Security Overview of Ditto Technologies, Inc.
Ditto takes security very seriously. As such, we have taken great care to protect our customers’ data from the perspective of transmission, storage, and access control.
All user data is de-identified by Ditto upon receipt: any identifying information is replaced with a substitute identifier, so that no one handling the recorded images and metadata can associate them with personally identifiable information through that identifier (in GDPR terms this is pseudonymization, since the record still exists under the substitute key). Specifically, Ditto generates a randomized 40-character hexadecimal identifier (160 bits) to associate with a given set of customer images and recommendations metadata. Note that a 40-hex-character value is not a UUID, which is 128 bits (32 hex characters); the identifier is simply a random string of that length.
To comply with both GDPR and HIPAA, data transmission to and from Ditto’s API servers is encrypted and authenticated (TLS). Our authentication system issues you a private security key, which you use to generate time-bound authentication tokens for each request; the key itself never has to be sent to Ditto, so your PII stays in your hands and in the hands of your consumers. Finally, Ditto stores data in encrypted AWS S3 buckets, addressing the encryption-at-rest expectations of both GDPR (Article 32) and HIPAA.
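The description above (a private key held by the customer, used to mint short-lived tokens per request) is the familiar HMAC-signed, expiring request-token pattern. The following is an added illustration written for this page, not Ditto’s actual code or token format: it assumes an HMAC-SHA256 scheme over the request method, path and an expiry timestamp, with the token being `expiry.hexmac`. The function names, the `DEMO_SECRET` value and the 300-second lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac

# Constructed demo key. A real key would be issued out of band and kept
# only on the client; it is never transmitted with the request.
DEMO_SECRET = bytes.fromhex("3f6b2c9a1d8e7f40b5c6a2d3e4f5061728394a5b6c7d8e9f0a1b2c3d4e5f6071")

DEFAULT_TTL = 300      # token lifetime in seconds (assumed)
CLOCK_SKEW = 30        # tolerance for client/server clock drift (assumed)


def _message(expiry: int, method: str, path: str) -> bytes:
    # Bind the token to what it authorizes, so it cannot be replayed against
    # a different endpoint. Newline separators avoid ambiguous concatenation.
    return f"{expiry}\n{method.upper()}\n{path}".encode()


def make_token(secret: bytes, method: str, path: str, now: int, ttl: int = DEFAULT_TTL) -> str:
    """Client side: mint a token valid for `ttl` seconds from `now`."""
    expiry = now + ttl
    mac = hmac.new(secret, _message(expiry, method, path), hashlib.sha256).hexdigest()
    return f"{expiry}.{mac}"


def verify_token(secret: bytes, token: str, method: str, path: str, now: int,
                 skew: int = CLOCK_SKEW) -> bool:
    """Server side: reject malformed, expired, or forged tokens."""
    try:
        expiry_str, mac = token.split(".", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False                       # malformed token
    if now > expiry + skew:
        return False                       # expired (beyond skew tolerance)
    expected = hmac.new(secret, _message(expiry, method, path), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == leaks timing about the MAC prefix.
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = make_token(DEMO_SECRET, "POST", "/v1/images", t0)
    print(tok)
    print("fresh:", verify_token(DEMO_SECRET, tok, "POST", "/v1/images", t0 + 100))
    print("stale:", verify_token(DEMO_SECRET, tok, "POST", "/v1/images", t0 + 400))
    print("wrong path:", verify_token(DEMO_SECRET, tok, "POST", "/v1/other", t0 + 100))
```

Two points worth checking in any implementation of this pattern: the token must be bound to the request it authorizes (here, method and path), otherwise a captured token can be replayed against another endpoint before it expires; and the expiry check must happen on the server with its own clock, not be trusted from the client. Tokens of this kind still need TLS on the wire, since they are bearer credentials for their lifetime.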
Data repositories are accessible only over authenticated and encrypted protocols (SSH and TLS) from our virtual private network. Each employee workstation and laptop is configured with full-disk encryption enabled, anti-virus software, and baseline hardening measures (e.g., automatic screen lock and strong passwords). To foster a culture of security vigilance, HIPAA and PII-safeguard training is a required part of our employee on-boarding process.
Ditto uses subcontractors to process some of its data. The following is a list of Authorized Subcontractors that may process personal data:
- Amazon Web Services, Inc.
- Google, Inc.
- Segment.io, Inc.