When you launch a cybersecurity startup, one of the most important priorities is to hold your product, people, and business processes to the highest standards around information security. Not only is it expected by most customers, but it’s the kind of culture you should drive internally. Your cybersecurity product comes with risks that you’re expected to manage continuously.
Protecting our product, customers, and employee data is the most important objective.
Therefore, we started the DoControl Security & Compliance program from day one. Our people understand that customer data protection is a top priority. Our product is built with dozens of security controls from the ground up. Our production environment is monitored, tested, and measured 24/7, even as you read this post. Most importantly, we engage multiple third-party security consultants, security vendors, and top certified auditors to put our security & compliance program to the test.
Today, we’re excited to announce that DoControl is now SOC 2 Type II certified.
Here’s a full list of our security & compliance achievements:
This report is intended for a broad range of users who need detailed information and assurance about a service organization’s controls: those relevant to the security, availability, and processing integrity of the systems it uses to process users’ data, and to the confidentiality and privacy of the information those systems process. These reports can play an important role in:
Learn more on the official AICPA documentation.
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
Learn more on the official ISO documentation.
The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 offers an industry-accepted way to document which security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions that a cloud consumer or cloud auditor may wish to ask a cloud provider in order to ascertain its compliance with the Cloud Controls Matrix (CCM).
Therefore, it helps cloud customers to gauge the security posture of prospective cloud service providers and determine if their cloud services are suitably secure. CAIQ v3.1 represents a minor update to the previous CAIQ v3.0.1. In addition to improving the clarity and accuracy, it also supports better auditability of the CCM controls. The new updated version aims to not only correct errors but also appropriately align and improve the semantics of unclear questions for corresponding CCM v3.0.1 controls. In total, 49 new questions were added, and 25 existing ones were revised.
Learn more on the official Cloud Security Alliance CAIQ documentation.
The AWS Foundational Technical Review (FTR), formerly known as Technical Baseline Review, enables you to identify and remediate risks in your products or solutions. The FTR requires you to meet a specific set of requirements based on the AWS Well-Architected Framework to ensure that your solutions follow AWS best practices related to security, reliability, and operational excellence.
The FTR is led by an AWS Partner Solutions Architect (PSA) in a one-on-one engagement. You can conduct an FTR at no cost. AWS Partners can prepare for an FTR by completing an AWS Well-Architected Review with the Foundational Technical Review Lens. All AWS Partners are highly encouraged to conduct an FTR to mitigate workload risks and deliver positive customer outcomes.
Successful completion of an FTR enables you to earn a "Reviewed by AWS" solutions badge, unlock funding benefits, and become eligible for various AWS Partner Programs. An FTR is valid for two years from the date of successful completion.
Learn more on the official AWS documentation.
We will continue to go above and beyond to protect our customers’ data, as this is a continuous effort, not a one-off investment. In the meantime, we encourage you to challenge our security & compliance program and share any feedback by reaching out to email@example.com.