Dataminr embeds privacy and security throughout its systems and software design life cycle so that controls are well-designed and operate effectively. Privacy and security controls are documented and enforced by dedicated internal teams and are verified by qualified, internationally accredited third-party auditors to provide assurance to customers.
The integrated privacy and security program at Dataminr is managed by our Cybersecurity & Trust and Legal teams. Dataminr has a dedicated internal privacy counsel and a Data Protection Officer (DPO). Additionally, Dataminr maintains a 24/7/365 security operations center (SOC) for continuous monitoring and response on behalf of customers.
We have developed processes for conducting privacy impact assessments (PIAs), data protection impact assessments (DPIAs) and other assessments as applicable.
We operate a vendor onboarding process that includes conducting risk assessments and performing proper due diligence prior to entering into contractual agreements with vendors.
Dataminr is headquartered in the United States with subsidiaries in the United Kingdom, Ireland, France, Germany, Denmark and Australia. Dataminr’s platform is currently hosted on AWS in Northern Virginia, United States.
We apply, as appropriate, data protection and privacy principles to Dataminr’s data processing activities, including, without limitation, those addressing confidentiality, limitations on data access and use, data minimization, data security and purpose limitation.
Dataminr’s dedicated privacy and security professionals hold numerous certifications from key organizations such as the Information Systems Audit and Control Association (ISACA) and the International Association of Privacy Professionals (IAPP). Dataminr is a corporate member of the IAPP.
Dataminr has implemented numerous processes and technologies to ensure compliance with the EU General Data Protection Regulation (GDPR).
Dataminr uses a data processing addendum, where appropriate, to set out the relevant responsibilities, restrictions and obligations when Dataminr acts as a processor (or in an equivalent role under applicable law).
We apply rigorous data transfer principles and maintain appropriate legal mechanisms for international transfers of personal data.
Dataminr has procedures to assist customers in satisfying data subject requests (DSRs). Dataminr maintains and enforces documented DSR procedures, with clearly defined responsibilities for ensuring that requests are processed appropriately and promptly.
Since Dataminr conducts business in the state of California, we are also subject to the California Consumer Privacy Act (CCPA). Dataminr has policies, procedures, and defined responsibilities to ensure compliance with CCPA, as well as mechanisms for appropriate, prompt processing of requests from California residents.
Dataminr has implemented a NIST- and SANS-based incident response plan that includes clearly defined roles and responsibilities, communication requirements, and procedures for incident preparation, detection/identification, escalation, containment, eradication, recovery, and lessons learned. Appropriate channels for reporting incidents are communicated and maintained.
Dataminr has implemented a multi-tiered approach to data loss prevention (DLP) covering both engineering and corporate information resources. Dataminr’s DLP solution enables systematic detection and prevention of suspicious or inappropriate data handling, creating an additional layer of protection for personal and otherwise confidential data.
Dataminr utilizes a multi-layered approach to network security, making extensive use of security groups, which deny all traffic by default and permit only explicitly allowed, well-defined traffic. Additionally, industry standard web application firewall (WAF) technology is maintained to protect Dataminr’s customer applications.
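The "allow only well-defined traffic" posture above is easy to state and easy to erode one rule at a time. The following added example (not Dataminr's code) audits security-group ingress rules in the shape returned by `aws ec2 describe-security-groups` / boto3 `describe_security_groups()` and flags any rule open to the whole internet (0.0.0.0/0 or ::/0) on a protocol/port that is not on an explicit allow list. The group data is constructed inline so the script runs offline; the group IDs and names are placeholders.

```python
"""Audit AWS security-group ingress rules for world-open exposure.

Added example, not Dataminr's code. SAMPLE_GROUPS mirrors the structure
of describe-security-groups output but is constructed here for the demo.
"""
from __future__ import annotations

from typing import Iterable

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample (placeholder IDs): one well-scoped group, one over-permissive.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d",
        "GroupName": "web-public",
        "IpPermissions": [
            # HTTPS from anywhere: the only intended public exposure.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0e5f6a7b",
        "GroupName": "app-internal",
        "IpPermissions": [
            # Reachable only from the web tier's security group: the intended pattern.
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
            # SSH from the whole internet: should be flagged.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            # All protocols and ports from the internet ("-1"): should be flagged.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]


def _is_world_open(rule: dict) -> bool:
    """True if the rule's source includes the IPv4 or IPv6 'anywhere' CIDR."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def audit_ingress(groups: Iterable[dict],
                  allowed_public: set[tuple[str, int]]) -> list[tuple]:
    """Return (GroupId, protocol, from_port, to_port) for every world-open rule
    that exposes anything outside allowed_public, e.g. {("tcp", 443)}."""
    findings: list[tuple] = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            if not _is_world_open(rule):
                continue  # scoped to specific CIDRs or peer security groups
            proto = rule.get("IpProtocol")
            if proto == "-1":  # all traffic; FromPort/ToPort are absent
                findings.append((group["GroupId"], proto, None, None))
                continue
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if proto not in ("tcp", "udp") or lo is None or hi is None:
                # ICMP or other protocols carry no port allow-list entry; flag them.
                findings.append((group["GroupId"], proto, lo, hi))
                continue
            exposed = {p for p in range(lo, hi + 1) if (proto, p) not in allowed_public}
            if exposed:
                findings.append((group["GroupId"], proto, lo, hi))
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_GROUPS, {("tcp", 443)}):
        print("world-open ingress:", finding)
```

Run against live data by feeding the `SecurityGroups` list from `describe_security_groups()` into `audit_ingress`; the rule reaching the app tier only from the web tier's security group is never flagged, while the SSH and all-traffic rules are.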
Dataminr conducts infrastructure and application logging utilizing industry standard software solutions. Intrusion detection and prevention systems (IDS/IPS) are monitored by Dataminr’s 24/7/365 SOC.
Dataminr uses industry standard encryption technologies to protect the confidentiality of personal data. Customer data is encrypted both at rest, utilizing AES-256, and in transit via TLS 1.2.
Dataminr utilizes third-party threat intelligence services together with internal analysis to increase awareness of emerging threats and assess their relevance to Dataminr’s platform for potential remediation. Real-time threat intelligence covers, among other things, denial-of-service activity, zero-day vulnerabilities, public exploits and actively exploited vulnerabilities.
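"Encrypted in transit via TLS 1.2" is only meaningful if the older protocol versions are actually refused and the negotiated suites are the strong ones. The following added example (not Dataminr's code) shows how a client enforces that floor with the Python standard library: a TLS 1.2 minimum, certificate verification, and TLS 1.2 suites restricted to forward-secret AES-256-GCM, plus a helper that reports which protocol version a server actually negotiates. The host name in the usage call is a placeholder.

```python
"""Enforce a TLS 1.2 floor and AES-256 suites on an outbound connection.

Added example, not Dataminr's code. Standard library only.
"""
from __future__ import annotations

import socket
import ssl

# TLS 1.2 suites limited to forward-secret AES-256-GCM. TLS 1.3 suites are
# configured separately by OpenSSL and are all AEAD, so they stay enabled.
TLS12_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def make_client_context() -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1 and verifies the server certificate."""
    ctx = ssl.create_default_context()             # system CA store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # explicit floor; do not rely on defaults
    ctx.set_ciphers(TLS12_CIPHERS)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_tls12_suites(ctx: ssl.SSLContext) -> list[str]:
    """Enabled TLS 1.2 suite names that are not AES-256.
    TLS 1.3 suite names begin with 'TLS_' and are skipped."""
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_") and "AES256" not in c["name"]]


def context_summary(ctx: ssl.SSLContext) -> dict[str, object]:
    """Audit view of a context: version floor, verification settings, weak suites."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "weak_tls12_suites": weak_tls12_suites(ctx),
    }


def negotiated_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect and return the protocol actually negotiated, e.g. 'TLSv1.3'.
    Raises ssl.SSLError if the server offers nothing at or above TLS 1.2."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print(context_summary(make_client_context()))
    # Placeholder host (assumption): replace with the endpoint under review.
    print(negotiated_version("example.com"))
```

A server that still accepts TLS 1.0 or 1.1 will not be detected by this client alone, because the client simply negotiates 1.2 or 1.3; to confirm the server side refuses old versions, run the same connection with `ctx.maximum_version = ssl.TLSVersion.TLSv1_1` and expect the handshake to fail.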
Internal and external application and network scans are conducted utilizing industry standard software solutions. Any needed risk treatments are promptly identified, documented, and prioritized according to risk level by qualified personnel.
Dataminr maintains business continuity and disaster recovery (BCDR) plans that outline the procedures to be followed in the event of a disruptive incident. Deployment across redundant AWS Availability Zones helps to safeguard availability. BCDR testing is conducted at least annually, including a lessons learned component, to inform enhancements as needed.
Dataminr utilizes cloud infrastructure as a service (IaaS), leveraging a containerized micro-service architecture, zero trust network segmentation and industry standard encryption practices. The underlying AWS data centers incorporate biometric access controls, extensive security cameras and 24/7 security personnel, and maintain a complete log of access events. Access entitlements are maintained through an automated provisioning system so that access records stay current.
Dataminr utilizes a strictly need-based approach to managing user access. A unique user identifier is required for each individual accessing the platform. Access to Dataminr’s production environment is protected by a VPN with multi-factor authentication (MFA). Dataminr fully supports SAML 2.0 for integration with customer single sign-on (SSO) solutions.
Dataminr conducts comprehensive annual security risk assessments that cover a broad range of domains. Additionally, a security risk register is continuously maintained to document new risks and treatment actions as they surface. The results of risk assessment activities are presented to senior management for full visibility.
Dataminr maintains architecture diagrams and a complete inventory of assets covering hardware, software, and data resources. Assets have clear owners responsible for protecting the confidentiality, integrity and availability of assigned resources throughout the complete life cycle.
Dataminr maintains a third-party risk program that includes, but is not limited to, privacy and security assessments of proposed and existing suppliers. Vendor and partner platforms are assessed and validated to confirm that they maintain comprehensive privacy, security and compliance programs.
Employees must complete privacy, security and compliance awareness training as new employees and on an annual basis. This training also includes information on specific privacy laws and regulations such as GDPR. Phishing simulations are conducted at least quarterly.
Dataminr takes a privacy-and-security-by-design approach throughout the systems and software development life cycle (SDLC). Approval processes, segregation of duties, peer code review, static code analysis, and QA are incorporated as part of the SDLC to help prevent unauthorized or otherwise harmful changes. Dataminr maintains separate test and production environments; client data is not permitted in Dataminr’s test environment.
Configuration baselines are clearly established and enforced throughout the platform, and hardening standards are consistently applied. Baseline configurations are regularly reviewed and updated, and tooling is in place to prevent drift from the approved baseline.