Security

Security is not a feature at DARTRi Solutions. It is the foundation. Every system we build, every tool we deploy, every process we follow, and every decision we make is evaluated through a security lens. We build for clients who cannot afford to be compromised. This document describes the technical, administrative, and physical safeguards we employ to protect your data and our infrastructure.

Our infrastructure is designed on defense-in-depth principles with multiple overlapping layers of protection:

• TLS 1.3 enforced for all data in transit with no fallback to deprecated protocols
• AES-256 encryption at rest for all stored data, including backups and archives
• Network segmentation with micro-perimeter controls isolating each client environment
• Web Application Firewall (WAF) with custom rulesets tuned to each deployment
• DDoS mitigation at the network edge with automatic traffic scrubbing and rate limiting
• Immutable infrastructure: servers are provisioned from hardened images and replaced rather than patched in place
• Automated vulnerability scanning across all infrastructure components on a continuous basis
• Geographic redundancy with automated failover and multi-region backup replication
• Hardened container orchestration with read-only filesystems, dropped capabilities, and non-root execution
• DNS security extensions (DNSSEC) and Certificate Authority Authorization (CAA) records enforced

Security is embedded throughout our software development lifecycle (SDLC):

• Threat modeling performed during the design phase of every project
• Secure-by-default architecture: least-privilege access, fail-closed logic, defense in depth
• Input validation and output encoding at every trust boundary
• Parameterized queries and ORM usage to prevent SQL injection; raw queries are prohibited
• Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and other security headers enforced on all web applications
• Protection against OWASP Top 10 and CWE Top 25 vulnerability classes
• Static Application Security Testing (SAST) integrated into CI/CD pipelines
• Dynamic Application Security Testing (DAST) performed in staging environments before deployment
• Software Composition Analysis (SCA) for automated dependency vulnerability detection
• Mandatory code review by at least one additional engineer before merge to production
• Signed commits and verified build artifacts with reproducible build pipelines
• Automated secret scanning to prevent credential leakage in source code and configuration

We enforce strict access controls across all systems and environments:

• Role-Based Access Control (RBAC) with least-privilege principles and no standing admin access
• Multi-factor authentication (MFA) required for all internal accounts without exception
• Just-in-time (JIT) privileged access with automatic expiration and full audit trails
• Single Sign-On (SSO) with SAML 2.0 / OIDC for centralized authentication
• Automated access reviews conducted quarterly; dormant accounts are disabled after 30 days of inactivity
• SSH key rotation enforced on a regular cadence; password-based SSH is disabled
• API keys and service credentials are rotated regularly and stored in hardware-backed secret management systems
• All access to production environments is logged with tamper-evident audit trails

Client data is handled with the highest level of care and segregation:

• Strict tenant isolation: client data is logically and/or physically segregated at the database, storage, and network levels
• Production data is never used in development, staging, or testing environments. Synthetic or anonymized data is used instead
• Data classification framework applied to all information assets: public, internal, confidential, restricted
• Encrypted backups performed daily with point-in-time recovery capability
• Backup integrity verified through automated restoration testing on a regular schedule
• Secure data destruction procedures for all end-of-life media and decommissioned storage, including cryptographic erasure and certificate of destruction where applicable
• Data Loss Prevention (DLP) controls to prevent unauthorized exfiltration of sensitive data
• All data transfers between systems use encrypted channels with certificate pinning where supported

We maintain a documented, tested incident response plan with defined roles, escalation paths, and communication procedures. Our incident response commitments:

• Detection and initial containment: within 4 hours of identification
• Preliminary impact assessment and severity classification: within 12 hours
• Client notification for incidents affecting their data or services: within 24 hours
• Full post-incident report with root cause analysis, impact assessment, timeline, and remediation steps: within 72 hours
• Remediation verification and lessons-learned review: within 14 days
• Incident response tabletop exercises conducted semi-annually to validate procedures
• Compliance with all applicable breach notification laws including GDPR (72-hour notification to supervisory authority), state breach notification statutes, and contractual obligations

We design and operate all systems with availability and resilience as core requirements:

• Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined per system based on criticality, typically RTO under 4 hours and RPO under 1 hour for critical systems
• Automated failover to secondary regions for critical infrastructure components
• Backup replication to geographically separate locations with encryption in transit and at rest
• Automated backup restoration testing to verify recoverability
• Documented disaster recovery procedures with defined roles and escalation paths
• Annual disaster recovery drills simulating real-world failure scenarios
• Redundant communication channels for coordination during incidents

Third-party services and dependencies are evaluated and monitored throughout their lifecycle:

• Security assessment of all third-party vendors before integration, including review of certifications, audit reports, and data handling practices
• Vendor risk register maintained with periodic reassessments on at least an annual basis
• Software Bill of Materials (SBOM) maintained for all deployed applications
• Automated dependency vulnerability scanning with alerts for newly disclosed CVEs
• Strict evaluation criteria for open-source dependencies: maintenance activity, security track record, license compatibility, and community size
• Third-party API integrations use scoped credentials with minimum required permissions
• Data Processing Agreements (DPAs) executed with all vendors that process personal data

We maintain comprehensive observability across all systems:

• Centralized log aggregation with real-time correlation and anomaly detection
• Security Information and Event Management (SIEM) with custom detection rules
• Real-time alerting for suspicious authentication attempts, privilege escalations, and policy violations
• Network traffic analysis for lateral movement detection and data exfiltration attempts
• File integrity monitoring on critical system files and configurations
• Immutable, append-only log storage to prevent tampering or deletion
• Log retention periods aligned with compliance requirements, with a minimum of 12 months for security events
• Regular review and tuning of detection rules to reduce false positives and improve coverage

Where applicable, we maintain physical security controls for any on-premises infrastructure and office environments:

• Cloud infrastructure providers selected based on SOC 2 Type II, ISO 27001, and other relevant certifications
• Physical access to data center facilities restricted to authorized personnel with multi-factor authentication and biometric verification
• Office environments secured with access controls, visitor logging, and clean-desk policies
• Secure disposal of physical media containing sensitive information
• Environmental controls including fire suppression, climate control, and redundant power in data center facilities

Our team is our first line of defense:

• Background checks conducted for all employees and contractors with access to client data or production systems
• Security awareness training required during onboarding and refreshed annually
• Phishing simulation exercises conducted regularly to test and reinforce training
• Confidentiality and acceptable use agreements signed by all personnel before access is granted
• Immediate access revocation upon termination or role change, enforced through automated provisioning systems
• Security-focused engineering culture with incentives for identifying and reporting vulnerabilities

We align our security practices with recognized frameworks and maintain compliance with applicable regulations:

• SOC 2 Type II principles applied across our control environment
• GDPR compliance for processing of European personal data
• CCPA/CPRA compliance for California resident data
• OWASP Application Security Verification Standard (ASVS) followed for application development
• NIST Cybersecurity Framework (CSF) used as the foundation for our security program
• Annual security assessments conducted by independent third parties
• Compliance documentation available to clients under NDA upon request

We welcome and encourage responsible disclosure of security vulnerabilities. If you discover a security issue in any of our systems, please report it to security@dartri.com with the subject line "Security Vulnerability". Please include a detailed description of the vulnerability, steps to reproduce, potential impact, and any suggested remediation. Our commitments to researchers: acknowledgment of your report within 24 hours, an initial assessment and severity classification within 72 hours, regular status updates until resolution, public credit (if desired) in our security acknowledgments. We will not take legal action against security researchers acting in good faith who comply with this policy, make a good-faith effort to avoid privacy violations and data destruction, and do not exploit vulnerabilities beyond what is necessary to demonstrate the issue.

Security is a shared responsibility. We ask our clients to uphold their part by:

• Maintaining the confidentiality of all account credentials, API keys, and access tokens
• Using strong, unique passwords and enabling MFA on all accounts
• Promptly reporting any suspected security incidents, unauthorized access, or credential compromise to security@dartri.com
• Keeping all client-managed systems, libraries, and dependencies up to date with security patches
• Following the security guidelines and best practices provided during onboarding and in project documentation
• Restricting access to DARTRi Solutions-provided systems and deliverables to authorized personnel only
• Conducting their own security testing only with prior written authorization and coordination with our team
• Promptly notifying us of any changes to their security posture that may affect integrated systems

This security policy is reviewed and updated at least annually, or more frequently in response to changes in our technology, threat landscape, regulatory requirements, or operational practices. Material changes will be communicated to clients via email. Previous versions are available upon request.

For security questions, to report vulnerabilities, to request our security documentation, or to discuss specific security requirements for your engagement, contact security@dartri.com. For general legal inquiries: legal@dartri.com. We aim to respond to all security inquiries within one business day.