Our security and compliance

DryvIQ maintains an Information Security Management System to ensure the confidentiality, integrity, and availability of all computer and data communication systems while meeting the necessary legislative, industry, and contractual requirements.

The safety and security of your data are paramount. We combine comprehensive audits of our application, internal systems, and networks to ensure that client data is continually protected.

SOC 2 Type II
ISO 27001

SOC 2 Type II Compliance

DryvIQ has achieved SOC 2 compliance. A System and Organization Controls 2 Type II Examination (SOC 2) provides a report on the certified organization’s internal controls and how it protects customer data and sensitive information. It is the standard for data security among digital companies in the U.S. This successful completion of the SOC 2 audit validates DryvIQ’s unwavering commitment to classifying, managing, and protecting unstructured data for the world’s largest organizations.

DryvIQ’s SOC 2 audit was completed by Insight Assurance. Upon request, DryvIQ customers, prospects, and partners may obtain a copy of the SOC 2 Report. 

ISO Compliant

DryvIQ policies, procedures, and standards are based on the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001. In addition, we use an independent third-party body to audit our compliance with leading industry standards annually.

This includes:

  • Development and implementation of a rigorous security system.
  • Building a risk management program.
  • Completing incident response plans for any potential data breaches.
  • Undergoing independent assessment to an international standard based on industry best practices.
  • Undergoing regular independent security audits.

DryvIQ has a current ISO report for our platform. To request a confidential copy of DryvIQ’s ISO report, please contact us.

  • All connections to DryvIQ are encrypted.
  • All customer data is encrypted in transit and at rest.
  • Data access and authorizations are provided using the best practice of least-privilege access.
  • We conduct penetration testing by a third party at least annually in addition to our in-house product testing.
  • DryvIQ logins require strong passwords, which are salted, hashed, and stored in an isolated, tenant-specific database.
  • Code scanning, vulnerability scans, and penetration testing are performed, as well as internal code reviews, and reports are sent in through our security email address.
  • DryvIQ maintains a formal incident response plan for major events.

All DryvIQ audit information is stored within an isolated and encrypted customer database.

This data is surfaced within the Monitor and Configuration Apps. The audit contains a historical record of all operations and events that took place within the environment. DryvIQ does not have access to this data unless explicitly shared with us by the customer.

Security policies & software development lifecycle

We maintain clear internal security policies.

Our security policies are maintained, communicated, and approved by management to ensure that everyone clearly knows their security responsibilities.

Through our ISMS, we maintain continuous improvement of our incident plans after each execution.

DryvIQ policies are reviewed annually as a part of our ISO audit by an external auditor.

This is supported by periodic internal audits.

DryvIQ follows a well-defined Software Development Life Cycle (SDLC).

Our product engineering teams follow an agile (Kanban) development process with software updates being pushed every 8-12 weeks.

  • Every change set follows a peer review process and checklist to identify potential security vulnerabilities. Any code sections that deal specifically with security receive a detailed review from the Chief Architect.
  • DryvIQ executes static code analysis regularly to ensure that we are not using any 3rd party dependencies that contain known vulnerabilities.
  • Prior to general availability (GA) for major software updates, DryvIQ engages with a 3rd party security consulting company to test for security vulnerabilities.

DryvIQ engineers participate in secure code training.

At least annually, our engineers participate in secure code training covering OWASP Top 10 security vulnerabilities and common attack vectors.

Internal security and vetting of our employees is an ongoing process, including: background checks, personal assessment by multiple (management) team members within the company, continuous reassessment in the team, non-disclosure agreements, and standard employment contracts.