Security

At DiligentIQ, we understand the importance of maintaining the privacy of our clients' data. Our clients trust us with their most sensitive information, and we take this responsibility seriously. We have completed our System and Organization Controls (SOC) 2 Type I Audit and are in our observation window for Type II.

Our comprehensive Information Security Program, which follows the criteria set forth by the SOC 2 Framework, is communicated throughout the organization.

Data Encryption

  • Policies: Our encryption policies are designed to comply with industry standards and regulations, ensuring that we meet or exceed the requirements for data protection and security.
    • In-Transit Encryption: All data in transit is encrypted using TLS 1.2 or higher.
    • At-Rest Encryption: All datastores housing sensitive client data are encrypted at rest using AES-256 or stronger encryption algorithms.

Data Confidentiality and Privacy

  • Architecture Model: The DiligentIQ service uses a single-tenant architecture model, which ensures that each client's data is isolated from every other client's data.
  • Data Storage Locations: All data resides in the USA.
  • Retention: Client data is not used for training large language models (LLMs) and is subject to Zero Data Retention policies.

Authentication and Access Control

  • User Authentication: User accounts are protected by strong passwords that must meet specific complexity requirements. We require Multi-Factor Authentication (MFA) for all privileged access to production infrastructure.
  • Role-Based Access Control (RBAC): We follow the principle of least privilege with respect to identity and access management.
  • User Access Reviews: Administrators perform periodic reviews of user, administrator, and service accounts to verify that access is limited to systems required for their job functions.

Security Monitoring

  • Vulnerability Scanning: We perform continuous vulnerability scans to identify and remediate potential security weaknesses. The results are reviewed and addressed promptly to ensure that vulnerabilities are mitigated.
  • Logging and Monitoring: We generate and archive logs for systems and applications that store or allow access to sensitive data. These logs capture key security event types and are periodically reviewed to identify potential security incidents. Alerts are set to identify system failures, faults, or potential security incidents affecting client data.
  • Code Scanning: We use Static Application Security Testing (SAST) to identify vulnerabilities in our codebase before deployment. This automated tool scans the source code for security issues and ensures that any identified vulnerabilities are remediated prior to production release.

Vulnerability Management

  • Regular Security Audits: Our team conducts thorough internal and external audits to verify compliance with our rigorous security policies and maintain the strength of our information security program.
  • Annual Penetration Testing: We engage independent third-party experts to perform penetration tests at least once a year. These tests challenge our defenses and ensure the continued integrity and resilience of our platform.
  • Continuous Improvement: Insights from our audits and tests drive ongoing enhancements to our security measures, keeping us ahead of emerging threats.

Employee Training

  • Security-First Mindset: We foster a culture where security is everyone's responsibility, empowering our employees to make informed decisions that protect our systems and client data.
  • Mandatory Training Program: All employees undergo rigorous security awareness training upon joining our team and annually thereafter.

Vendor Management

  • Risk Assessment: Before engaging with any third-party vendor, DiligentIQ conducts a thorough risk assessment to identify potential risks associated with sharing confidential data or providing access to company systems.
  • Security Requirements: We establish and agree upon relevant information security requirements with each vendor. These requirements are documented in written agreements, which include the vendor's acknowledgment of their responsibilities for the confidentiality of company and customer data.
  • Access Control: Access to our systems and data by third-party vendors is strictly controlled and limited to authorized personnel only.

Business Continuity and Disaster Recovery

  • Robust Planning: Our organization maintains a detailed Business Continuity and Disaster Recovery (BCDR) plan. This plan outlines strategies and procedures to maintain critical operations during unexpected disruptions and quickly restore full functionality if needed.
  • Regular Testing: We conduct annual tests of our BCDR plan to verify its effectiveness and identify areas for improvement. These tests simulate various scenarios to ensure we're prepared for a wide range of potential disruptions.

Incident Response

  • Structured Incident Response Plan: We maintain a formal, well-defined Incident Response plan tailored to address a wide range of potential information security events.
  • Rapid Detection: Our advanced monitoring systems and trained personnel work around the clock to quickly identify potential security incidents.
  • Coordinated Response: Upon detection, our dedicated incident response team follows established procedures to contain, investigate, and resolve security events efficiently.
  • Timely Notification: We prioritize transparency and maintain clear communication protocols to keep affected parties informed throughout the incident lifecycle.

Contact Us

If you have any questions, comments, or concerns, or if you wish to report a potential security issue, please contact security@diligentiq.com.

© 2024, DiligentIQ