Dataminr Trust Services
Dataminr’s commitment to privacy, security and compliance is integral to our mission. Our services are web-based, and our real-time, AI-powered alerts on high-impact events and critical information are delivered to users via a web-based app, mobile app, email and/or push notifications.
Want to learn more about Dataminr’s privacy and security practices? Review our third-party audit reports.
Privacy and security by design
Dataminr embeds privacy and security throughout its systems and software design life cycle to ensure that controls are well designed and operating effectively. Privacy and security controls are documented and enforced by dedicated internal teams as well as verified by qualified, internationally accredited third-party auditors to provide assurance to customers.
Third-party verification and compliance
- Dataminr is SOC 2 Type 2, NIST 800-171, ISO/IEC 27001:2013, ISO/IEC 27701:2019, and UK Cyber Essentials Plus certified. External audits are conducted annually to ensure continued compliance with these frameworks.
- Comprehensive application and network penetration testing is conducted at least annually by qualified, independent security firms that are rotated for diverse coverage.
Our Cybersecurity & Trust and Legal teams
The integrated privacy and security program at Dataminr is managed by our Cybersecurity & Trust and Legal teams. Dataminr has a dedicated internal privacy counsel and a Data Protection Officer (DPO). Additionally, Dataminr maintains a 24/7/365 security operations center (SOC) to ensure continuous customer protection.
How we protect privacy
Privacy impact assessments
We have developed processes for conducting privacy impact assessments, data processing impact assessments and other applicable assessments.
Third-party vendors
We operate a vendor onboarding process that includes conducting risk assessments and performing proper due diligence prior to entering into contractual agreements with vendors.
Data residency
Dataminr is headquartered in the United States with subsidiaries in the United Kingdom, Ireland, France, Germany, Denmark and Australia. Dataminr’s platform is currently hosted on AWS in Northern Virginia, United States.
Data governance
We apply, as appropriate, data protection and privacy principles to Dataminr’s data processing activities, including, without limitation, those addressing confidentiality, limitations on data access and use, data minimization, data security and purpose limitation.
Privacy affiliations
Dataminr’s dedicated privacy and security professionals hold numerous certifications from key organizations such as the Information Systems Audit and Control Association (ISACA) and the International Association of Privacy Professionals (IAPP). Dataminr is a corporate member of the IAPP.
Privacy policy
We make our privacy policy available to data subjects, which provides information on Dataminr and its data processing activities.
General Data Protection Regulation (GDPR)
Dataminr has implemented numerous processes and technologies to ensure GDPR compliance.
California Consumer Privacy Act (CCPA)
Since Dataminr conducts business in the state of California, we are also subject to the California Consumer Privacy Act (CCPA). Dataminr has policies, procedures, and defined responsibilities to ensure compliance with CCPA, as well as mechanisms for appropriate, prompt processing of requests from California residents.
How we provide security
Incident management
Dataminr has implemented a NIST- and SANS-based incident response plan that includes clearly defined roles and responsibilities, communication requirements, and procedures for incident preparation, detection/identification, escalation, containment, eradication, recovery, and lessons learned. Appropriate channels for reporting incidents are communicated and maintained.
Data loss prevention (DLP)
Dataminr has implemented a multi-tiered approach to DLP covering both engineering and corporate information resources. Dataminr’s DLP solution enables systematic detection and prevention of suspicious or inappropriate data handling, creating an additional layer of protection for personal and otherwise confidential data.
Network security
Dataminr utilizes a multi-layered approach to security with extensive use of security groups configured to implicitly deny all traffic and explicitly allow only well-defined, permitted traffic. Additionally, industry-standard WAF technology is maintained to protect Dataminr’s customer applications.
Logging and monitoring
Dataminr conducts infrastructure and application logging utilizing industry-standard software solutions. Intrusion prevention and detection systems are monitored by Dataminr’s 24/7/365 SOC.
Encryption
Dataminr leverages industry-standard encryption technologies to ensure that the confidentiality of personal data is protected. Customer data is encrypted both at rest, utilizing AES-256, and in transit via TLS 1.2.
Threat intelligence
Dataminr utilizes third-party threat intelligence services together with internal analysis to increase awareness and assess relevance to Dataminr’s platform for potential remediation. Real-time threat intelligence information includes, but is not limited to, denial of service, zero day, public exploits and actively exploited vulnerabilities.
Vulnerability and patch management
Internal and external application and network scans are conducted utilizing industry-standard software solutions. Any needed risk treatments are promptly identified, documented, and prioritized according to risk level by qualified personnel.
Availability
Business continuity & disaster recovery
Dataminr maintains business continuity and disaster recovery (BCDR) plans that outline the procedures to be followed in the event of an incident. Redundant availability zones within Dataminr’s AWS infrastructure help to safeguard availability. BCDR testing is conducted at least annually, including a lessons learned component, to inform enhancements as needed.
Access management
Dataminr utilizes cloud infrastructure as a service (IaaS), leveraging a modern containerized micro-service architecture, zero trust network segmentation and industry-standard encryption practices. All data centers incorporate biometric access controls, extensive security cameras and 24/7 security personnel, and maintain a complete log of access events. Access controls are maintained via an automated provisioning system to help ensure that access records remain current.
Dataminr utilizes a strictly need-based approach to managing user access. Unique user identifiers (UUIDs) are required for each individual accessing the platform. Access to Dataminr’s production environment is protected by a VPN with multi-factor authentication (MFA). Dataminr fully supports SAML 2.0 for integration with customer single sign-on (SSO) solutions.
Risk management
Change management
Systems & software development life cycle
Dataminr takes a privacy-and-security-by-design approach throughout the systems and software development life cycle (SDLC). Approval processes, segregation of duties, peer code review, static code analysis, and QA are incorporated as part of the SDLC to help prevent unauthorized or otherwise harmful changes. Dataminr maintains separate test and production environments; client data is not permitted in Dataminr’s test environment.
Configuration management
Configuration baselines are clearly established and enforced throughout the platform, and hardening standards are consistently applied. Reviews and updates of baseline configurations are regularly conducted, and solutions have been implemented to prevent deviations.