Trust and Compliance

IntoneCCM is a cutting-edge enterprise Software-as-a-Service (SaaS) platform that offers Continuous Control Monitoring and comprehensive monitoring solutions for various industries and use cases. Designed to revolutionize how boards, committees, and executives navigate risk, it provides a unified and streamlined approach to risk management and decision-making.

Benefits of the Platform Approach to Security

Secure-by-design architecture based on the shared responsibility model:
  • Azure: Ensures the security of the cloud, including the global infrastructure.

  • IntoneCCM: Handles the security in the cloud, such as the SaaS platform.

  • Customers: Manage what is stored in the cloud, such as data, user accounts, and access.

Unified Governance and Compliance: The platform ensures consistent governance and compliance across all functionalities.

Security Framework: IntoneCCM's security program is built on the NIST Cybersecurity Framework and adheres to ISO/IEC 27001 standards.

Certifications and Audits: The platform is ISO 27001 certified and undergoes annual SSAE 18 SOC 2 Type II audits to uphold security and compliance.

Security Organization

IntoneCCM has a dedicated Security Department with a diverse team of security professionals specializing in product security, security operations, incident response, risk management, and compliance.

The Security Team is led by IntoneCCM's Chief Information Security Officer (CISO).

The Shared Responsibility Model

Security and compliance are a shared responsibility between IntoneCCM and its customers. IntoneCCM manages the overall application infrastructure, while customers are responsible for managing end-user security and access control within their individual systems.

Customers should implement controls to restrict access strictly to authorized individuals. Recommended controls include:

  • Approving individuals for account access before setting up users in the system.

  • Revoking user login credentials when access is no longer required or if authentication credentials or other sensitive information have been compromised.

Microsoft Azure Responsibility

Microsoft Azure is a leading provider of cloud computing and data storage services. Azure is responsible for securing the physical facilities and infrastructure, including server hardware, networking, and related services for the IntoneCCM platform, as well as hosting customer data.

IntoneCCM Responsibility

In addition to the physical and hardware security provided by Microsoft Azure, IntoneCCM maintains a robust information security framework to ensure that the confidentiality, integrity, and availability of customer data meet high standards and fulfill customer expectations.

Customer Responsibility

Customers share the responsibility for securing their data and ensuring compliance with applicable regulatory and privacy laws.

  • Customers have full ownership and control over user access.

  • Customers manage the entire data lifecycle.

  • Customers determine what information to input into the system, how long to retain it, and what data should be deleted.

  • Customers establish who has access to their data.

Platform Capabilities for Customer Responsibilities

The platform includes capabilities to assist customers in their responsibility for managing end-user system access:

  • Enforce strong password policies.

  • Configure password expiration settings.

  • Set session timeouts for enhanced security.

  • Enable Single Sign-On (SSO) via SAML 2.0.

  • Challenge user accounts after multiple failed login attempts.

  • Easily delete or suspend user accounts as needed.

  • Specify permissible user IP addresses for additional security.

  • Utilize activity tracking to log system access and usage.


Regional Availability and Data Protections

The IntoneCCM platform is available across multiple regions, providing customers with options for data storage that comply with data privacy location requirements.

Regional Data Storage

Data is securely stored and replicated across state-of-the-art data centers operated by Microsoft Azure. Upon platform setup, data is stored in the data center region corresponding to the address listed in your order form, though customers may select an alternative storage region to meet their physical, legal, security, or performance needs.

Data is encrypted both during transmission and at rest (AES-256) within the regional data storage facility. All customer data on the platform, including data in backups, is stored exclusively within a single hosting region.

Data and Service Redundancy

All regional infrastructure is fully redundant, with data replicated or backed up to alternate regional locations to prevent loss in the event of a failure.

Beyond this real-time redundancy, we perform daily backups of all customer data, including field data and attached documents stored in your account. These backups are retained for a period of one year.

Backups are intended for restoring data integrity due to systemic or database failures, rather than for recovering user-deleted data. As long as your subscription remains active, your data will be backed up.

Data Ownership

Customers retain complete ownership of their data and are responsible for establishing retention periods and deleting unwanted content during the subscription term and for up to 30 days after termination or expiration of the subscription. Customers also bear the responsibility of ensuring their data complies with relevant policies, regulations, and laws. IntoneCCM is committed to ensuring the security of the platform that hosts customer data.

Customers have multiple options (through authorized managers or administrators) to extract their data at any time.

Terminating subscriptions

If you decide to terminate your subscription, IntoneCCM will provide you with continued access to the system for an additional 30 days, allowing you to copy or extract any data you wish to retain. Once you have extracted your data, it is completely your responsibility to delete any remaining data in the system.

Upon your written request, IntoneCCM will permanently destroy the customer system and all associated data after the extraction process is complete. If 90 days pass without a written request to destroy the customer system, IntoneCCM reserves the right to delete the customer system to reclaim system resources. For product-specific terms, see the IntoneCCM Terms and Conditions.

Service Resiliency

IntoneCCM is dedicated to providing a world-class customer experience. Our engineering teams actively monitor platform availability and performance, achieving an average uptime of 99.5% or higher. To view the current system status, please visit the IntoneCCM Status Page.

IntoneCCM maintains a disaster recovery plan. While the customer impact from a physical or environmental threat to our corporate headquarters is considered low due to our reliance on cloud-based tools, the safety and availability of our personnel remain critical priorities.

The maximum acceptable data loss duration for the platform (Recovery Point Objective or RPO) is one hour, even in the event of a disaster. Backup intervals are therefore configured to limit potential customer data loss to one hour or less, depending on the time of the system failure.

The targeted time frame for restoring service after a disaster (Recovery Time Objective or RTO) is currently set at 24 hours.

Data Privacy

Customer data is classified as confidential information and is managed with the utmost care by IntoneCCM personnel. Customer data is never duplicated outside the production environment, including on employee laptops.

Any necessary troubleshooting of customer data is conducted within the customer’s environment. When IntoneCCM personnel require access to a customer’s environment, a ticket is generated to document the interaction, including the reasons for access and the actions taken.

Access by IntoneCCM personnel is strictly limited to addressing the customer's specific needs. Once the customer is satisfied with the support provided and the ticket is closed, access is promptly revoked. IntoneCCM only collects the minimum personally identifiable information required from licensed users for account setup, access to product resources, and system administration.


Compliance

Platform Compliance

Diligent follows ISO/IEC 27001 standards to keep information assets secure by implementing an Information Security Management System (ISMS). This provides a systematic approach for managing risk across Diligent’s staff, processes, and IT systems. Diligent's ISMS is ISO/IEC 27001:2013 certified.

Diligent One Platform undergoes annual SSAE 18 SOC 2 Type II audits. The SOC 2 Type II audit is an industry-recognized, independent audit that reports on the suitability of the design and the operating effectiveness of Diligent's controls relating to security, availability, and confidentiality.

Hosting Provider Compliance (AWS)

Amazon is the largest vendor of data storage and computing on the planet, and it is responsible for the physical facility and the physical infrastructure (server hardware, networking, and related services) for the Diligent One Platform service and for hosting customer data.

AWS's physical controls provide facility and equipment safeguards in areas such as multi-factor access controls, electronic surveillance, intrusion detection systems, and environmental safeguards.

For more information about Amazon Web Services security, refer to the following documents:

If you would like to obtain any of the AWS compliance reports, especially their SOC 2, please request instructions from your Diligent account executive. Under the standard agreement all SaaS vendors have with Amazon, Diligent cannot provide these reports directly to you. However, your account executive will provide you with information on how to obtain the reports directly from Amazon.

Reviewing Diligent Policies, Security Documentation, and Audit Reports

Robust information security policies and processes are the foundation of Diligent One Platform’s security program. Security is reinforced by a range of operational and security policies, standards, and procedures that address various controls and requirements. These measures ensure that our customers can trust the platform to protect their data and maintain the highest levels of confidentiality, integrity, and availability.

Upon request and subject to a standard non-disclosure agreement (NDA), customers can obtain a copy of the current platform SOC 2 report. A detailed list of policies is also available upon request.

Visit the document portal at trust.diligent.com for self-serve access to the following:

  • Security policies and standards.

  • Additional security documentation for the platform and specific modules.

  • Third-party audit reports such as SOC 2 and HIPAA, ISO certifications, and penetration test reports.


Platform Security Controls

Diligent One Platform security is founded on the controls that are built into the service to protect customer data. Management regularly assesses risk, monitors the controls, evaluates potential threats, and uses this information to update the controls framework from policies and procedures to encryption protocols.

Data Encryption

Strong encryption is used to protect all data in transit and at rest.

Encryption in transit is achieved via the industry-standard TLS (Transport Layer Security) protocol, supporting only the strongest encryption algorithms, including AES (Advanced Encryption Standard) with up to 256-bit key lengths. Encryption at rest is achieved by leveraging AWS storage encryption, using AWS KMS to create and store the 256-bit AES encryption keys.

By using TLS version 1.3, an encrypted communication channel between the end-user web browser and the platform is established, ensuring the confidentiality and integrity of all data transmissions from end-to-end.

The AES encryption algorithm is widely recognized and approved by organizations worldwide as an industry standard in government, military, and commercial applications.

All emails from our platform are transmitted via TLS-encrypted channels, when available.

Password Management

User passwords are never stored in clear text format. A strong cryptographic algorithm is used to generate irreversible strings known as password hashes. The algorithm also uses a unique long random value known as a salt, which is different for each user and ensures protection against attacks based on pre-computation of password hashes.

Password Attempts

When signing in to our platform or generating a token to use in another application, users have up to five attempts to enter their password. After five failed attempts, a reCAPTCHA challenge is displayed. reCAPTCHA is a service that protects websites from spam and abuse, and requires the user to enter a series of characters or numbers to prove they are human.
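The two mechanisms described above, per-user salted password hashing and a challenge after five failed attempts, as an added illustration that is not the platform's own code. The page does not name the hash algorithm, so PBKDF2-HMAC-SHA256 with a 16-byte random salt is an assumption here, as is the challenge-gating logic in LoginGate.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this illustration; the page only states that a strong,
# salted, irreversible hash is used and that five attempts are allowed.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16
MAX_ATTEMPTS = 5


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, so a table of precomputed hashes is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed dummy record so unknown usernames cost the same time as real ones.
DUMMY_RECORD = hash_password("not-a-real-user")


class LoginGate:
    """Counts failed attempts per user and demands a challenge after MAX_ATTEMPTS."""

    def __init__(self, records: Dict[str, str]):
        self.records = records              # username -> stored hash record
        self.failures: Dict[str, int] = {}  # username -> consecutive failures

    def attempt(self, user: str, password: str, challenge_passed: bool = False) -> str:
        """Return 'ok', 'denied' or 'challenge_required'."""
        if self.failures.get(user, 0) >= MAX_ATTEMPTS and not challenge_passed:
            return "challenge_required"     # human check before any further tries
        record = self.records.get(user, DUMMY_RECORD)
        if verify_password(password, record) and user in self.records:
            self.failures.pop(user, None)   # reset counter on success
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"
```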

Session expiry

A session is a period of activity between a user logging in and out of an application. Sessions are global to all platform modules. Your session expires if you are inactive for the duration of time set by an Account Admin.

Anti-malware Protection

Files uploaded to the platform are scanned for malware to protect users.

Event Monitoring

All product systems are monitored 24/7 for security and availability. In the event of any service interruption, alerts are delivered via e-mail, text message, and phone call to system administrators and management.

Security and performance are monitored using sophisticated third-party monitoring tools. Security and performance requirements are reviewed on a weekly basis and any issues noted that potentially impact customers are documented and resolved.

Privileged Access

Diligent follows the principle of least privilege for internal administration. Administrative access for employees must be requested via a ticketing system, and the request requires approval from management before access is granted.

Diligent's administrative access is protected with a combination of network restrictions, username/password, multi-factor authentication, and private keys. Inactive sessions are limited to 15 minutes.

All access is tracked and monitored for suspicious activity. Administrative access to applications is granted to employees only on the basis of their job responsibilities. Access to all production systems and internal applications is removed upon termination of employment.

Secure Software Development Life Cycle (SSDLC)

At all phases in the application development process, security is a top priority. Diligent builds security into the platform.

Secure coding best practices are strictly followed. Common application layer vulnerabilities, including all OWASP Top 10 vulnerabilities, are explicitly addressed at all stages of the SDLC using industry standard counter-measures, such as explicit sanitization of all user input, use of parameterized queries, and use of secure libraries. All code changes are controlled and approved, and must go through strict peer review and Quality Assurance (QA) testing prior to production deployment.

Segregation of duties

Procedures, controls, and monitoring are in place to ensure that a separation of duties exists between the define, design, build, test, and deploy phases of the software lifecycle. Third-party monitoring tools are used in development, test, and production to detect run-time errors and monitor performance, so that multiple stakeholders are informed of deployments and errors.

Penetration testing

In addition to internal security testing, Diligent uses third-party independent penetration testing to check for security vulnerabilities. These tests are performed by an organization specializing in software security and are used to probe the environment for vulnerabilities such as cross-site scripting, SQL injection, and session and cookie management flaws. Exploitable vulnerabilities are resolved on a timely basis according to severity and impact. A copy of the most recent penetration test report can be provided, subject to a non-disclosure agreement (NDA).

Web scans and testing

Platform source code is maintained in a repository exclusively for source code management. The source code repository is a complete copy of the source code. Vulnerability scans are performed to identify security flaws within the source code and dynamically on all applications prior to a production release. Any findings are resolved in a timely fashion.


Incident Management

Diligent has a robust platform Incident Response Plan to promptly and effectively manage incidents that minimize impact to the platform.

A Security Incident Response Team (SIRT) is responsible for responding to incidents and for managing and conducting security investigations, including all aspects of communication, such as deciding how, when, and to whom the findings shall be reported.

Incident Response Plan

  • Preparation - activities that enable the SIRT to respond to an incident: policies, tools, procedures, training, effective governance, and communication plans.

    Preparation also implies that the affected groups have instituted the controls necessary to recover and continue operations after an incident is discovered. Post-mortem analyses from prior incidents form the basis for continuous improvement of this stage.

  • Detection & Investigation - the discovery of the event with security tools or notification by an inside or outside party about a suspected incident and the declaration and initial classification of the incident. Investigation includes completing an Incident Log to keep track of all incident activities.

    Diligent monitors and investigates all events and reports of suspicious or unexpected activity, and tracks them in an internal ticketing system. Investigation is the phase where SIRT personnel identify and determine the priority, scope, and root cause of the incident.

  • Containment - the triage phase where the affected host or system is identified, isolated or otherwise mitigated, and when affected parties are notified and investigative status established.

    This phase includes sub-procedures for seizure and evidence handling, escalation, and communication. All evidence will be handled in accordance with local evidence handling procedures and legal requirements.

  • Remediation & Eradication - the post-incident repair and recovery of affected systems and/or data, communication and instruction to affected parties, and analysis that confirms the threat has been contained.

    Apart from any formal reports, the post-mortem will be completed at this stage as it may impact the remediation and interpretation of the incident.

  • Recovery - the analysis of the incident for its procedural and policy implications, the gathering of metrics, and the incorporation of “lessons learned” into future response activities and training.

  • Post-incident Activities - activities within the recovery stage include "Lessons Learned." Lessons Learned allows the SIRT to identify any weaknesses in the plan and the supporting policy and/or process, and to put in place remedial actions to mitigate any further such incident.

    During the lessons-learned review, the SIRT examines the incident and all associated artefacts to identify the root cause. Lessons learned are documented and used to improve the plan.


Diligent Generative AI Usage Principles

AI Safety and Ethics Task Force

Diligent is committed to responsible AI deployment. Diligent maintains an AI Safety and Ethics task force comprised of Information Security, Legal, Product, Engineering, and Executive Leadership. This task force meets regularly to actively ensure our use of AI technologies meets the highest ethical and safety standards.

Diligent is exploring ways to use Generative AI and Large Language Models (LLMs) to enhance the value that our products provide customers. Certain offerings, such as our ESG intelligence benchmarks, which apply LLMs to aggregate public ESG disclosures, are already available, and we are looking at other innovative opportunities in the very near future.

By default, the AI models we employ are not trained on the data you have entrusted our software products to protect. Any deviation from this principle requires your explicit consent and would always be your company's choice. Furthermore, any content produced by our company's generative AI is labeled, allowing users to readily identify AI-generated content.

As with all Diligent product functionality, controls are in place to ensure the logical separation of customer data.