Security and Compliance
Dimension Four users and customers trust us to keep their data safe. We take security very seriously and aim to be as clear and open as possible about the way we handle security.
If you would like to report a security concern or a potential vulnerability, please contact firstname.lastname@example.org.
GDPR and CCPA Compliance
Dimension Four complies with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We follow industry best practices for security and privacy, and we handle our customers' personal data with care, as detailed in our Data Processing Agreement. Our third-party processors are carefully selected and are contractually bound to the same obligations.
Infrastructure Compliance and Security
Amazon Web Services (AWS)
Global certifications and attestations held by AWS include:
- CSA (Cloud Security Alliance Controls)
- PCI DSS Level 1 (Payment Card Standards)
- ISO 9001 (Global Quality Standard)
- ISO 27001 (Security Management Controls)
- ISO 27017 (Cloud-Specific Controls)
- ISO 27018 (Personal Data Protection)
- SOC 1 (Audit Controls Report)
- SOC 2 (Security, Availability & Confidentiality Report)
- SOC 3 (General Controls Report)
For a full list of infrastructure certifications, please refer to the AWS Compliance Programs.
Dimension Four employees do not have physical access to data centres, nor do they have any access to the underlying Amazon infrastructure.
Physical and environmental controls, network security and data security are described in the Amazon Web Services Security Whitepaper, which covers:
- Network isolation and access
- Encryption in flight and at rest
- Granular database auditing
MongoDB Atlas undergoes independent verification of platform security, privacy, and compliance controls.
MongoDB Atlas' security controls and features, including data storage, access controls and application security, are described in their white paper, which covers:
- Virtual machines
- Project security
- Data encryption
- Networking security
- Networking with VPC peering
- Granular database auditing
We keep all your data private and safe.
Access Control Management
All access to our infrastructure is granted on the principle of least privilege. Only a small, hand-picked group of experienced employees has access to production servers. As part of our Corporate Security measures, this access is granted, reviewed and revoked in step with each employee's lifecycle at the company (onboarding, role changes and offboarding).
All access to the Dimension Four user interface and API is over HTTPS, that is, HTTP encrypted with Transport Layer Security (TLS). Encryption in transit protects your data and credentials against interception and tampering by third parties on the network path.
All our data, including Amazon S3 buckets and databases, is backed up:
- hourly, retained for one day
- daily, retained for 7 days
- weekly, retained for a month
- monthly, retained for a year
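The schedule above is a tiered (grandfather-father-son) rotation: a snapshot is kept as long as it is still inside the window of at least one tier it belongs to. The following Python is an added illustration of that pruning rule and is not Dimension Four's own tooling. It assumes a convention the page does not state (every snapshot counts as hourly, the 00:00 snapshot is the day's daily one, Monday's 00:00 snapshot is the weekly one, the 1st-of-month 00:00 snapshot is the monthly one), approximates a month as 30 days and a year as 365 days, and runs on constructed timestamps rather than real backup metadata.

```python
from datetime import datetime, timedelta

# Retention windows from the page's schedule. "Month" and "year" are
# approximated as 30 and 365 days; that is an assumption of this example.
RETENTION = {
    "hourly":  timedelta(days=1),
    "daily":   timedelta(days=7),
    "weekly":  timedelta(days=30),
    "monthly": timedelta(days=365),
}


def tiers_for(ts):
    """Tiers a snapshot taken at `ts` counts toward.

    Assumed convention (not stated on the page): every snapshot is an hourly
    one; the 00:00 snapshot is also the daily one; Monday's 00:00 snapshot
    is the weekly one; the 00:00 snapshot on the 1st is the monthly one.
    """
    tiers = {"hourly"}
    if ts.hour == 0 and ts.minute == 0:
        tiers.add("daily")
        if ts.weekday() == 0:      # Monday
            tiers.add("weekly")
        if ts.day == 1:
            tiers.add("monthly")
    return tiers


def should_keep(ts, now):
    """A snapshot survives while any tier it belongs to still retains it."""
    age = now - ts
    if age < timedelta(0):
        # Future-dated snapshot (clock skew): never delete on the basis of age.
        return True
    return any(age <= RETENTION[tier] for tier in tiers_for(ts))


def prune(snapshots, now):
    """Split snapshot timestamps into (keep, delete) lists under the schedule."""
    keep, delete = [], []
    for ts in sorted(snapshots):
        (keep if should_keep(ts, now) else delete).append(ts)
    return keep, delete


# Constructed sample data: a reference clock and nine snapshot timestamps
# chosen to exercise each tier boundary.
NOW = datetime(2024, 3, 15, 12, 0)
SNAPSHOTS = [
    datetime(2024, 3, 15, 9, 0),   # 3h old, hourly           -> keep
    datetime(2024, 3, 14, 9, 0),   # 27h old, hourly only     -> delete
    datetime(2024, 3, 14, 0, 0),   # Thursday daily, 1.5d old -> keep
    datetime(2024, 3, 5, 0, 0),    # Tuesday daily, 10.5d old -> delete
    datetime(2024, 3, 4, 0, 0),    # Monday weekly, 11.5d old -> keep
    datetime(2024, 2, 5, 0, 0),    # Monday weekly, 39.5d old -> delete
    datetime(2024, 2, 1, 0, 0),    # monthly, 43.5d old       -> keep
    datetime(2023, 4, 1, 0, 0),    # monthly, 349.5d old      -> keep
    datetime(2023, 3, 1, 0, 0),    # monthly, 380.5d old (leap year) -> delete
]

if __name__ == "__main__":
    kept, dropped = prune(SNAPSHOTS, NOW)
    for ts in kept:
        print("keep  ", ts.isoformat(), sorted(tiers_for(ts)))
    for ts in dropped:
        print("delete", ts.isoformat(), sorted(tiers_for(ts)))
```

Two points are worth checking in any real implementation of such a schedule: a snapshot should never be deleted while an older tier still covers it (the monthly snapshot from 2024-02-01 is far outside the hourly and daily windows but is kept), and "a year" measured in days crosses leap years differently from a calendar year, which is why the 2023-03-01 snapshot is already out of window on 2024-03-15.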
Development and Releases
We follow a strict testing procedure (automated and manual) for every release of new versions and components.
We keep our code secure. Our developers receive ongoing training and are required to follow industry best practices for secure software development, such as the OWASP guidelines.
All employees at Dimension Four have signed confidentiality agreements.
Access to data is extremely restricted. Employees are only given access to systems they require for their roles. We have strict and secure onboarding and offboarding processes for employees.
No passwords are stored in plaintext in any of the tools we use. We use 1Password as a password management service to store sensitive information, such as website credentials, in encrypted vaults.
Multi-factor authentication is enforced on the main services Dimension Four employees rely on.
Code Peer Review and Quality Assurance (QA)
Our development process follows a strict GitHub Flow based on pull requests. Our continuous integration/continuous delivery (CI/CD) pipeline protects against regressions, and every pull request is reviewed by a second engineer before it is merged, so that features land with the fewest possible bugs and vulnerabilities.
Each new feature is first deployed to our staging environments (which do not contain any production data) to perform QA and testing.