Security at Darwinium
Platform & Network Security
We understand that businesses place a high level of trust in Darwinium to manage mission critical infrastructure. The security of customer data, of our products, and our services are our top priority. Darwinium’s best-in-class security starts at the foundational level and includes internal threat models, routine internal and external security assessments, and secure software development.
Encryption at the Edge
- Darwinium encrypts all user data on the edge, meaning businesses retain full control of customer data within their own infrastructure, and it is never seen in the clear by Darwinium.
- We use Hybrid Public Key Encryption (HKPE) to store your data.
Darwinium’s tools and automated processes only have access to your organization’s public key. This means that we can only encrypt - but not decrypt - sensitive information without your input.
Your Data on Your Infrastructure
- Darwinium provides the ability to store collected data, encrypted, on your own S3 infrastructure, giving you additional surety around data storage and residency.
- Customer data is not shared outside of an organization, or across borders, for ultimate user privacy and security.
Fine-Grained Access Control and Single Sign-On
- Darwinium can be configured to support login using your own identity provider such as Okta or PingFederate.
- We provide role-based permissions that enforce:
- Whether a user can view event data.
- Whether a user can update journey definitions.
- Whether a user can manage deployments.
Darwinium respects your privacy and is committed to protecting your Personally Identifiable Information (PII) - any information that relates to an identified or identifiable individual. Our belief is that any PII provided to us by you is just that: personal and private.
We do not rent, sell or trade your PII.
We appreciate any effort to discover and coordinate the disclosure of security vulnerabilities. Darwinium does not currently operate a public bug bounty program or offer monetary rewards for vulnerability reports, but individuals may be acknowledged in product security bulletins as appropriate.
If you would like to report a vulnerability in one of our products or services, or have security concerns regarding Darwinium software or systems, please email [email protected]
To support a timely and effective response to your report, please include any of the following:
- Steps to reproduce or proof-of-concept.
- Any relevant tools, including versions used.
- Tool output.
Darwinium takes all vulnerability reports very seriously and aims to rapidly respond and verify the vulnerability before taking the necessary steps to address it. After an initial reply to your disclosure, directly after receiving it, we will update you periodically with our response and remediation status.
Security issues related to Darwinium-owned domains/properties that we have already assessed for risk and will address in future include:
- HTTPS configuration, including supported TLS versions & ciphersuites.
- HTTP headers, for purposes including Strict Transport Security, Content Security Policy, and clickjacking/XSS protection.
- DNS records including those related to email (SPF, DKIM, DMARC) and certificate issuance (CAA).