Updated: February 28, 2023
Here is an overview of the security practices currently implemented at Two Dots.
We have a data protection policy that involves:
Need-to-know access control
Sensitive data is encrypted in transit and at rest
SSNs are scrubbed from all log entries
Audit logging is used to keep a log of all mutations to database data and access to cloud resources
Accounts that control access to corporate resources are secure
For accounts with infrastructure-level access to customer data, we use physical MFA via security keys that are located in our homes and office, meaning that to gain access someone would need to steal the physical security keys
For accounts that use a password, we randomly generate secure passwords, store them in a password manager, and use additional MFA when available
We maintain a list of all devices with access to corporate resources.
BYOD smartphones are given access to lower-level communications tools
Work computers are actively monitored/controlled by industry-leading software
Customer data is set to be regularly backed up in compliance with our data retention policy
Regular vulnerability reviews and remediation
Incident response plan, including a plan for data breach reporting
A designated security officer educated on the information security program and playbooks