DroneDeploy

Security and Compliance

Effective: April 7th, 2018

We take security, compliance, and the protection of our customers' data very seriously at DroneDeploy. We are committed to securing your data and earning your trust. We use a variety of industry-standard technologies and best practices to secure our customers' data.

As a company, we value transparency as a core principle and as such share details about how we handle security at DroneDeploy. If you have any questions regarding security, we are happy to answer them at support@dronedeploy.com.

Compliance

The following security-related audits, certifications, regulations apply to DroneDeploy:

PCI/DSS

DroneDeploy's payment and credit card information is handled by Stripe and Chargify. Stripe and Chargify have been audited by an independent PCI Qualified Security Assessor (QSA) and are certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.

We are a PCI Level 4 Merchant and have completed the Payment Card Industry Data Security Standard’s SAQ-A, allowing us to use a third party to process your credit card information securely.

Privacy Shield

For information that we receive from the European Union, DroneDeploy has certified its compliance with the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union countries and Switzerland. We have certified that we adhere to all key Privacy Shield Principles when transferring and processing personal information from the EU in the U.S. and Switzerland and the US:

  • Notice
  • Choice
  • Accountability for Onward Transfer
  • Security
  • Data Integrity & Purpose Limitation
  • Recourse, Enforcement & Liability

GDPR

DroneDeploy is committed to complying with the General Data Protection and Regulation (GDPR). The GDPR privacy law takes effect on May 25, 2018. DroneDeploy is working diligently to follow the guidance from privacy-related regulatory bodies in the EU leading up to the effective date and following continued changes in the regulations.

Because of our commitment to the privacy and security of all of our customers' data, we are applying the privacy and security controls necessary for GDPR compliance across the board to all DroneDeploy customers at no additional cost.

For customers processing information on behalf of EU and Swiss citizens, DroneDeploy offers a Data Processing Addendum. DroneDeploy is a processor of your customers, and you are the controller. To make sure that you are in compliance, you should take the following steps:

  • Perform your own research and seek legal advice on how GPDR regulations apply to your business
  • Contact privacy@dronedeploy.com for additional information on executing the data processing addendum (a self-service process will be available on May 10th)
  • Update your EU contact details within your account settings in DroneDeploy (available May 10th)
  • Accept the latest Terms and Conditions and Privacy Policy within your accounts settings in DroneDeploy (available May 10th).

Infrastructure

Data Encryption In Transit and At Rest

All data is sent securely to DroneDeploy via the HTTPS protocol using the latest recommended ciphers and TLS protocol. All customer data encrypted at rest on DroneDeploy servers.

Physical Access

DroneDeploy hosts its data in Amazon Web Services and Google Cloud. DroneDeploy employees do not have physical access to the Amazon or Google data centers, servers, network equipment, or storage.

AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

According to the Google Security Whitepaper: “The data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by professional security guards who have undergone rigorous background checks and training.”

Penetration Testing

DroneDeploy undergoes annual network and system level penetration tests from an outside security vendor to test for vulnerabilities. In the event of a vulnerability, the issue is tracked in an internal issue tracking management system with SLAs for resolution depending on the severity of the issue.

Application Security

Login Security

In addition to password-based logins, DroneDeploy provides Google single sign-on for all accounts allowing you to use Google or GSuite accounts to authenticate users requiring two-factor authentication. Google logins can be protected by multiple 2FA mechanisms including access codes or security keys.

Single Sign-On

Enterprise users can use Single Sign-On functionality to authenticate against multiple provider types including Active Directory Federation Services, Google Apps, Microsoft Office 365, PingFederate, and Azure Active Directory. DroneDeploy also provides integration via SAML2.0 compliant identity providers.

Audit Controls

Enterprise administrations can view and export audit logs of activity that occurs within their DroneDeploy. The activity log contains data on primary interactions with functionality within the user's organization including the action, object type, details, and date of the interaction.

Enterprise administrators also can view any data that has been created across their organization and view any outside sharing that has occurred in their account for data loss prevention purposes.

Product Security

DroneDeploy adheres to the principles of secure by design and privacy by design through our Secure Development Lifecycle. The DroneDeploy SDL incorporates key components from the industry standard Security Development Lifecycle models such as the Microsoft Security Development Lifecycle and OWASP Software Application Maturity Model.

DroneDeploy's software design phase introduces security and privacy requirements in the design phase of the project. All engineers at DroneDeploy are required to undergo application security training prior as part of their employment.

Before the completion of a software component, the component undergoes a security risk assessment which determines the level of risk for a component. The risk analysis leverages best practices from the OWASP Top 10 as well as language and infrastructure specific best practices that are unique to the DroneDeploy environment. Based on this analysis, each project has a set of requirements that must be fulfilled before the project going into production.

All features and functionality go through a security review process. Our code is audited with automated static analysis software, tested, and manually peer-reviewed prior to being deployed to production. Once deployed, our applications go through regular penetration testing to verify the security and safety of the application in production.

Corporate Security

Workstation and Mobile Management

All workstations used to access DroneDeploy systems must are configured to comply with our internal standards for security. Our default configuration requires all devices to have full-disk encryption, strong passwords, and by locked when idle. Workstations are required to be kept up to date with the latest system security patches.

All mobile devices connecting to DroneDeploy internal networks are protected by Mobile Device Management. DroneDeploy employs a number of security standards for all mobile devices accessing the internal network including all users must authenticate with multi-factor authentication, devices must be kept up to date with manufacturer or network provided patches, and all devices must have encrypted storage.

Risk Management

DroneDeploy utilizes ISO/IEC 27005:2011, Information technology - Security techniques - Information security risk management, to guide the company’s risk assessment activities as specified by the company's Risk Management Policy. DroneDeploy’s risk assessment framework follows a 9 step procedure for dealing with risks including the identification, evaluation, and mitigation of risks.

Records of the risk assessment are kept by DroneDeploy’s Information Security Council.

Information Security Policies

DroneDeploy follows an internal set of security policies and controls that are reviewed annually by the Information Security Steering Committee. The following policies can be made available to DroneDeploy Enterprise customers upon request:

  • Information Security
  • Remote Access
  • Mobile Device Security
  • Incident Management
  • Risk Assessment
  • Information Security Scope and Organization
  • Asset Management

Disclosure Policy

DroneDeploy follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. DroneDeploy notifies customers of any data breaches as soon as possible via email or phone call. DroneDeploy Enterprise plans include a dedicated customer success manager who holds responsibility for customer communication.

DroneDeploy provides a report of operational uptime via status.dronedeploy.com. Users can subscribe to updates via email from the status page.