Home Privacy & Compliance Data Security

Data Security & Infrastructure

🛡️ SOC 2 Type II Certified
📅 Last Updated: May 22, 2025 👤 Security Operations Team 📄 Document ID: SEC-2025-006

At DirConnect Directory, the security and privacy of our users, business listings, and platform data are our highest priorities. As a directory managing millions of records including Personally Identifiable Information (PII), financial transactions, and sensitive business intelligence, we employ an industry-leading security posture.

This document outlines the technical and organizational measures we implement to protect data against unauthorized access, alteration, disclosure, or destruction.

🔒 Our Commitment We adhere to a "Security by Design" methodology, integrating security controls into every phase of our development lifecycle (SDLC) and infrastructure management.

Encryption Standards

We utilize military-grade encryption protocols to secure data both in transit and at rest.

  • Data in Transit: All traffic between clients and DirConnect servers is encrypted using TLS 1.3. We enforce HTTPS across all subdomains and API endpoints.
  • Data at Rest: Databases, backups, and object storage are encrypted using AES-256. Encryption keys are managed via AWS KMS (Key Management Service) with automatic rotation.
  • Tokenization: Sensitive payment data is never stored on our primary servers. We utilize PCI-DSS compliant tokenization via Stripe and Braintree.
TLS_VERSION = 1.3 ENCRYPTION_ALGO = AES-256-GCM CERT_MANAGER = Let's Encrypt / DigiCert EV KEY_ROTATION = Automatic / 90 Days

Access Control & Identity Management

Access to DirConnect systems is governed by the Principle of Least Privilege (PoLP). Only authorized personnel with a legitimate business need can access production environments.

Multi-Factor Authentication (MFA)

MFA is mandatory for all employee accounts accessing internal systems, databases, and cloud consoles. We support TOTP, hardware keys (YubiKey), and FIDO2 standards.

Role-Based Access Control (RBAC)

User roles are strictly segmented. Access levels include:

RoleAccess LevelScope
ViewerRead-OnlyLogs, Dashboards
EditorRead/WriteSpecific Collections
AdminFull AccessConfiguration, User Mgmt
RootEmergency OnlyBreak-glass scenarios

Infrastructure Security

DirConnect is hosted on AWS (Amazon Web Services) using a multi-region architecture for high availability and disaster recovery.

  • VPC Isolation: Our infrastructure runs within isolated Virtual Private Clouds with strict subnet segmentation (Public, Private, DMZ).
  • WAF & DDoS Protection: We deploy AWS Web Application Firewall (WAF) and Shield Advanced to mitigate DDoS attacks, SQL injection, and XSS vulnerabilities.
  • Automated Patching: Serverless architectures and containerized microservices are updated automatically via CI/CD pipelines to ensure the latest security patches.
  • Vulnerability Scanning: Continuous scanning via Snyk and Qualys for code dependencies and infrastructure misconfigurations.

Compliance & Regulations

DirConnect is committed to complying with global data protection regulations. Our frameworks include:

  • GDPR (General Data Protection Regulation): We provide tools for data subject access requests (DSAR), rectification, and right to be forgotten.
  • CCPA/CPRA (California Consumer Privacy Act): California residents can exercise their right to opt-out of the sale of personal information.
  • SOC 2 Type II: Independently audited annually for Security, Availability, and Confidentiality.
  • PCI-DSS: Compliant Level 1 for handling credit card transactions.
✅ Audit Reports Available Enterprise clients and partners can request our latest SOC 2 report via our Trust Center after signing an NDA.

Data Retention Policy

We retain data only as long as necessary to fulfill the purposes for which it was collected. Standard retention periods include:

  • Active User Data: Retained indefinitely until deletion requested.
  • Business Listings: Retained while account is active; archived after 90 days of inactivity.
  • Logs & Analytics: Aggregated logs stored for 12 months; raw IP logs purged after 30 days.
  • Payment Records: Retained for 7 years per financial regulations.

Third-Party Integrations

We carefully vet third-party vendors. All integrations undergo security risk assessments before implementation. Current key partners include:

  • Payments: Stripe, Braintree
  • Communication: Twilio, SendGrid
  • Analytics: Google Analytics (Privacy-enhanced mode)
  • Maps: Mapbox

Incident Response

Our Incident Response Team (IRT) operates 24/7. We follow the NIST Cybersecurity Framework for incident handling:

  1. Preparation: Continuous monitoring and threat modeling.
  2. Detection: SIEM alerts, anomaly detection, and user reports.
  3. Containment: Isolation of affected systems to prevent lateral movement.
  4. Remediation: Eradication of threats and system restoration.
  5. Recovery: Verification of integrity and return to normal operations.
  6. Post-Incident: Root cause analysis and process improvement.

Security FAQ

Do you sell my data? No. DirConnect never sells personal data to third-party advertisers. We may anonymize aggregated trends for industry reports, but no individual data is shared.
How can I delete my account? You can delete your account via Settings > Privacy > Delete Account. This action is irreversible and will purge your PII within 30 days.
Is my business listing public? Yes, directory listings are public by default. However, sensitive backend data (invoices, admin credentials, contact emails) are strictly access-controlled.

Found a Security Vulnerability?

We welcome responsible disclosure. Please report issues to our security team immediately.

📧 security@dirconnect.com