Security at DPO CRM
Your data is the most important asset we hold. We treat it with the seriousness it deserves. This page outlines the technical and organisational measures we take to keep your data safe.
Certifications & compliance
- ISO 27001 certified — international standard for information security management
- SOC 2 Type II audited — annually reviewed by independent auditors
- GDPR compliant — compliant with the UK GDPR and the EU GDPR, together with the Data Protection Act 2018
- PCI DSS compliant — for any payment information handled through our integrations
Data encryption
At rest
All customer data is encrypted at rest using AES-256. Keys are managed in AWS KMS, where access to each key is restricted by key policy and keys are rotated.
In transit
All connections to DPO CRM use TLS 1.3 with strong cipher suites. We serve the application over HTTPS only and send an HTTP Strict Transport Security (HSTS) header, so browsers refuse plaintext HTTP to our hosts and an on-path attacker cannot strip the connection down to HTTP.
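As an added example (not DPO CRM's own code), the following checker shows what "HSTS enforced" has to mean in practice: the header must be present, well-formed per RFC 6797, carry a max-age of at least a year, and ideally include subdomains and preload. The HTTP responses it evaluates are constructed inline for illustration, not captured from dpo.finance.

```python
"""Evaluate the Strict-Transport-Security policy in an HTTP response head.

Added example; the sample responses below are constructed, not real captures.
"""
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 365 * 24 * 3600  # minimum max-age the preload list and most audits expect

# Constructed sample response heads (status line plus headers).
SAMPLE_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Type: text/html\r\n"
)
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Type: text/html\r\n"
)
SAMPLE_MISSING = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.test/\r\n"
)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_headers(raw_head: str) -> dict:
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in raw_head.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> HstsPolicy:
    """Parse the directive list of an HSTS header (RFC 6797 section 6.1).

    max-age is mandatory; unknown directives are ignored, as the RFC requires.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"invalid max-age value {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def assess_hsts(raw_head: str) -> List[str]:
    """Return a list of findings; an empty list means the policy is acceptable."""
    value = parse_headers(raw_head).get("strict-transport-security")
    if value is None:
        return ["HSTS header missing: browsers will still follow plaintext http:// links to this host"]
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"HSTS header malformed ({exc}); browsers ignore a malformed policy"]

    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells browsers to delete any cached HSTS policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age of {policy.max_age}s is below one year; policy expires too quickly")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains remain reachable over HTTP")
    if not policy.preload:
        findings.append("preload missing: the very first visit is unprotected until the header is seen")
    return findings


if __name__ == "__main__":
    for label, head in [("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK), ("missing", SAMPLE_MISSING)]:
        print(label, assess_hsts(head) or ["ok"])
```

Two caveats a practitioner would apply when running a checker like this against a live host: browsers only honour an HSTS header received over a valid HTTPS connection, so a header on the http:// redirect response does nothing, and a host that redirects http:// to https:// without HSTS is still vulnerable to SSL stripping on the first request.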
Infrastructure
- Hosted on AWS in EU (Frankfurt) and UK (London) regions
- Multi-AZ deployment for high availability
- Automated daily backups, retained for 30 days
- Disaster recovery plan with a recovery time objective (RTO) under 4 hours and a recovery point objective (RPO) under 1 hour
- DDoS protection via AWS Shield
Access controls
- Role-based access control (RBAC) for all customer accounts
- Single Sign-On (SSO) via SAML 2.0 for Enterprise customers
- Two-factor authentication (2FA) available for all accounts
- Session timeout and IP allowlisting available
- Internal access to customer data restricted to authorised personnel and audit-logged
Application security
- Controls for the OWASP Top 10 web application risk categories built into the application
- Regular penetration testing by independent security firms
- Automated vulnerability scanning of dependencies
- Secure software development lifecycle (SSDLC)
- Bug bounty programme for responsible disclosure
Operational security
- 24/7 security monitoring and incident response
- All employees undergo background checks and security training
- Principle of least privilege enforced across all systems
- Mandatory MFA for all employee accounts
- Endpoint protection on all company devices
Data residency
Customer data is stored in EU and UK data centres. Enterprise customers can request specific data residency arrangements. We do not transfer data outside these regions without explicit consent and appropriate safeguards (Standard Contractual Clauses).
Subprocessors
We use a limited number of trusted subprocessors to operate our service. A current list is available on request from security@dpo.finance. We notify customers before any change to our subprocessors.
Incident response
In the event of a security incident affecting customer data, we will:
- Notify affected customers within 72 hours of confirming the incident
- Provide details of what happened and what we are doing about it
- Cooperate with regulatory authorities as required
- Conduct a thorough post-incident review
Reporting a vulnerability
Found a security issue? We appreciate responsible disclosure.
Email: security@dpo.finance
PGP key available on request.
We respond to all security reports within 24 hours.
Questions?
For security questionnaires, vendor assessments, or any other security-related inquiries, please contact security@dpo.finance.