PowerDMS has an organization-wide governance, risk, and compliance (GRC) program that identifies, assesses, mitigates, and monitors risks to our customer’s data and the infrastructure supporting our services. Here are some of our security mechanisms:
- Monthly network and system vulnerability scans and a corresponding security patching program
- Biweekly dynamic and static code analysis scans
- Annual third party penetration tests
- At-rest and in-transit encryption
- Production code library file integrity monitoring
- Perimeter firewalls and intrusion detection systems
- Security logging implemented at every level of infrastructure
- Centralized logging and monitoring application that alerts employees when security events are detected
- Enforced two factor authentication process for any employee accessing production infrastructure
PowerDMS also maintains SOC 2, CJIS, and HIPAA compliance. Reports may be available upon request. Please see our SOC 2 Type 2 summary report for a full list of implemented and assessed security mechanisms.
Is my data backed up offsite?
The PowerDMS infrastructure is load balanced across three AWS GovCloud data centers, which are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so in the event of a data center failure, there is sufficient capacity to load-balance traffic to the remaining sites. In addition, PowerDMS includes a feature that lets your site administrators extract your data from the application directly.
Is my data protected in case of a disaster occurring at a data center?
Yes. We maintain data in geographically dispersed data centers with disaster-recovery systems in place. This guarantees both data integrity and data availability in the event of any data center-wide outage. Should such an event occur, failover to data recovery systems will happen to minimize any interruption in service.
Is my data encrypted securely?
Yes. All of our customer data is encrypted in transit and at rest. We ensure a minimum AES-256bit level encryption (FIPS140-2 certified), and at no time is any customer data left in an unencrypted state, including data that has been backed-up.
How does PowerDMS keep up with the latest security threats?
We deploy industry-leading technology including IDS, IPS, Log Monitoring, and WAF, and we partner with security experts to ensure the highest level of security. We also monitor and apply necessary patches and updates to ensure our environments are secure from any exploits or attacks, following a strict patch management life cycle, which includes assessment and testing prior to applying patches. In addition to monitoring, blocking, and patching, we perform regular third-party audits and tests of all layers of our application.
How is security managed and maintained within the PowerDMS application?
The security measures listed above are directed, managed, and monitored by a governance, risk, and compliance (GRC) committee that meets quarterly to discuss upcoming security projects, review security alerts and events, and drive risk mitigation. Members of the GRC committee include our CTO, Director of Software Engineering, IT Director, Legal Counsel, DevOps Lead, and Security Officer.
Is PowerDMS’ security infrastructure assessed against industry standards?
Yes. We have been assessed by a validated third party against the following standards:
- SOC 2 Type 2
- Health Insurance Portability and Accountability Act (HIPAA)
- Criminal Justice Information Services (CJIS) Security Policy
Where does PowerDMS store and process customer data?
The PowerDMS production network and system components are managed in AWS GovCloud data centers, designed to anticipate and tolerate failure while maintaining service levels. All customer data is fully encrypted in transit and at rest. Through third-party testing of AWS GovCloud data centers, we make sure they have appropriately implemented the measures needed to obtain security certifications that support controls around security, redundancy, and all critical support elements.