Evalato is designed with hands down the best security practices to keep data safe.
High-end data security
Data is securely stored in the Amsterdam (Netherlands) data centers of DigitalOcean, Inc. DigitalOcean is certified against the international ISO/IEC 27001:2013 information security standard and is fully PCI DSS compliant. The servers have SOC 2 Type II reporting, a global standard for data privacy and security, and are monitored 24/7/365 to prevent unauthorized access.
- 24/7 Physical security guard services
- Physical entry restrictions to the property and the facility
- Physical entry restrictions to the co-located datacenter within the facility
- Full CCTV coverage externally and internally for the facility
- Biometric readers with two-factor authentication
- Facilities are unmarked so as not to draw attention from the outside
- Battery and generator backup
- Generator fuel carrier redundancy
- Secure loading zones for delivery of equipment
Evalato is fully PCI DSS compliant and integrates with third-party payment gateways for credit card payment processing. We don’t store any credit card details, raw magnetic stripe data, card validation codes, or PIN block data – that information is passed from the person making the payment directly to the payment gateway for processing. The payment gateways we’ve integrated are certified Level 1 PCI DSS compliant service providers.
- Multiple encryption keys with dual control and split knowledge make stolen data unusable without the keys.
- Complete activity monitoring to guard against suspicious or unauthorized activities.
- Quarterly automated vulnerability scans.
- Annual extended penetration testing conducted by outside sources.
SendGrid maintains the email servers and infrastructure for all communication sent through Evalato, ensuring the highest deliverability and protection for your emails. SendGrid holds EU-U.S. and Swiss-U.S. Privacy Shield certifications, as well as SSAE 16 SOC 2 Type II reporting for data privacy and security.
- A dedicated team ensures your email communication is on the cutting edge of compliance and delivery.
- Immediate action is taken against accounts with signs of suspicious activity.
- All data in transit is encrypted using TLS.
- An independent penetration test is conducted on an annual basis.
- Security logs are kept for 365 days.
Evalato is fully compliant with the EU General Data Protection Regulation (GDPR). You can find the Data Processing Agreement here. You, as the program organizer, can add consent options for your programs’ registration process, download user data for information requests, or permanently delete user data.
- Your program registrants’ profiles are additionally protected by a unique PIN code.
- You alone own all program data; we don’t contact or market to your customers – ever.
- You can request a data wipe at any time.
We use the TLS 1.2 (Transport Layer Security) protocol with 256-bit encryption keys to provide privacy, protect data, and preserve its integrity for you and your customers. We utilize monitoring and analytics capabilities to identify potentially malicious activity. System behavior is monitored for suspicious activity, and we have response procedures in place in case of an incident report.
Data is backed up several times a day to multiple remote locations, so that in the unlikely event of data loss, information is quickly restored. Our backups are stored on an internal, non-publicly visible network on NAS/SAN servers. We are dedicated to keeping downtime to a minimum, and the service successfully maintains an uptime of 99.98%.
To ensure maximum protection of data, our support staff do not have access to the data, nor direct access to the NAS/SAN storage systems where snapshots and backup images reside.
- Access to your information is highly restricted and is limited to select senior support staff members.
- We’ve established training programs to ensure that personnel understand their responsibilities regarding data security.
- We do background checks and our employees are required to sign confidentiality agreements.
- Personnel access to network resources and secure areas is terminated when a person is no longer an employee or no longer needs access.