Security Controls
Daily has implemented the following measures to protect your information security and keep your data private.
Access control (premises)
Preventing unauthorized persons from gaining access to data processing systems.
- Right to access generally limited to authorized personnel
- List of authorized personnel (manager approval required)
- Lockable cabinets for all digital media
- No customer data stored on-premise
Access control (systems)
Preventing data processing systems from being used without authorization.
- On-premise systems secured by passwords and full-disk encryption
- Cloud systems secured by 2FA
- AWS IAM access logging
Access control (data)
Ensuring that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization.
- Access rights based on roles and need to know
- Approval process for access rights; periodic reviews and audits
- Anti-virus and firewall systems
- Signed confidentiality undertakings
- Secure retention and full-disk encryption for all local storage media
- Secure and certified disposal of all local storage media
Transmission control
Ensuring that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to review and establish which bodies are to receive the personal data.
- Encrypted transfer of all data (TLS, SSH, DTLS, SRTP, SCTP)
- Encryption of in-call data and media streams: DTLS-SRTP, AES-256
Input control
Ensuring that it is possible to review and establish whether and by whom personal data have been input into data processing systems, modified or removed.
- Access rights based on roles and need to know
- Approval process for access rights; periodic reviews and audits
- Logging
Job control
Ensuring that the personal data is processed exclusively in accordance with job instructions.
- Diligently selecting (sub-)processors and other service providers
- Documenting selection procedures (privacy and security policies, audit reports, certifications)
- Backgrounds of service providers are checked; subsequent monitoring
- Standardized policies and procedures (including clear segregation of responsibilities); documentation of instructions received from data controller or main processor
- Specific process for urgent jobs (including subsequent written confirmation)
- Signed confidentiality undertakings
Availability control
Ensuring that personal data is protected from accidental destruction and loss.
- Redundant uninterruptible power supply (UPS)
- Air-conditioning, temperature and humidity controls (monitored 24x7)
- Disaster-proof housing (smoke detection, fire alarm, fire suppression, water detection, raised flooring, protection against severe weather conditions, pest repellent system)
- Electrical equipment monitored and logged, 24x7 support
- Daily backup snapshots of AWS Aurora MySQL database
- Disaster recovery plan
- Routine test runs of data recovery
- Anti-virus/firewall systems
Separation control
Ensuring that data collected for different purposes are processed separately.
- Separate systems for HR data and production/customer data
- Separation between production and staging/QA data
- Detailed management of access rights