June 30, 2016
Security at Datto
Datto protects the essential business data of thousands of customers throughout the world who entrust us to ensure their data is secure and readily available when needed. We maintain a comprehensive matrix of safeguards to protect our customers’ data. Data security is at the heart of everything we do and is a priority shared by our more than 600 employees.
We are aware of a story released today about Datto that questions our security practices and makes specific allegations about alleged past security shortcomings. This story is similar in nature to past articles from the same organization, and it is incomplete, inaccurate and includes outright false information. The specific allegations made by an anonymous source who claims to be an ex-employee and a disgruntled former partner are dated and grossly misrepresent Datto’s security practices.
Datto understands the trust our partners and their clients have placed in us. As Datto has grown over the last 9 years, we have regularly taken steps to improve our security practices. We would like to take this chance to reiterate how seriously we take data security and describe our approach to protecting customer data.
Here is a summary of the comprehensive data protection standards we implement to protect our corporate facilities and data in the Datto Cloud:
- Manned security at each of our corporate offices during business hours and periodic inspection of our corporate headquarters by security outside of business hours
- CCTV surveillance at the perimeters of our corporate offices at all times
- Employee keycard access to our corporate offices, enforced by elevator controls and automatic locks at key access points in and around our facilities
- A strict visitor policy that requires all visitors to provide their name and corporate affiliation, sign in and out using an automated procedure and wear a special visitor badge to identify themselves while on our premises
- Strong passwords for desktops and essential corporate services, using a password validation library to ensure that all passwords meet our complexity requirements
- 10-minute inactivity lockout policy on desktops and comprehensive anti-virus software to ensure that employee machines are free of viruses and other malware
- 7-year federal criminal background checks for all employees, taking place before each employee’s start date
Datto Cloud and Data Centers
- Administrative access to the Datto Cloud is restricted to company employees with a need to access such services
- Two-factor authentication for employees performing administrative functions on Datto Cloud servers
- Centralized logs of all administrative employee access to and commands run on Datto Cloud servers
- Web application firewalls, network firewalls and file integrity monitoring for all Datto Cloud servers
- Centralized configuration management software to ensure that the storage servers that make up the Datto Cloud are properly patched and configured according to our strict information security standards
- Quarterly network vulnerability scans, using third party software, and annual independent third-party penetration tests of Datto Cloud infrastructure
- Manual reviews by multiple developers of all code before it is accepted into our repositories, followed by functional testing, both manual and automatic, in a separate test environment before code is released to production
- 24/7/365 manned security, strict access protocols, video camera surveillance, and multi-factor authentication at our Datto Cloud data centers, all of which have been independently audited for their controls and have completed SOC1, SOC2 and/or SSAE 16 audits
Datto’s Partners also have an important role to play in protecting their customers’ data. Our Partners have a shared responsibility with us to help make sure that our clients’ data is secure both on local Datto devices and in the Datto Cloud. Partner best-practices include:
- Using secure passphrases to control access to Datto devices and Datto Partner Portals, and ensuring such passphrases are not shared with unauthorized parties
- Restricting access to the device management section of Datto’s Partner portal to personnel for whom such access is appropriate
- Selecting devices and services that have features appropriate for each end user’s unique circumstances, and configuring devices with private cloud and local only service as appropriate
- Configuring device features in a secure manner, enabling local encryption and remote logging, where necessary to protect customer data
- Applying device software updates: Routine device software updates are applied automatically and without partner intervention. However, larger updates that may require a device reboot or may impact device services (such as operating system version updates) are applied by partners. These updates should be scheduled as soon as practical, given the specific needs of a partner's clients
- Protecting virtual machines with appropriate controls, including network and web application firewalls, where needed to protect end user environments
- Exporting customer data in a secure manner, including using appropriate protocols for data exports and requesting appropriate encryption for reverse round trips
- Unmounting and removing virtual machines and file restores as soon as they are no longer necessary for DR or testing purposes
- Placing local devices in a secure place in the end user’s environment and working with end users to ensure that they are physically secure
- Considering penetration tests and network scans of end users’ local environments to ensure that they are secure as a whole
- Having end user permission to manage and administer their data and the Datto service and doing so in a manner consistent with the needs and expressed wishes of each end user
Datto stands behind our comprehensive security framework. We strive to work with our Partners to protect the security of end users’ data. We will continue to proactively improve our security technologies, processes and procedures to support our Partners and stay ahead of the continually evolving security threat.
Thank you for being a Datto partner and working together with us to deliver a world class data protection service.