(984) 465-1010

Client Trust

Commitment to Our Clients

Exceeding clients’ expectations is our top priority. Dauntless Discovery is committed to maintaining trust with every client through security and transparency. The following information includes compliance, privacy, and operations security practices at Dauntless Discovery.

Compliance

Compliance Program

ISO 27001, an internationally recognized specification for an Information Security Management System (ISMS), is the only auditable standard that deals with the overall management of information security, rather than just which technical controls to implement. Dauntless has obtained ISO 27001 certification for its commitment to establishing and following security policies and procedures. A copy of our certificate can be accessed here.

Reports

Dauntless compliance certifications and attestations are available under NDA. For more information about Dauntless Discovery’s compliance certifications and programs, please reach out to your Dauntless account representative or [email protected].

Security

Security Team

Dauntless Discovery has a dedicated CISO who reports to the President and COO, with responsibilities focused on enterprise security, awareness and training, vulnerability management, incident management, secure logging and monitoring, security risk management, supplier risk management, and identity and access management.

Background Checks

Background checks are performed on all Dauntless Discovery staff based in the U.S. and within our international review center. All personnel are required to sign confidentiality agreements upon hire.

Security Awareness

Policies

Dauntless has developed security policies and procedures based on ISO 27001. All employees are required to acknowledge an understanding of these policies upon hire and through annual mandated training.

Training

All employees must complete security and privacy awareness training on hire and annually thereafter.

Supplier Security

Dauntless Discovery uses a defined, tier-based security model to evaluate all prospective vendors’ criticality and exposed residual risk. These evaluations involve a combination of security questionnaires and cybersecurity certification reviews with all third parties.

Security Monitoring and Alerting

Dauntless Discovery monitors all activity logs; alerts are generated for anomalies, and each alert is investigated by the security team.

Vulnerability Management

Dauntless Discovery participates in the Department of Homeland Security’s CyberHygiene program and conducts annual penetration testing for all internet-facing assets. Our IT team regularly performs patch management activities on servers, workstations, and networking devices. Additionally, secure endpoint configurations are determined and approved for all user work activities.

A responsible vulnerability disclosure channel is available for external security researchers to submit findings at [email protected].

In addition to vulnerability management security testing, Dauntless Discovery contracts with a third-party firm to perform annual penetration tests.

Logical Access

Dauntless Discovery employs the principle of least privilege, restricting access to client data repositories to authorized users on a need-to-know basis. Client data is logically isolated with strict access controls to prevent data leakage.

Security Incident Response

Dauntless Discovery has a defined incident response policy and plan that prescribes appropriate actions for triage and escalation of all potential incidents. Dauntless Discovery also performs tabletop exercises with key stakeholders to ensure all relevant staff understand their roles and responsibilities in supporting the incident response plan.

Encryption

In Transit

Dauntless Discovery encrypts all communications with industry-standard HTTPS/TLS 1.2/1.3+ between public networks and Dauntless Discovery clients to protect all data.

At Rest

Dauntless Discovery employs full-disk encryption (FDE) to protect data at rest.

Business Continuity and Disaster Recovery

Dauntless Discovery’s business continuity and disaster recovery plans are designed with the safety and security of our client data in mind. All data backups are replicated for high availability and redundancy to datacenters that are accredited under ISO 27001, SOC 1 and SOC 2, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley.

Privacy

Privacy Policy

Dauntless Discovery maintains a privacy program that monitors regulatory requirements with oversight from dedicated privacy personnel. Dauntless Discovery’s privacy policy can be found here.