Diligent Security Overview

Every person, team, and organization using Diligent applications and services expects their data to be secure, available, and handled according to strict confidentiality and privacy principles at all times — and we understand how important this is.

We have built our global business on the trust our customers place in our ability to safeguard their data, and continue to maintain that trust through our security and compliance initiatives and culture of continuous improvement.

Security

We have a dedicated Security department consisting of over a dozen security professionals focusing on product security, security operations, incident response, risk management, and compliance.

Our multi-layered security environment follows the principles of least privilege, separation of duties, defense in depth, and usability.

Data Protection

Our security program is founded on the controls we have built into our service to protect customer data.

We regularly assess risk, monitor our controls, evaluate potential threats, and use this information to update our controls framework from policies and procedures to encryption protocols.

Reliability

We actively monitor our solutions for availability and performance to a 99.5%+ average uptime. Identifying and resolving performance issues is a key part of providing a high-value SaaS-based subscription to our customers. Furthermore, providing responsive and effective customer support is a top priority for Diligent.

Policies, Practices and Processes
Diligent’s security policies set the tone and direction for the organization, assign and delegate roles and responsibilities for information security, establish control objectives, and demonstrate commitment and accountability to all stakeholders, including employees, business partners, and customers.

Cloud Based Delivery
Our products are designed to take advantage of the efficiency and accessibility of a cloud-based, software as a service (SaaS) delivery model, which provides organizations with independence and agility along with a low and predictable total cost of ownership.

Reporting Security Concerns
We recognize that the decision to store data in a cloud-based platform raises important questions about security. If you have any questions or concerns about the security, privacy, or integrity of your data, contact our support team.

Support

We are committed to providing a robust and secure service that protects our customers’ data.

Diligent’s Security Program is governed based on the NIST Cybersecurity Framework, and Diligent follows ISO/IEC 27001 standards to keep information assets secure by implementing an Information Security Management System (ISMS).

Frequently Asked Questions

  • What type of security and controls are in place for data centers and subservice organizations?

    Our system control environment is designed to provide confidentiality, availability, and integrity for our SaaS offerings. Controls that are audited at least annually under SSAE-18 include:

    • Data Protection
    • Access Control/Logical
    • Access Change Management
    • Data Security
    • Backup and Recovery
    • Incident Management

    These controls and supporting policies provide us and our customers with operational assurance.

  • Is a SOC audit report available?

    Yes, we have current SOC 2 reports for specific products prepared by third-party auditors. The reports are comprehensive assessments of the internal controls and information security related to our service.

    Upon request and subject to customer’s execution of our standard non-disclosure agreement (NDA), we will provide a copy of a current SOC 2 report.

  • Do you conduct vulnerability assessments and penetration tests?

    In addition to internal security testing, we use third-party independent penetration testing to assess our service for security vulnerabilities. These tests are performed by organizations specializing in software security, and are used to probe our environment for vulnerabilities and OWASP Top 10 web application risks, such as:

    • Cross-site scripting
    • SQL Injection
    • Session and cookie management
    • API abuse
    • Denial of service

    We ensure exploitable vulnerabilities are resolved in a timely fashion based on severity and impact. Subject to an NDA, we can provide a copy of the most recent penetration test.

  • What type of security and controls does Diligent have in place?

    Our system control environment is designed to provide confidentiality, availability, and integrity for our SaaS offerings. Controls that are audited at least annually under SSAE-18 include:

    • Data Protection
    • Access Control/Logical
    • Access Change Management
    • Data Security
    • Backup and Recovery
    • Incident Management

    These controls and supporting policies provide us and our customers with operational assurance.

  • Where will my data be stored?

    Systems that rely on our IaaS provider are available in regions in the United States, Canada, Europe, Australia, South Africa, South America, and Asia. Systems that rely on our colocation data centers are available in the United States, United Kingdom, Canada, Germany, and Australia to provide options for where data is stored and to help our customers comply with data privacy location requirements.

  • How do you protect Personally Identifiable Information (PII)?

    PII is limited by our customer subscription agreements, subservice organization agreements, corresponding controls, and segregation built into our SaaS design.

    This ensures that any PII is isolated and protected in the system and that each customer has access only to its own data.

  • Who will have ownership of my data?

    You will continue to retain all rights over your data, and we will not use your data except for the purpose of providing the services in your subscription.