Data Security Policy

Introduction
At DAAVIZ, we are dedicated to safeguarding the confidentiality, integrity, and availability of our clients’ data. Our Data Security Policy ensures compliance with internationally recognized standards, including ISO/IEC 27001, NIST, GDPR, and HIPAA, focusing on secure data transfer, access control, retention, and deletion practices. This policy applies to all employees, contractors, and third-party partners involved in handling sensitive client data.

1. Data Transfer Security

Secure Transfer Protocols: All data transfers between DAAVIZ and clients are conducted through Secure File Transfer Protocol (SFTP) or equivalent methods. We strongly encourage clients to use encrypted methods, ensuring protection against unauthorized access during transit.
Encryption in Transit: We use Transport Layer Security (TLS) for encrypted data transmission. This ensures that any data exchanged between our systems and clients remains secure and uncompromised.
Cloud Storage Encryption: We rely on Microsoft OneDrive for cloud-based storage, which complies with industry standards such as ISO/IEC 27018 for personal data protection. All data is encrypted at rest and during transfer.

2. Access Control

Role-Based Access Control (RBAC): Access to sensitive data is restricted based on roles. Only employees directly involved in the project are granted access, with further restrictions depending on their specific tasks within the project.
• For example, team members working on data analysis will only have access to the specific portions of the dataset relevant to their task.
Decentralized Access: Employees not involved in data analysis or outside the project team are prohibited from accessing sensitive data. By decentralizing access, we reduce the risk of accidental exposure and ensure that data security is maintained even internally.
Multi-Factor Authentication (MFA): All systems are secured using MFA, which adds an additional layer of protection against unauthorized access to sensitive information.
Biometric Security: Local storage units are biometrically secured, providing an additional level of protection for physically stored data.
Online Workspace Security: Employees are required to work with data in secure, virtual workspaces. Downloading datasets onto personal devices is strictly prohibited to avoid introducing vulnerabilities on local machines.

3. Data Retention and Deletion

Standard Retention Period: As part of our general practice, datasets are retained for 90 days following project completion unless a different retention period is specified in the contract. This buffer allows for any revisions or follow-up requests from clients.
Client-Specified Retention: If a client requires us to retain their data for a longer period, explicit instructions must be provided during the project’s initial phase, including written approval. This approval can be renewed or adjusted according to the project’s needs.
Data Deletion Protocol: Upon reaching the retention period or upon the client’s request, we follow a secure deletion process that permanently removes the dataset from our system, including cloud storage and local backups. After deletion, the data cannot be retrieved.
Confirmation of Data Deletion: Clients are provided with written confirmation once data is securely deleted to ensure transparency and compliance.
Contract Closure: If a client terminates a contract, we ask that they clearly specify any requests regarding the deletion of project data. This allows us to handle and remove the data clearly and promptly.

4. Data Processing and Storage

Encryption at Rest: All client data stored in our systems, whether locally or in the cloud, is encrypted using AES-256 encryption, following industry best practices for data protection.
Cloud Storage Security: As we store data in Microsoft OneDrive, clients benefit from its industry-leading security, including advanced encryption, access control, and compliance with ISO standards.
Data Minimization: Wherever feasible, data that is not necessary for the project is removed or anonymized. This minimizes the risk associated with handling sensitive information, especially when dealing with personal or healthcare-related data.
Data Anonymization: In compliance with GDPR and HIPAA guidelines, identifiable personal data is anonymized wherever possible before analysis, reducing risks in case of exposure.

5. Compliance with Global Standards

DAAVIZ aligns with the following globally accepted standards for data security:
ISO/IEC 27001: We adhere to the ISO/IEC 27001 Information Security Management System (ISMS) standards, which ensure the continual improvement of our data security protocols.
GDPR Compliance: All data involving personal identifiers from the EU is handled in compliance with the General Data Protection Regulation (GDPR). We strictly follow principles of data minimization, transparency, and respect for individual rights.
HIPAA Compliance: For projects involving healthcare data, we follow the Health Insurance Portability and Accountability Act (HIPAA). This ensures that any Personal Health Information (PHI) is secured and that access is limited to authorized personnel only.
NIST Compliance: Our security practices are also aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework to ensure the highest level of data protection.

6. Client Responsibilities

Single Point of Contact (SPOC): We request clients to designate a SPOC responsible for managing data access, transfer, and retention decisions. This ensures clear communication and avoids confusion regarding data handling.
Data Sharing and Version Control: Clients should maintain version control of datasets and ensure that data transfers occur through secure channels as specified in the Data Transfer Security section.
Data Retention/Deletion Requests: Clients must specify any data retention requirements and provide authorization for retaining data beyond the standard period. If data needs to be deleted immediately after the project, clients should notify us upon project completion.

7. Data Breach Notification

Immediate Notification: In the event of a data breach, we will notify clients immediately, providing details of the breach, the data affected, and the steps taken to mitigate further risks.
Breach Compliance: We adhere to all relevant data breach notification laws, including GDPR and HIPAA, ensuring that regulatory bodies are informed promptly when required.

Conclusion

At DAAVIZ, we prioritize the security of client data throughout its lifecycle. Through adherence to internationally recognized standards and best practices, we ensure that data is protected during transfer, access, retention, and deletion. Our commitment to continuous improvement means we regularly review and enhance our data security practices to stay ahead of emerging threats and regulatory requirements.