All new employees receive onboarding and systems training. This training is completed annually by employees and training compliance is monitored.
The main topics covered in security training are:
Intrro has a comprehensive set of risk management principles, policies and procedures in place to identify new business and technical risks, and put plans in place to mitigate those risks.
Intrro believes that effective risk management involves:
Intrro maintains a comprehensive set of organizational security policies that must be agreed to by all employees annually.
All policies are reviewed and approved by management annually. Employees who violate any policies may face disciplinary consequences in proportion to their violation.
Policies are maintained on the following topics:
A copy of these policies can be made available to Intrro Enterprise customers on request.
Intrro relies on vendors to perform a variety of services, some of which are critical for operations. Intrro aims to manage its relationship with vendors and manage the risk associated with engaging third parties to perform services.
Intrro conducts due diligence on an individual vendor's security, business practices, and legal commitments. Intrro's vendor management policy provides a framework for managing the lifecycle of vendor relationships.
Intrro utilizes some vendors as data subprocessors to provide the Intrro services. Intrro takes a risk-based approach to selecting data subprocessors based on the security and business practices of these vendors. To minimize our risk and the risk to our customers, we aim to utilize as few data subprocessors as possible to provide the Intrro services.
Intrro's data subprocessors are listed at Data subprocessors.
All employee and contractor agreements include a confidentiality agreement.
All employees agree during and after employment that they will:
On termination of employment, all employees must return all confidential information and must permanently erase all confidential information stored on any device.
Intrro has an asset management policy in place to protect data that is stored and accessible via endpoints, such as company workstations and laptops.
All corporate endpoints are protected against internal threats and local vulnerabilities using AWS Systems Manager and Vanta. All devices are continuously monitored for the following checks:
All corporate devices are also enrolled in mobile device management (MDM), which lets Intrro remotely manage assets to ensure compliance with configuration standards and remotely lock and erase a device in the event it is lost or stolen.
All corporate wireless networks, including both corporate and guest networks, encrypt data in transit using WPA2-AES encryption. Guest network traffic and access is separated from corporate network traffic and access.
Corporate networks are protected with Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) to block malicious traffic and actors attempting to access Dovetail's corporate network.
Intrro prohibits the use of removable media and offline backups to mitigate both the risk of data loss and the risk of malware being introduced.
Can my organization request to modify the DPA?
We are unable to accept modifications to our DPA.
Have you adopted the new Standard Contractual Clauses?
Yes. In light of the new Standard Contractual Clauses adopted and approved by the European Commission, we have updated our DPA to incorporate the SCCs. You can learn more at New SCCs & the GDPR.