DroneDeploy

Security and Compliance

Effective: April 7th, 2018

We take security, compliance, and the protection of our customers data very seriously at DroneDeploy. We are committed to securing your data and earning your trust. We use a variety of industry-standard technologies and best practices to secure our customers data.

As a company, we value transparency as a core principle and as such share details about how we handle security at DroneDeploy. If you have any questions regarding security, we are happy to answer them at support@dronedeploy.com.

Compliance

The following security-related audits, certifications, regulations are applicable to DroneDeploy:

PCI/DSS

DroneDeploy's payment and credit card information is handled by Stripe and Chargify. Stripe and Chargify have been audited by an independent PCI Qualified Security Assessor (QSA) and are certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.

We are a PCI Level 4 Merchant and have completed the Payment Card Industry Data Security Standard’s SAQ-A, allowing us to use a third party to process your credit card information securely.

Privacy Shield

For information that we receive from the European Union, DroneDeploy has certified its compliance with the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union countries and Switzerland. We have certified that we adhere to all key Privacy Shield Principles when transferring and processing personal information from the EU in the U.S. and Switzerland and the US:

  • Notice
  • Choice
  • Accountability for Onward Transfer
  • Security
  • Data Integrity & Purpose Limitation
  • Recourse, Enforcement & Liability

GDPR

DroneDeploy is committed to complying with the General Data Protection and Regulation (GDPR). The GDPR privacy law takes affect on May 25, 2018. DroneDeploy is working diligently to follow the guidance from privacy-related regulatory bodies in the EU leading up to the effective date and following continued changes in the regulations.

Because of our commitment to the privacy and security of all of our customers data, we are applying the privacy and security controls necessary for GDPR compliance across the board to all DroneDeploy customers at no additional cost.

For customers processing information on behalf of EU and Swiss citizens, DroneDeploy offers a Data Processing Addendum. DroneDeploy is a processor of your customers and you are the controller. In order to make sure that you are in compliance, you should take the following steps:

  • Perform your own research and seek legal advice on how GPDR regulations apply to your business
  • Contact privacy@dronedeploy.com for additional information on executing the data processing addendum (a self service process will be available on May 10th)
  • Update your EU contact details within your account settings in DroneDeploy (available May 10th)
  • Accept the latest Terms and Conditions and Privacy Policy within your accounts settings in DroneDeploy (available May 10th).

Infrastructure

Data Encryption In Transit and At Rest

All data is sent securely to DroneDeploy via the HTTPS protocol using the latest recommended ciphers and TLS protocol. All customer data encrypted at rest on DroneDeploy servers.

Physical Access

DroneDeploy hosts its data in Amazon Web Services and Google Cloud. DroneDeploy employees do not have physical access to the Amazon or Google data centers, servers, network equipment, or storage.

DroneDeploy currently uses a 3rd party colocation data center for compute resources to run some batch jobs for a subset of customers. The data center is audited annually by 3rd party auditors and has achieved SOC2, HIPAA, and PCI/DSS compliance. DroneDeploy employees do not have physical access to the datacenter. The data center is in the process of being de-provisioned and will no longer be in service in the summer of 2018. No customer data is hosted at rest in the data center.

AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

According to the Google Security Whitepaper: “The data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by professional security guards who have undergone rigorous background checks and training.”

Penetration Testing

DroneDeploy undergoes annual network and system level penetration tests from an outside security vendor to test for vulnerabilities. In the event of a vulnerability, the issue is tracked in an internal issue tracking management system with SLAs for resolution depending on the severity of the issue.

Application Security

Login Security

In addition to password based logins, DroneDeploy provides Google single sign on for all accounts allowing you to use Google or GSuite accounts to authenticate users requiring two factor authentication. Google logins can be protected by multiple 2FA mechanisms including access codes or security keys.

Single Sign-On

Enterprise users can use Single Sign On functionality to authenticate against multiple provider types including Active Directory Federation Services, Google Apps, Microsoft Office 365, PingFederate, and Azure Active Directory. DroneDeploy also provides integration via SAML2.0 compliant identity providers.

Audit Controls

Enterprise administrations have the ability to view and export audit logs of activity that occurs within their DroneDeploy. The activity log contains data on primary interactions with functionality within the users organization including the action, object type, details, and date of the interaction.

Enterprise administrators also have the ability to view any data that has been created across their organization and view any outside sharing that has occurred in their account for data loss prevention purposes.

Corporate Security

Workstation and Mobile Management

All workstations used to access DroneDeploy systems must are configured to comply with our internal standards for security. Our default configuration requires all devices to have full-disk encryption, strong passwords, and by locked when idle. Workstations are required to be kept up to date with the latest system security patches.

All mobile devices connecting to DroneDeploy internal networks are protected by Mobile Device Management. DroneDeploy employs a number of security standards for all mobile devices accessing the internal network including all users must authenticate with multi-factor authentication, devices must be kept up to date with manufacturer or network provided patches, and all devices must have encrypted storage.

Risk Management

DroneDeploy utilizes ISO/IEC 27005:2011, Information technology - Security techniques - Information security risk management, to guide the company’s risk assessment activities as specified by the company's Risk Management Policy. DroneDeploy’s risk assessment framework follows a 9 step procedure for dealing with risks including the identification, evaluation, and mitigation of risks.

Records of the risk assessment are kept by DroneDeploy’s Information Security Council.

Information Security Policies

DroneDeploy follows an internal set of security policies and controls that are reviewed annually by the Information Security Steering Committee. The following policies can be made available to DroneDeploy Enterprise customers upon request:

  • Information Security
  • Remote Acesss
  • Mobile Device Security
  • Incident Management
  • Risk Assessment
  • Information Security Scope and Organization
  • Asset Management

Disclosure Policy

DroneDeploy follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. DroneDeploy notifies customers of any data breaches as soon as possible via email or phone call. DroneDeploy Enterprise plans include a dedicated customer success manager who holds responsibility for customer communication.

DroneDeploy provides a report of operational uptime via status.dronedeploy.com. Users can subscribe to updates via email from the status page.

Security and Compliance

Effective: April 7th, 2018