Security

Last updated October 1, 2015

Your Acceptance

Dispatch, Inc. (“Dispatch,” “us,” “our,” or “we”) knows that the security of your data is important. Dispatch offers users a simple way for service providers to manage their information and jobs. We offer services through our Dispatch API (our “Service”), mobile applications (our “App”) and our website (“Site”).

To use Dispatch, you are required to create a unique profile called a “Dispatch Account” and share important information with us. In this Security Policy (“Policy”), we describe how we protect the data and information that we obtain from visitors and users of our Service, Site and/or App.

By visiting our Site, using or downloading our App, or using any part of our Service, you agree that your data will be secured as described in this Policy. Your use of our Service, Site or App, and any dispute over data security, is subject to this Policy and our Terms of Service, including its applicable limitations on damages and the resolution of disputes. Dispatch’s Terms of Service are incorporated by reference into this Policy.

Information Security

Dispatch works closely with its partners and clients to prevent unauthorized access to or unauthorized alteration, disclosure or destruction of information. We employ several security controls to encrypt and maintain the integrity of data at rest and in transit.

Product Delivery Model

Dispatch’s solutions are hosted on Amazon Web Services (AWS), specifically the Elastic Compute Cloud (EC2) service. We employ Amazon’s best practices to maintain and restrict access to its systems, networks, websites, and data, including all Customer Information. Data is transferred and accessed using secure protocols including Secure Shell (SSH), SSH File Transfer Protocol (SFTP), Secure Sockets Layer (SSL), and/or Transport Layer Security (TLS). Access to AWS servers and infrastructure is limited, and all AWS servers are regularly updated with appropriate security patches.

Systems Communication and Access

Client applications and platform clients are authenticated via the OAuth2 protocol (more at http://oauth.net/2/). Upon successful authentication, application and client platforms are able to access segmented platform data. Account-level authentication provides access to managing data from multiple belonging organizations, while user-level authentication provides access to the data belonging to one Organization. User operations are logged and monitored. Every environment communicates via the HTTPS protocol to protect sensitive data.

The Dispatch Platform is distributed into Linux containers which have a password-less root-level user. Root-level access is provided via the lead DevOps engineer's public key.

We expose only those servers dedicated to running our Service and Site to public web traffic. Access to non-essential services and unnecessary network ports is blocked or disabled.

Monitoring and Alerting

Our servers are monitored with AWS (Amazon Web Services) CloudWatch monitoring and with Datadog. We use CloudWatch custom metrics for application monitoring as well as metrics derived from other solutions. Our monitoring solutions are monitored automatically and are configured to alert appropriate personnel, who are on call 24/7.

Data Transmission

Client applications and platform clients are authenticated via OAuth2. Upon successful authentication, they get permissions to access their own platform data. Account-level authentication provides access to managing data from multiple belonging organizations, while user-level authentication provides access to the data belonging to one Organization. All user operations are logged. Every environment communicates via the HTTPS protocol to protect sensitive data being transmitted over the internet. Our application servers and databases are located within the same VPC on AWS.

Data Storage

Data is stored on AWS, and within our application instances. Access to database servers is restricted, and all API requests to read or modify data are verified by an authentication challenge and a permission check for legitimate traffic. Account-level authentication provides access to managing data from multiple belonging organizations, while user-level authentication provides access to the data belonging to one Organization.

Data Retention and Disposal

Dispatch retains and stores all data indefinitely. At client request, we will remove data containing personally identifiable information as defined under applicable law from our production environment. Such a request must be made in writing and must detail the scope of the request.

Code Monitoring

Dispatch’s code is secured in centralized GitHub repositories with access granted on an as-needed basis. All code is peer reviewed, includes automated test coverage through Continuous Integration and is quality tested prior to production deployments.

Application Security

Dispatch follows an agile development methodology, with security testing implemented throughout the entire software development lifecycle. We write automated test coverage and utilize continuous integration to validate adherence to strict API and data standards. As needed, Dispatch conducts regular quality, performance, stress, security, and penetration testing.

Issue Resolution

Self-directed FAQ and help can be found on Dispatch’s Zendesk support center. Additionally, questions or issues can be reported by contacting Dispatch through online live chat, email (support@dispatch.me) or by phone. Enterprise clients should directly contact their account manager. We will work to resolve all issues as quickly as possible.

Backup Policy and Disaster Recovery

Data is stored on Amazon Web Services along with our application instances. This includes solutions for temporary application state (locking/caching), and daily database backups.

System Updates and Patching

Dispatch relies on commercially available cloud computing services, including AWS, utilizing automatic notifications for, and the application of, critical security patches. All employee computers must have automatic notifications of updates and security patches enabled. As security patches are made generally available, they are applied immediately.

Change Management

Dispatch iteratively develops and releases its Service, Site and Apps into development, QA and Production environments. All deployments follow a formal release management control process where applications are tested prior to deployment and clients are provided notice of upcoming changes. In the event of failed deployments, changes may be reverted to a previous version.

Employee Training and Background Checks

Dispatch has, and annually updates, its human resources data security policies and procedures to ensure its employees are sufficiently trained to uphold both the spirit and details of the Statement of Privacy and Security Controls. Additionally, Dispatch conducts background checks on all employees to ensure they are trustworthy and capable of working with sensitive data.

Employee Training

All employees are required to read and demonstrate proficiency with the concepts, rules and best practices laid out in the Statement of Privacy and Security Controls. Additionally, annual refresher training is held for all employees.