Data security at Dataro
Like you, we take the security of your donor data very seriously. Dataro is committed to the highest standards of data security, privacy, and ethics.
Data Security
Data Security is integrated into the core of our system architecture and complies with stringent standards, ensuring that your data remains secure both in transit and at rest.
Donor Confidentiality
We understand the crucial role that data security plays in maintaining the trust of your donors, and we incorporate donor privacy at every level of our systems.
AI Transparency
AI shouldn’t be a “black box.” Dataro is committed to ethical, explainable AI, ensuring full transparency regarding the data used by our models.
How we ensure the safety of your organisation and your donors
For more detailed technical information, please select a category.
Data storage and encryption
All client data is stored at rest in Amazon Web Services (AWS) S3 buckets, which are by default industry-standard AES-256 encrypted and private.
Modelling metadata and app-related outputs (outputs for display in the Dataro platform) are stored in an AWS Aurora Postgres database that exists in a private subnet in our own AWS VPC and is not directly accessible from the internet.
Data is processed in virtual machine images (Docker containers) on dynamically allocated compute instances (AWS Batch). As such, there are no standing instances to access or compromise. This dramatically reduces our potential attack surface.
Dataro’s web application is architected using a ‘serverless’ framework where backend requests are processed using abstracted compute units (AWS Lambda) instead of standing instances.
AWS is a top-tier cloud vendor, and in the cases above, there are huge security benefits to using their managed services (Batch, S3, Lambda) instead of managing our own servers. Issues such as patching, disaster recovery, backups, configuration, and so forth are handled by AWS as part of their managed service offering.
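The storage controls described above (private, default-encrypted S3 buckets and an Aurora database that is not reachable from the internet) are the kind of settings that drift over time, so a defender normally verifies them rather than trusting the initial configuration. The following added example is illustrative code, not Dataro's own tooling: it evaluates the response shapes returned by boto3's `s3.get_bucket_encryption`, `s3.get_public_access_block` and `rds.describe_db_instances` calls, so the same checks run offline against the constructed sample responses embedded below and, with boto3 and read-only credentials, against a live account. Bucket and instance names in the samples are made up.

```python
"""Offline-testable audit of S3 default encryption, S3 public-access blocking
and RDS/Aurora instance exposure. Added example; not Dataro's code."""
from typing import Any, Dict, List, Optional, Tuple

Finding = str
ACCEPTED_SSE = {"AES256", "aws:kms", "aws:kms:dsse"}  # S3 SSEAlgorithm values
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def check_bucket(name: str,
                 encryption: Optional[Dict[str, Any]],
                 public_access_block: Optional[Dict[str, Any]]) -> List[Finding]:
    """Findings for one bucket.
    `encryption` is the s3.get_bucket_encryption response (None if the call
    raised ServerSideEncryptionConfigurationNotFoundError); `public_access_block`
    is the s3.get_public_access_block response (None if it raised
    NoSuchPublicAccessBlockConfiguration)."""
    findings: List[Finding] = []
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    if not algorithms & ACCEPTED_SSE:
        findings.append(f"{name}: no default server-side encryption rule")
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:  # every flag must be on for the bucket to be private
        if not pab.get(flag, False):
            findings.append(f"{name}: {flag} is not enabled")
    return findings


def check_db_instance(instance: Dict[str, Any]) -> List[Finding]:
    """Findings for one entry of rds.describe_db_instances()['DBInstances'].
    PubliclyAccessible is an instance-level attribute even for Aurora clusters."""
    findings: List[Finding] = []
    ident = instance.get("DBInstanceIdentifier", "<unknown>")
    if instance.get("PubliclyAccessible", False):
        findings.append(f"{ident}: PubliclyAccessible is true")
    if not instance.get("StorageEncrypted", False):
        findings.append(f"{ident}: storage is not encrypted")
    return findings


def audit(buckets: List[Tuple[str, Optional[dict], Optional[dict]]],
          instances: List[Dict[str, Any]]) -> List[Finding]:
    """Run every check and return the combined list of findings (empty = clean)."""
    findings: List[Finding] = []
    for name, enc, pab in buckets:
        findings += check_bucket(name, enc, pab)
    for inst in instances:
        findings += check_db_instance(inst)
    return findings


# Constructed sample API responses; not captured from any real account.
SAMPLE_BUCKETS = [
    ("example-client-data",
     {"ServerSideEncryptionConfiguration": {"Rules": [
         {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
          "BucketKeyEnabled": False}]}},
     {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}}),
    ("example-misconfigured", None,  # no encryption rule, one PAB flag off
     {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                         "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}),
]
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "example-aurora-1", "Engine": "aurora-postgresql",
     "PubliclyAccessible": False, "StorageEncrypted": True},
    {"DBInstanceIdentifier": "example-aurora-public", "Engine": "aurora-postgresql",
     "PubliclyAccessible": True, "StorageEncrypted": True},
]


def live_audit(region_name: str) -> List[Finding]:
    """Optional: the same checks against a real account (needs boto3 and
    read-only credentials). Not exercised by the offline sample run."""
    import boto3
    from botocore.exceptions import ClientError
    s3, rds = boto3.client("s3", region_name=region_name), boto3.client("rds", region_name=region_name)
    buckets = []
    for b in s3.list_buckets()["Buckets"]:
        name = b["Name"]
        try:
            enc = s3.get_bucket_encryption(Bucket=name)
        except ClientError:
            enc = None
        try:
            pab = s3.get_public_access_block(Bucket=name)
        except ClientError:
            pab = None
        buckets.append((name, enc, pab))
    return audit(buckets, rds.describe_db_instances()["DBInstances"])


if __name__ == "__main__":
    for finding in audit(SAMPLE_BUCKETS, SAMPLE_DB_INSTANCES):
        print(finding)
```

Run against the constructed samples, the clean bucket and instance produce no findings, while the misconfigured bucket is reported twice (no encryption rule, `IgnorePublicAcls` off) and the public instance once. Note that `check_bucket` treats a missing public-access-block configuration as all four flags disabled, which matches how S3 behaves when the block has never been set on a bucket.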
Confidentiality & access control
We have implemented stringent controls governing this data.
Awareness training is provided to all employees during the induction process that covers the importance of and best practices for handling customer data. Access to the production buckets is provisioned using AWS Identity and Access Management (IAM) and is currently directly accessible only to the production processing system, Dataro’s CTO (Chief Technical Officer) and senior engineering staff.
Access to Dataro environments within Dataro is limited to the most senior employees who have been trained in our security protocols. Control measures include restricting access to privileged groups, with additional authentication requiring 2FA and password strength requirements in line with best practice.
Dataro adopts a risk-based approach to processing, protecting information in particular against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
Data security during transit
Data is collected from Customer systems using the Customer’s CRM vendor’s API, or is sent to Dataro directly using best-practice Secure File Transfer Protocol (SFTP).
Physical security measures
Physical security controls in our offices ensure robust physical security appropriate to the nature of our business. All Dataro resources are hosted in secure facilities (in Australia, the UK, or US, based on client preference) provided by AWS. AWS has best-in-market data centre controls: https://aws.amazon.com/compliance/data-center/controls/
System updates and security
We deploy updates to our system using a rigorous CI/CD (Continuous Integration and Continuous Delivery) process which includes automated testing for a number of security risks, including static and dynamic analysis of the code and deployed systems.
Data processing
Contact persons and project managers are identified for all projects. All Dataro employees receive appropriate privacy and annual data security training and are required to comply with Dataro’s IT security policy.
Data modelling & Personal Identifiable Information
We strive to adhere to privacy by design principles and, as such, with respect to data concerning our Customers’ donors, we only capture information that the Customer has consented to and directly pertains to our capability to deliver our service and product. While Dataro stores four types of Personally Identifiable Information (PII): email address, phone number, postal address, and surname, we do not utilise any PII for modelling. Our proprietary data models are trained on non-personal data within our global data set (the Dataro data pool).
Data integrity and business continuity
Administration activities on servers are only carried out by trained personnel who are the most senior at Dataro. 2FA is compulsory for all activities involving access to customer data stored by Dataro. We care about the resilience of our products and appreciate that disruptions can happen, so we have developed a Business Continuity Plan appropriate to the size of Dataro and the scope of products supplied. Key processes include annual business continuity plan reviews, including key risks and contingencies, and building services to utilise the redundancy capabilities of our cloud service providers.
Data retention
At the end of your subscription, we delete all the raw data we are holding for your organisation, including all personal data.