the Master Service Agreement (MSA) and the agreed-upon terms. Our commitment to data protection is upheld through our utilization of the AWS platform for hosting our data infrastructure, employing robust encryption measures both at rest and during transit.
Storing data with AWS provides an additional layer of security for our customers. AWS maintains a highly secure and compliant environment, adhering to industry-leading security standards and regulations. Their infrastructure is designed with multiple layers of protection, including advanced firewalls, intrusion detection systems, and regular security audits.
Moreover, AWS offers a wide array of security features and services, such as Identity and Access Management (IAM) for controlling access to data, Virtual Private Clouds (VPCs) for network isolation, and comprehensive monitoring and logging capabilities. These measures help safeguard customer data from unauthorized access, ensuring its confidentiality, integrity, and availability.
Below we detail key aspects of our data protection and security practices:
- General Program Overview: Our information security and privacy practices are overseen by our Chief Product Officer. We have developed an Information Security Policy, aligned to industry standards such as SOC 2 and NIST.
- Authentication: Duetto uses role-based security architecture and requires users of the system to be identified and authenticated prior to the use of any system resources. Resources are protected through the use of native system security and add-on software products that identify and authenticate users and validate access requests against the users’ authorized roles in access control lists. All personnel accessing production systems are required to use a token-based, two-factor authentication system.
- Customers access Duetto resources through the Internet using HTTPS. Users must supply a valid user ID and password or use single sign-on (SSO).
- Access: We limit access strictly on a need-to-know basis. Only an approved and extremely restricted number of personnel have direct access to production servers and administrative features such as impersonation. Other Duetto personnel are provisioned read-only access by default. Privileged access to our infrastructure and backend administrative features is reviewed monthly.
- Encryption: Data is stored in only two places: our customer’s internet data warehouse and a single data bucket (e.g., S3). Duetto uses server-side encryption on AWS S3 (AES-256) by default to ensure that temporary (e.g., cache) storage is encrypted. Data in transit is encrypted using the latest stable, secure version of TLS (v1.2+).
- Vulnerability Management: We use Lacework for governance, compliance, operational auditing, risk auditing, and threat detection. We also perform annual penetration testing through a contracted third party.
- Retention: Our product strictly adheres to the data retention policies outlined in our Master Services Agreement (MSA) and contractual terms. Data is stored in accordance with AWS security standards, employing robust encryption measures. Furthermore, we maintain a rigorous daily backup routine, ensuring data preservation in long-term storage. Access to data is meticulously controlled, restricted to authorized individuals on a need-to-know basis, safeguarding confidentiality and privacy.
- Personnel Security: All Duetto personnel sign confidentiality agreements and undergo a background check before joining Duetto. Personnel receive security awareness training on key topics such as phishing, network security, email security, PII, and HIPAA compliance upon hire and at least annually thereafter.
- Secure Software Development: Duetto incorporates security into every phase of the software development life cycle (SDLC). Security is part of the planning phase and the RFP, long before a single line of code is written. We start testing our code and application early and test often. We use the Lacework security platform to find vulnerabilities in the source code throughout the development process. Our engineers also complete annual secure software development training.
- Backup: We store metadata about our customers' usage within AWS RDS, which is automatically backed up by AWS and tested manually on a quarterly basis.
- Incident or Breach Response: We use Lacework, AWS CloudTrail, and Amazon CloudWatch to review and monitor logs when investigating security incidents. We notify our customers within 12 hours of becoming aware of a confirmed security incident or breach. We test our incident response plan yearly.
- Current State of Audits and Certifications (Primarily SOC 2): Duetto is SOC 2 Type 1 compliant for security, availability, and confidentiality. Our business practices are also aligned to the requirements of GDPR and CCPA. To see our reports or our DPA (Data Processing Addendum), contact us at Security@duettocloud.com.