Privacy and data security are two of the biggest issues facing businesses today. Research puts the global average cost of a data breach at $3.9 million, and every high-profile breach or misuse of personal data erodes the trust between employees and the organisations that collect and hold their data. Some of the most security-conscious organisations in the world trust Darwin, including banks, defence contractors and technology companies. Each of them chose us for its own reasons, but common to all of them is confidence that their employees’ sensitive data is kept safe and secure.
Darwin is hosted by our enterprise data hosting partner NaviSite, whose data centres are ISO 27001 certified and hold SOC 1 and SOC 2 attestation reports. We have invested in a private cloud solution to provide greater capacity and security for our clients. This means that every piece of infrastructure Darwin runs on is dedicated to our use only: there are no other tenants sharing the hardware, which lets us manage and isolate our resources more effectively.
One of the reasons we have partnered with NaviSite is that they operate Tier 3 data centres. These offer an expected availability of around 99.98%, ensuring minimal downtime for our clients and allowing us to meet our Recovery Time Objectives and Recovery Point Objectives. We also have a number of Tier 4 controls in place for even greater resilience, such as back-up power supplies and additional power generators.
We have a rigorous security infrastructure, led and enforced by our dedicated Information Security team. Our Information Security Management System (ISMS) is aligned to our ISO 27001:2013 certification. Our business undergoes twice-yearly vulnerability assessment and penetration testing (including the Darwin platform), and any findings are remediated in accordance with the remediation processes and policies that form part of our ISMS.
Darwin is protected by current security technologies, including an enterprise-grade web application firewall (WAF), intrusion prevention and detection systems (IPS and IDS) and anti-virus monitoring, both at NaviSite’s data centres and within Darwin’s own internal architecture. NaviSite also maintains stringent physical security arrangements, including security guards, dedicated CCTV and fingerprint and iris scanners. We perform internal audits annually and are audited every year by our external certification body.
Our Information Security Policy is owned by the Head of Information Security and reviewed by our Chief Executive Officer. The policies are reviewed and published at least annually as part of our internal audit requirements, and are available for reference and use at all times.
Darwin is fully compliant with the European Union’s General Data Protection Regulation (GDPR). Darwin includes several features that support compliance, including fully auditable capture of employee consent, data minimisation, and clear instructions on how employees can exercise their rights under GDPR. Darwin collects, processes and stores personally identifiable information (PII) on behalf of our clients and their employees. The security of this data is therefore central to what we do: it must be protected to give our clients assurance, and to demonstrate to regulators and auditors that we have adequate controls in place to protect it.