Information and Data Security Statement

Last updated 06/02/2017

This statement exclusively covers Dialog’s policies and practices regarding information and data security. It's not a recapitulation of the law, nor does it attempt to define good conduct outside of the security context.

Operational Security

Dialog is a software-as-a-service (SaaS) business. The company has a dedicated operations team that is responsible for ensuring the safe operation of Dialog’s websites. Members of this team are carefully vetted for reliability and responsibility, and are trained to be knowledgeable about and aware of sensitive information.

Production Passwords and Credentials

All passwords and credentials that enable access to Dialog’s production system are stored in secure systems that are only accessible to authorized staff.

Production Access

Only authorized staff has direct access to production machines. Development staff members have limited access to production services for debugging purposes, and only select authorized individuals have access to Dialog’s data stores for analytics purposes (see Data Security, below).

Change Management

Dialog uses automated configuration management to ensure that all changes are applied in a deliberate manner. Every change to production, except in cases of emergency, goes through the following stages:

  1. The change is implemented and tested in a sandbox environment;
  2. The change is committed to configuration management and applied to the testing environment;
  3. The change is reviewed by one or more authorized staff members, and the testing environment is vetted to ensure that the change is effective;
  4. The change is applied to the production environment;
  5. Changes with operational impact are only applied during pre-announced maintenance windows.

General Security Practices

  • All access to production systems is via channels secured by virtual private network (VPN) or secure shell (SSH).
  • No node or service is allowed to communicate with other services without credentials.
  • Only services intended for general consumption are publicly available.
  • All systems log to a central repository for analysis and change tracking.
  • Continuous backups of data are made and stored in redundant locations.
  • Only authorized personnel may access or restore any data from the backup data sets.
  • Configuration of systems and services is performed automatically by programs vetted for security deficits.
  • Dialog continuously monitors and responds to active and emerging security threats, especially the Open Web Application Security Project (OWASP) Top 10 and Community Emergency Response Teams (CERT) advisories.
  • Security updates are applied within seven (7) days in non-emergency cases or more rapidly in the case of an urgent threat.

Data Security

Securing data in Dialog’s platform includes securing relational databases, online caches, and backups.

  • All live data storage systems are separate from other services and can only be accessed via randomly generated credentials, which are managed by authorized personnel and rotated quarterly.
  • All systems with live data storage restrict direct access to authorized personnel.
  • Backups use at-rest encryption and only the nodes performing backups and authorized personnel have access to credentials.

Data Access

A select group of Dialog staff have limited, read-only access to real-time data for analytics purposes. The need for this access is reviewed on a quarterly basis.

Only data that does not contain any personally identifiable information (PII) may be sent to third-party services for business intelligence analysis.

Platform Security

Dialog’s platform also contains a number of security measures to ensure the secure performance of its services.

  • SSL everywhere. All access to the platform happens through secure HTTPS connections.
  • Access control lists define the behavior of any user of the platform, and limit them to authorized behaviors.
  • All usage activity is extensively logged to enable tracing any security issues.

Workplace Security

Secrets, Passwords, and Credentials

Keeping passwords and credentials secure for services used by Dialog is essential. Dialog uses a centralized, secure method for storing and disseminating passwords. Every Dialog employee and consultant is required to use this system for storing secure information.

Generating Passwords

Dialog requires the use of randomly generated passwords at least 20 characters long for all services. In rare instances, passwords may be shorter if the service provider does not allow 20 characters.

Sharing Passwords

When services require access by multiple users, but do not offer multiple sign-in, credentials may be securely shared via our centralized system to enable team access. Sharing credentials by other means is not permitted.

Storing Secrets

Other secure information, like credit card information or secure tokens, must be stored in Dialog’s centralized store. It is not permitted to store such information in any other format.

Dialog Issued Equipment

Dialog provides all employees with an Apple laptop to effectively perform work.

Provisioning Profile

All company-issued laptops are equipped with a provisioning profile.

This profile:

  • Ensures that laptops are encrypted
  • Requires password entry when waking from sleep mode
  • Allows Dialog to remotely wipe the machine in the event of theft or loss
  • Allows Dialog to automatically apply OS and software security updates

Data Storage Protocols

All documents, files, and data must be stored in the company’s file storage accounts, revision control systems, or otherwise stored in a company-provided external system. Files may not be stored locally on laptops only. When a Dialog employee or contractor terminates employment, all data stored on company-issued laptops is destroyed.

Data Security Policies and Training for Dialog Employees and Contractors

All employees are issued an Employee Handbook, which includes policies regarding information and data security.