Deepwatch Trust Center

Deepwatch identities and credentials are issued (and revoked) via an automated solution triggered by the onboarding of new employees via our Human Resources Information System (HRIS), which has custom role-based attributes pre-defined; access changes and terminations are managed via the same mechanism. Access to specific applications is managed via our Identity and Access Management (IAM) Provider and is based on the defined role in our HRIS.

Single Sign-On and Multi-factor authentication is required for all accounts that access the Deepwatch Platform. Additionally, identities and credentials are audited and verified on a quarterly basis in accordance with the industry best practices.

Customer access is generated via the same mechanism. Federated customers are permitted to utilize their own password requirements and security controls.

Deepwatch performs a multi-pronged approach to personnel security including identity/citizenship verification, background checks, credit checks, and drug screenings. Each of these checks is performed by a third party prior to an employee's onboarding into the organization.

After onboarding, Deepwatch employees are read into and bound by non-disclosure and confidentiality agreements and various trainings related to Sexual Harassment, Diversity and Inclusion, Anti-Discrimination, and Cybersecurity Awareness.

In addition, Deepwatch has implemented a comprehensive phishing program to raise awareness about the threat of phishing and social engineering.

Data at Rest

All Deepwatch data is hosted in AWS, unless negotiated by the customer, and is isolated into customer-specific VPC's . This data is stored within AWS's Elastic Block Storage (EBS) volumes, EC2 Instances, and S3 Buckets are all encrypted using keys managed by the AWS Key Management Service (KMS). Each instance uses AES-256 bit encryption.

Data in Transit

All Deepwatch employees connect to the production environment via a zero-trust application, which provides point-to-point application-level access to customer resources. Customer data transmitted on the network is encrypted over Transport Layer Security (TLS) 1.2.

Laptops at Deepwatch are configured in an MDM solution based on a standard baseline that enforces various controls including, but not limited to password requirements, device encryption, auto-lock/screensavers, and A/V and EDR tool deployment.

Cloud Solution Provider systems are configured based on established standards, which are deployed automatically via playbooks.

Deepwatch has established a risk management program including a formal risk management standard and a comprehensive risk register which includes input from numerous internal and external technical resources, tabletop exercises, audits, and other sources. The Risk Management Board meets at least quarterly to conduct risk assessments and review the risk register.

Deepwatch has a comprehensive suite of security policies, standards, and procedures covering topics including, but not limited to: Change Management, Data Classification, Asset Management, Incident Response, Privacy, and Third Party Risk Management. Each document is readily available on the company's intranet. All Deepwatch employees and contractors are accountable to reading, understanding, and adhering to the guidance set forth in the policies and attest as such.

A governance structure for the Security, Risk, and Compliance (SRC) team at Deepwatch has also been established with our CIO/CISO as the executive leader responsible for overseeing the program. The SRC team is responsible for all tasks relating to Security Operations in addition to Governance, Risk Management, and Compliance; it works with stakeholders across the organization to attain its goals.

Deepwatch aims to reduce the risk of security bugs and other vulnerabilities via vulnerability assessments, penetration tests, and code reviews. The findings from each of these activities is used to inform

Vulnerability Assessment

Deepwatch currently performs internal vulnerability scans on a daily basis, which will necessarily include scanning after significant changes to the Deepwatch networks. VM agents are installed as part of our default configuration on both laptops and servers.

Penetration Testing

Deepwatch utilizes both internal resources and independent third-party penetration testing firms to conduct penetration testing, both internal and external, on its systems components. The testing included an External Penetration Test of internet-facing network assets and Internal and Segmentation Penetration Tests for Deepwatch's Cloud SecOps Platform Services environment.

Code Reviews

Deepwatch conducts code reviews via a continuous integration process on every merge into a branch across all repositories. Code is tested (via Static & Dynamic Analysis, Unit Test, Integration Test, Functional Test, Performance, and Security) throughout every step of the development process.

In addition, we engage third party auditors and penetration testers to perform security reviews on our products.

Deepwatch has a limited physical presence due to its nature as a remote-first organization. Staff with a valid business case and role are granted access to the facilities they require to perform their job via a centrally managed access control system. In addition, Deepwatch maintains CCTV Surveillance Systems and visitor controls in each office.

Deepwatch's SecOps platform and associated technologies are all hosted with cloud infrastructure providers, each of which maintainSOC 2 Type II and ISO 27001 certifications, among others, to affirm their physical security stature.

As part of our commitment to Privacy, Deepwatch retains two PECB-certified Data Protection Officers on staff full-time. These individuals, including the Data Protection Officer (DPO), are responsible for all aspects of the Privacy Program including responding to Data Subject Rights requests and maintaining the Record of Processing Activity.

Deepwatch has created and maintains a Record of Processing Activity (ROPA). This ensures we handle that data responsibly, transparently, and keep data processing to the minimum necessary.

Deepwatch takes advantage of the scalability and redundancy of AWS and other best-in-class technologies to ensure our infrastructure is consistently available and performing optimally for our customers.

It's easy to stay informed on the performance of the Deepwatch Cloud SecOps Platform; to do so visit the Deepwatch Status Page which provides the real-time and historical status of the platform and scheduled maintenance of the products that make up our platform. Customers can subscribe to this page and receive updates via email whenever the page is updated.

We offer a credit-backed SLA for both uptime (99.9%) and Initial Response and Update so you can focus on your core business processes. Details can be found here.

Deepwatch has documented the responsibilities between the customer and itself for each of our products. These documents can be obtained from your assigned Customer Success Manager (CSM).

Yes. All Deepwatch employees are US-based.

Yes! In the event that Deepwatch is a party to an Individual Rights Request, we are happy to assist. Connect with your CSM, who will reach out to the privacy team.

While there is no real "certification" for HIPAA compliance, Deepwatch does align its security and privacy program to the HIPAA Security Rule and the HIPAA Privacy Rule. Due to our status as an IT Security Service Provider, Deepwatch is legally prohibited from accessing the HITRUST Cyber Security Framework and becoming a Licensee.

Customer data is accessible to only those who are responsible for providing our products and services; we do not sell customer data to third parties under any circumstances. For more information, please see our Privacy Policy.

Keeping in line with common industry practices, Deepwatch invites its own internal and external auditors to regularly undertake audits against a variety of standards and frameworks as mentioned above. The results of these audits can be shared with customers via their CSM.

While we understand some customers may be a covered entity, Deepwatch is not a "business associate" as defined as Deepwatch does not help carry out any health care activities or functions on behalf of our Customers. Deepwatch does not furnish, bill or receive payment for healthcare nor do we transmit or process any covered transactions as described under the CMS guidelines. We take privacy and confidentiality seriously and our SOC2 Type 2, and TRUSTe certification speaks to our security hygiene and compliance with HIPAA requirements. It is important to understand customer's are in control of data logs filtered and transmitted to Deepwatch for analysis and such logs should never include any PHI or other HIPAA related material.