Deepwatch Trust Center
Trust and Security are at the foundation of our mission to protect and defend our customers, users, and data.
Check out Deepwatch's Security Portal.
The Deepwatch Trust Center provides the latest information on the security, compliance, privacy, and reliability of our products and services, including Managed Detection and Response, Vulnerability Management, and Endpoint Security. These are the standards established to build trust and meet the requirements of our customers.
Deepwatch holds a number of industry-standard certifications, including SOC 2 Type II, PCI DSS, and TRUSTe Enterprise Privacy and Data Governance.
Deepwatch has been audited against and certified to the AICPA's SOC2 Type II standards every year since its inception. Specifically, we are assessed against the Security, Availability, and Confidentiality domains.
Although Deepwatch will never store, process, or transmit cardholder data on a customer's behalf, nor have direct access to systems that do, Deepwatch has agreed to implement the controls needed to meet or exceed the Payment Card Industry ("PCI") Security Standards Council ("SSC") requirements for Level 1 Service Providers. We have been certified to the PCI DSS standard since our inception.
Deepwatch proactively pursues the TRUSTe Enterprise Privacy and Data Governance Certification to ensure our business, products, and services demonstrate responsible data collection, processing and privacy management practices. This standard is based upon recognized laws and regulatory standards, such as the OECD Privacy Guidelines, the APEC Privacy Framework, the EU General Data Protection Regulation ("GDPR"), the U.S. Health Insurance Portability and Accountability Act ("HIPAA"), ISO 27001 International Standard for Information Security Management Systems and other global privacy laws and regulations. For more information, see here.
Deepwatch was designed from the ground up with security in mind. Below are a few of the controls our dedicated security team has implemented to ensure our services are secure.
Deepwatch identities and credentials are issued (and revoked) via an automated solution triggered by the onboarding of new employees via our Human Resources Information System (HRIS), which has custom role-based attributes pre-defined; access changes and terminations are managed via the same mechanism. Access to specific applications is managed via our Identity and Access Management (IAM) Provider and is based on the defined role in our HRIS.
Single Sign-On (SSO) and multi-factor authentication (MFA) are required for all accounts that access the Deepwatch Platform. In addition, identities and credentials are audited and verified quarterly, in line with industry best practice.
Customer access is generated via the same mechanism. Federated customers are permitted to utilize their own password requirements and security controls.
Deepwatch performs a multi-pronged approach to personnel security including identity/citizenship verification, background checks, credit checks, and drug screenings. Each of these checks is performed by a third party prior to an employee's onboarding into the organization.
After onboarding, Deepwatch employees are read into and bound by non-disclosure and confidentiality agreements, and complete various trainings covering Sexual Harassment, Diversity and Inclusion, Anti-Discrimination, and Cybersecurity Awareness.
In addition, Deepwatch has implemented a comprehensive phishing program to raise awareness about the threat of phishing and social engineering.
All Deepwatch data is hosted in AWS, unless otherwise negotiated by the customer, and is isolated into customer-specific VPCs. Data is stored in AWS Elastic Block Store (EBS) volumes, EC2 instances, and S3 buckets, all of which are encrypted at rest with AES-256 using keys managed by the AWS Key Management Service (KMS).
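How a customer or auditor might verify the encryption-at-rest claim above is not described on this page; the following is an added example, not Deepwatch tooling. It evaluates responses shaped like the output of `aws ec2 describe-volumes` and `aws s3api get-bucket-encryption` and flags any volume that is unencrypted and any bucket whose default encryption is not a KMS-managed key (S3's `AES256` value means SSE-S3, where S3 rather than KMS holds the key). The volume IDs, bucket names, account ID and key ARNs are constructed sample data.

```python
"""Audit AWS encryption-at-rest settings for KMS-managed keys.

Added example (not Deepwatch code). The dictionaries below are constructed
samples that follow the response shape of ec2:DescribeVolumes and
s3:GetBucketEncryption; replace them with live API responses to run against
a real account.
"""
from typing import Dict, List, Optional

# Constructed sample: shape follows ec2:DescribeVolumes (unneeded fields trimmed).
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0a1", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-1111-2222-3333-444455556666"},
        {"VolumeId": "vol-0b2", "Encrypted": False},
    ]
}

# Constructed sample: shape follows s3:GetBucketEncryption, keyed by bucket name.
# None stands for a bucket where the call found no encryption configuration.
SAMPLE_BUCKETS: Dict[str, Optional[dict]] = {
    "logs-customer-a": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-1111-2222-3333-444455556666"}}]}},
    "logs-customer-b": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "logs-customer-c": None,
}


def audit_volumes(resp: dict) -> List[str]:
    """Return one finding per EBS volume that is not encrypted under a KMS key."""
    findings = []
    for vol in resp.get("Volumes", []):
        vid = vol.get("VolumeId", "<unknown>")
        if not vol.get("Encrypted"):
            findings.append(f"{vid}: not encrypted")
        elif not vol.get("KmsKeyId"):
            # An encrypted volume always reports its key; missing it is worth a look.
            findings.append(f"{vid}: encrypted but no KMS key id reported")
    return findings


def audit_bucket(name: str, resp: Optional[dict]) -> List[str]:
    """Return findings for an S3 bucket whose default SSE is not a KMS-managed key."""
    if resp is None:
        return [f"{name}: no default encryption configured"]
    rules = resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return [f"{name}: encryption configuration has no rules"]
    findings = []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo != "aws:kms":
            # "AES256" here is SSE-S3: still AES-256, but the key is held by S3, not KMS.
            findings.append(f"{name}: default SSE is {algo!r}, not a KMS-managed key")
        elif not default.get("KMSMasterKeyID"):
            # aws:kms with no key id falls back to the AWS-managed aws/s3 key.
            findings.append(f"{name}: aws:kms with no explicit key (AWS-managed aws/s3 key)")
    return findings


def audit_all(volumes: dict, buckets: Dict[str, Optional[dict]]) -> List[str]:
    """Combine volume and bucket findings into one sorted report."""
    report = audit_volumes(volumes)
    for name, cfg in buckets.items():
        report.extend(audit_bucket(name, cfg))
    return sorted(report)


if __name__ == "__main__":
    for line in audit_all(SAMPLE_VOLUMES, SAMPLE_BUCKETS):
        print(line)
```

Against live data, `boto3.client("ec2").describe_volumes()` returns the first shape directly; `boto3.client("s3").get_bucket_encryption(Bucket=name)` returns the second, and raises a `ClientError` with code `ServerSideEncryptionConfigurationNotFoundError` when no configuration exists, which is the case to map to `None` here.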
All Deepwatch employees connect to the production environment via a zero-trust application, which provides point-to-point, application-level access to customer resources. Customer data in transit is encrypted with Transport Layer Security (TLS) 1.2.
Laptops at Deepwatch are configured in an MDM solution based on a standard baseline that enforces various controls including, but not limited to password requirements, device encryption, auto-lock/screensavers, and A/V and EDR tool deployment.
Cloud Solution Provider systems are configured based on established standards, which are deployed automatically via playbooks.
Deepwatch has established a risk management program including a formal risk management standard and a comprehensive risk register which includes input from numerous internal and external technical resources, tabletop exercises, audits, and other sources. The Risk Management Board meets at least quarterly to conduct risk assessments and review the risk register.
Deepwatch has a comprehensive suite of security policies, standards, and procedures covering topics including, but not limited to: Change Management, Data Classification, Asset Management, Incident Response, Privacy, and Third Party Risk Management. Each document is readily available on the company's intranet. All Deepwatch employees and contractors are accountable to reading, understanding, and adhering to the guidance set forth in the policies and attest as such.
A governance structure for the Security, Risk, and Compliance (SRC) team at Deepwatch has also been established with our CIO/CISO as the executive leader responsible for overseeing the program. The SRC team is responsible for all tasks relating to Security Operations in addition to Governance, Risk Management, and Compliance; it works with stakeholders across the organization to attain its goals.
Deepwatch aims to reduce the risk of security bugs and other vulnerabilities via vulnerability assessments, penetration tests, and code reviews. The findings from each of these activities are used to inform
Deepwatch currently performs internal vulnerability scans daily, which necessarily includes scanning after significant changes to the Deepwatch networks. Vulnerability management (VM) agents are installed as part of our default configuration on both laptops and servers.
Deepwatch uses both internal resources and independent third-party penetration testing firms to conduct internal and external penetration testing of its system components. This testing has included an External Penetration Test of internet-facing network assets and Internal and Segmentation Penetration Tests of Deepwatch's Cloud SecOps Platform Services environment.
Deepwatch conducts code reviews via a continuous integration process on every merge into a branch across all repositories. Code is tested (via Static & Dynamic Analysis, Unit Test, Integration Test, Functional Test, Performance, and Security) throughout every step of the development process.
In addition, we engage third party auditors and penetration testers to perform security reviews on our products.
Deepwatch has a limited physical presence due to its nature as a remote-first organization. Staff with a valid business case and role are granted access to the facilities they require to perform their job via a centrally managed access control system. In addition, Deepwatch maintains CCTV Surveillance Systems and visitor controls in each office.
Deepwatch's SecOps platform and associated technologies are all hosted with cloud infrastructure providers, each of which maintains SOC 2 Type II and ISO 27001 certifications, among others, to affirm its physical security posture.
Security and privacy are core concerns for Deepwatch. Wherever possible, Deepwatch minimizes the data required to deliver our service; where this is not possible, we apply industry best practices, contractual mandates, and other legal and regulatory requirements to ensure that your data stays confidential, secure, and unaltered.
As part of our commitment to privacy, Deepwatch retains two PECB-certified data protection professionals on staff full-time. These individuals, including the designated Data Protection Officer (DPO), are responsible for all aspects of the Privacy Program, including responding to Data Subject Rights requests and maintaining the Record of Processing Activity.
Deepwatch has created and maintains a Record of Processing Activity (ROPA). This ensures we handle personal data responsibly and transparently, and keep data processing to the minimum necessary.
Deepwatch recognizes the importance of its Cloud SecOps Platform in our customer's business and commits to delivering products and services that are stable and secure at all times.
Deepwatch takes advantage of the scalability and redundancy of AWS and other best-in-class technologies to ensure our infrastructure is consistently available and performing optimally for our customers.
It's easy to stay informed on the performance of the Deepwatch Cloud SecOps Platform; to do so visit the Deepwatch Status Page which provides the real-time and historical status of the platform and scheduled maintenance of the products that make up our platform. Customers can subscribe to this page and receive updates via email whenever the page is updated.
We offer a credit-backed SLA for both uptime (99.9%) and Initial Response and Update so you can focus on your core business processes. Details can be found here.
Deepwatch appreciates individuals that responsibly disclose any suspected vulnerabilities to our security team. If you believe you have discovered a vulnerability in Deepwatch's website or platform, please get in touch by sending an email to [email protected] with the findings and website(s)/platform(s) that are impacted. We ask that you not disclose any information publicly until the issue has been addressed.
Deepwatch has documented the responsibilities between the customer and itself for each of our products. These documents can be obtained from your assigned Customer Success Manager (CSM).
Yes. All Deepwatch employees are US-based.
Yes! In the event that Deepwatch is a party to an Individual Rights Request, we are happy to assist. Connect with your CSM, who will reach out to the privacy team.
While there is no real "certification" for HIPAA compliance, Deepwatch does align its security and privacy program to the HIPAA Security Rule and the HIPAA Privacy Rule. Due to our status as an IT Security Service Provider, Deepwatch is legally prohibited from accessing the HITRUST Cyber Security Framework and becoming a Licensee.
Keeping in line with common industry practices, Deepwatch invites its own internal and external auditors to regularly undertake audits against a variety of standards and frameworks as mentioned above. The results of these audits can be shared with customers via their CSM.
While we understand some customers may be covered entities, Deepwatch is not a "business associate" as defined under HIPAA, because Deepwatch does not carry out any health care activities or functions on behalf of our customers. Deepwatch does not furnish, bill, or receive payment for health care, nor do we transmit or process any covered transactions as described under the CMS guidelines. We take privacy and confidentiality seriously, and our SOC 2 Type II and TRUSTe certifications speak to our security hygiene and compliance with HIPAA requirements. It is important to understand that customers control which logs are filtered and transmitted to Deepwatch for analysis; such logs should never include PHI or other HIPAA-related material.