Where does PowerDMS store and process customer data?
PowerDMS production network and system components are managed in AWS GovCloud data centers designed to anticipate and tolerate failure while maintaining service levels. Third-party testing of AWS GovCloud data centers ensures AWS GovCloud has appropriately implemented security measures aligned to established rules needed to obtain security certifications that support controls around security, redundancy, and all critical support elements.
How does PowerDMS protect my data?
PowerDMS has implemented an organization-wide governance, risk, and compliance (GRC) program that identifies, assesses, mitigates, and monitors risks to our customer’s data and infrastructure supporting our services. Security mechanisms include:
- Monthly network and system vulnerability scans and corresponding security patching program
- Biweekly dynamic and static code analysis sans
- Annual third party penetration tests
- At-rest and in-transit encryption
- Production code library file integrity monitoring
- Perimeter firewalls and intrusion detection systems
- Security logging implemented at every level of infrastructure
- Centralized logging and monitoring application that alerts employees when security events are detected
- Enforced two factor authentication process for any employee accessing production infrastructure
- Annual third party assessments including SOC 2 and HIPAA AT 101
Please see our SOC 2 report for a full list of implemented and assessed security mechanisms.
Is PowerDMS’s security infrastructure assessed against industry standards?
Yes, PowerDMS has been assessed by a validated third party against the following:
- SOC 2 Type 2
- Health Insurance Portability and Accountability Act (HIPAA)
- Criminal Justice Information Services (CJIS) Security Policy
Is my data backed up? Is it backed up offsite?
Our instance is load balanced across three AWS GovCloud data centers which are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites. In addition, PowerDMS.com includes a feature that allows your site administrators to extract your data from directly within the application.
Is my data protected in case of a disaster occurring at a data center?
Yes. PowerDMS maintains its data in geographically dispersed data centers with disaster-recovery systems in place. This guarantees both data integrity and data availability in the event of any data center-wide outage. Should such an event occur, failover to data recovery systems will happen to minimize any interruption in service.
PowerDMS has been assessed against the CJIS Security Policy. What does that mean for my organization?
PowerDMS has taken steps necessary to protect criminal justice information (CJI) maintained by government and civilian agencies. Through data encryption (both in transit and at rest), internal background checks, and physical safeguards to protect data, our customers can be assured that PowerDMS meets nationally-recognized guidelines for the protection, transmission, storage, and generation of CJI.
Is my data encrypted securely?
Yes. All PowerDMS customer data is encrypted in transit and at rest. We ensure a minimum AES-256bit level encryption (FIPS140-2 certified) and at no time is any customer data left in an unencrypted state, including data that has been backed-up.
Does PowerDMS.com support single sign-on?
Yes. PowerDMS supports single sign-on from any third-party identity provider that supports SAML or WS-Federation protocols (e.g. ADFS, Ping, Okta). Logins to PowerDMS over OAuth/OpenID Connect is not allowed at this time. Please contact us for additional information.
Click here for instructions on configuring Microsoft ADFS 2.0 for PowerDMS Federation
Click here for instructions on configuring SAML for PowerDMS
Does PowerDMS.com integrate with any common authentication systems for user account synchronization?
Yes. PowerDMS provides a tool, free of charge, to sync user and group information to PowerDMS.com – securely over SSL – on a one-time or scheduled basis. PowerDMS SYNC can import data from either .CSV files or via LDAP (with Active Directory, for example).
Does PowerDMS.com provide an open API to allow for custom user account management?
Not at this time, however a static API is currently in beta.
Is any additional software required to use PowerDMS.com?
Only a modern web browser (e.g. Internet Explorer, Chrome or Firefox) is required to use the core functionality of PowerDMS.com. However, PowerDMS.com does include two advanced features which require additional software in order to be utilized. The first feature is for IT administrators who wish to synchronize user and group information to PowerDMS.com. This requires a tool – provided by PowerDMS – which can be installed and run on a single server within your network. This does not affect end user environments. The second feature allows end-users to edit documents stored in PowerDMS.com locally on their computer with all changes saved back to PowerDMS.com seamlessly. Each end user who wishes to utilize this feature must install a software plugin on their local computer that can be downloaded directly from PowerDMS.com. Installing this plugin requires administrative privileges. A document editor, such as Microsoft Word, is also required to use this feature and is not provided by PowerDMS. Both the IT tool and end-user plugin are provided by PowerDMS free of charge and are supported for Microsoft Windows only with an additional dependency on the Microsoft .NET Framework.
How does PowerDMS keep up with the latest security threats?
PowerDMS deploys industry-leading technology including IDS, IPS, Log Monitoring, and WAF as well as partners with security experts to ensure the highest level of security. We also monitor and apply necessary patches and updates to ensure our environments are secure from any exploits or attacks, following a strict patch management life cycle, which includes assessment and testing prior to applying patches. In addition to monitoring, blocking, and patching, we also perform regular third-party audits and tests of all layers of our application.
How is security managed within the PowerDMS application?
The security measures listed above are directed, managed, and monitored by a governance, risk, and compliance (GRC) committee that meets quarterly to discuss upcoming security projects, review security alerts and events, and drive risk mitigation.
What physical security controls does PowerDMS maintain?
Production systems for PowerDMS are housed at AWS GovCloud SOC 2 assessed data centers. They are monitored 24 hours a day by security personnel and include a full suite of physical and environmental controls.
Didn’t find the answers you were looking for?
Send us your question here.