Subcontractors do not have access to customer data - with the exception of AWS whose security processes are outlined in the AWS SOC2 Report.

SecureDawn periodically evaluates its compliance with security standards, by conducting security risk assessments.

SecureDawn conducts a documented assessment of security controls at least annually. The assessment is conducted to determine the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome. Technical and non-technical evaluations are also conducted periodically to identify any new risks or to determine the effectiveness of the Security Policies and Procedures.

SecureDawn configures all systems housing customer data to encrypt data at rest.  Data is encrypted using the AES-256 encryption algorithm with encryption keys managed by a key management solution.

Customer data is removed from SecureDawn systems within 30 days of account deletion.

SecureDawn currently supports GSuite authentication integration.

Our team is currently investigating implementing SAML.

A service level agreement is available to enterprise tier customers.  Contact support@securedawn.com for more information.

All data transmitted and received by the SecureDawn platform in encrypted in transit utilizing TLS 1.2.

Vulnerabilities that are discovered they are patched according to criticality and the schedule below:

• Critical - within 24 hours

• High - within 24 hours

• Medium - within 7 days

Penetration testing is performed annually by the SecureDawn red team.

SecureDawn does not collect Protected Health Information.

Our product collects a minimal set of information needed to setup user accounts that utilize the SecureDawn suite of products, as well as for potential customers that request information about your security program.  We will never sell or share your information.

For user accounts, and customers requesting information about your security posture, we collect the following information:

• First and Last Name

• Email address

The SecureDawn team utilizes an industry leading intrusion detection, prevention, and EDR solution on all endpoint devices.

The SecureDawn team utilizes an industry leading intrusion detection, prevention, and EDR solution on all endpoint devices.

SecureDawn configures restrictive AWS the use of private subnets and Security Groups internally and externally to ensure systems cannot communicate with unintended systems.  

Customer data is not stored on mobile devices.

End user devices run a best in class endpoint protection solution which reports threats and policy violations to a cloud dashboard managed by the endpoint solution vendor.  Issues generate email alerts which are sent to the SecureDawn security team to be classified and prioritized.

SecureDawn's recovery point objective is 24 hours.

SecureDawn has documented policy for business continuity and disaster recovery that has been approved by management.

SecureDawn's recovery time objective is 24 hours.

SecureDawn has a formal Incident Response Process that can be viewed upon request.

All web traffic in and out of SecureDawn is encrypted using HTTPS TLS 1.2

Changes can only be applied to our production environment by select senior members of our engineering team and must be reviewed prior to deployment.

Code changes undergo internal code review for completeness and security.  All team members undergo security training provided by a senior security member of our the SecureDawn team.

SecureDawn staff are not routinely granted access to customer data.   If a customer requests a SecureDawn employee have access to their account information a written access request.

Employee access to customer accounts is reviewed quarterly by the internal compliance department.

The SecureDawn team does not share user accounts.

All SecureDawn employees and contractors are required to have a federal and local background check prior to accessing customer data.

When off-boarding an employee, the SecureDawn management team follows an employee dismissal checklist stored in our Human Resources system.

Disciplinary infractions are reviewed by the executive management which decides how the organization should respond as dictated by internal policies.

All employees and contractors must agree to an Employee Agreement and a Mutual Non-Disclosure Agreement prior to working with SecureDawn Inc.  

The SecureDawn information security policy is reviewed at least annually or if any major changes occur.

The SecureDawn information security policy is owned by the Chief Information Security Officer and approved by the Chief Executive Officer.