Security & Compliance

Dive is a platform for virtual meetings that provides meetings management as a service. Our platform creates a seamless experience to set up, manage and organize meetings by integrating securely with meeting providers.

Our software is designed to request the most limited access to customer resources needed to achieve a seamless virtual meeting experience. We are continuously mindful of our customers’ privacy and limit internal access to all customer data on a need-to-know basis.


Dive applies security best practices by retaining a minimal amount of customer data and operating with the fewest privileges necessary to provide a great experience to our users.


This document is meant to be an overview of platform-related privacy, security, and compliance.


Key Highlights of our Security Enablement program guide

  • SOC 2 Compliance
  • Annual 3rd Party VAPT
  • Server uptime monitoring (see status page)
  • Ongoing Vulnerability Scans
  • Intrusion Detection Systems (IDS)
  • Firewalls and encryption on our server infrastructure
  • Protection of company personnel equipment (encrypted drives, virus scanners, ...)


Calendar Integrations

Dive Google Calendar Plugin

A Dive user may use the Google Calendar integration to connect their calendar with Dive to simplify managing meetings. Dive is built to access only the minimum data needed from connected calendars to deliver its service. For example, the Dive application only checks for the events scheduled in your calendar and their participants so that they can be populated on the Meetings page. Dive is designed not to store the details of the events in your calendar, including who you are meeting with, their email, the meeting title or any other details about the events in your calendar.

Dive Outlook Plug-in

A Dive user may use the Outlook integration to connect their calendar with Dive to simplify managing meetings. Dive is built to access only the minimum data needed from connected calendars to deliver its service. For example, the Dive application only checks for the events scheduled in your calendar and their participants so that they can be populated on the Meetings page. Dive is designed not to store the details of the events in your calendar, including who you are meeting with, their email, the meeting title or any other details about the events in your calendar.


Authenticating with calendar integrations

We avoid collecting third-party passwords by using OAuth authentication with Outlook and Google Calendar. Dive users can disconnect their calendar connection at any time through the Integrations page within their account.



Product Security

SSO & Multi-Factor Authentication / Basic Authentication:

Dive currently supports signing into its product through Google, Slack, Zoom or Microsoft Single Sign-on (SSO), or with email/password.


If you currently have multi-factor authentication enabled on your Google, Microsoft, Slack or Zoom account, the same protection applies when you use those credentials to log into Dive.


User Permissions and Roles in Product:

Dive allows for the designation of various roles within its product, including administrator roles, manager roles and individual-contributor roles. This permissioning ensures that important information is seen by the appropriate people and that organization-wide functions such as billing, account-wide templates and user management are accessible only to administrators.


Software Development Practices and Security

Dive has secure software development practices in place, outlined in its software development lifecycle documentation. Code reviews with an emphasis on security, automated tests and manual tests all take place before code is shipped to production. We further have separate environments for development, staging and production and do not use production data in staging or development. A full continuous integration (CI) pipeline ensures that our complete suite of tests is run before a production deploy.



Network and Application Security

Dive Server Infrastructure

The Dive application is hosted on Amazon Web Services (AWS) and Google Cloud Services (GCS). AWS and GCS data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

For additional information see:

https://cloud.google.com/security

https://aws.amazon.com/security/


Backup of Data

Dive backs up all data on its system using AWS and retains backups for a period of 30 days. This allows the team to restore information in the event of a hardware failure. Notifications and monitoring have also been set up to ensure that these services continue to run as expected.


Encryption

  • All connections from the browser to the Dive platform are encrypted in transit using TLS SHA-256 with RSA Encryption.
  • All data is encrypted at rest.
  • Dive user passwords are stored as salted password hashes.
  • All data is encrypted in transit using TLS. Data stored at rest in the underlying storage is encrypted including automated backups, read replicas, and sn

Disaster Recovery & Business Continuity

Dive has a business continuity plan in addition to a disaster recovery plan in place so that our staff is ready to continue to serve customers even in the most unlikely of events.


Dive can use multiple availability zones within the AWS infrastructure to spin up new servers in other locations in the event of a failure in a particular zone. Furthermore, Dive has a disaster recovery plan and policy in place that is tested regularly to ensure that our procedure stays up to date.

Vulnerability Management

We keep our systems up to date with the latest security patches and continuously monitor for new vulnerabilities through compliance and security mailing lists. This includes automatic scanning of our code repositories for vulnerable dependencies. All of our services run in containers that isolate processes, memory, and the file system using LXC, while host-based firewalls restrict applications from establishing local network connections. The services are configured with tight network security constraints to further limit any potential risk. Both AWS and GCS regularly conduct internal vulnerability assessments and patch the underlying systems.


Endpoint Monitoring

Dive uses a centralized endpoint security solution and ensures that all devices are up to date, free of malware, and encrypted.


Vulnerability Scans

Dive undergoes third-party vulnerability scans daily, ensuring that no vulnerabilities exist in our systems. Where vulnerabilities are identified, they are remediated immediately.


Static Code Scans

Dive uses static code analysis tools for our backend systems and APIs as part of our CI/CD pipeline, ensuring no code is deployed without passing checks for potential vulnerabilities and anti-patterns.


Third-Party Penetration Testing

Dive commissions penetration tests from external security firms at least annually, ensuring that our software remains secure. Any vulnerabilities found are remediated in short order.


Incident Response Plan

Identification

Dive routinely monitors our external services and open source libraries for security issues and has executed Data Processing Addendums (DPAs) with our vendors to ensure prompt notification of data breaches. Dive continuously scans its platform for service interruptions, performance degradation, and security vulnerabilities with automated tools that immediately alert our engineers when an incident is detected. Users may also report security issues to engineering@letsdive.io.

Containment

Whenever our engineering team is alerted to a security issue, the team determines which systems are affected and quickly contains the problem by disconnecting all affected systems and devices. Because all of our services run in containers that isolate processes, memory, and the file system, they are easily replaced and updated in their entirety, inhibiting further escalation.

Recovery

If data is found to be affected, it is restored from clean backup files, ensuring that no vulnerabilities remain. Secondary backups are also stored in AWS. Systems are monitored for any recurrence. Ephemeral services are patched and redeployed, eliminating any chance of malware persistence.

Retrospective

The Dive engineering team analyzes every operations incident and how it was handled, making recommendations for better future response and for preventing a recurrence.


Change Management Plan

New releases to the Dive Platform are thoroughly reviewed and tested to ensure high availability and a great customer experience. Changes to our codebase are required to include unit tests, integration tests, and end-to-end tests. Changes are also run against our continuous integration server. This enables us to automatically detect any issues in development.


Once a changeset is completed, it is manually peer reviewed by one or more members of the engineering team. The changeset is then evaluated and manually tested by our quality assurance team to thoroughly test areas of expected impact, regression test, and further evaluate the user experience.


After a changeset is released, we continue to monitor application exceptions and log exceptions. These exceptions are regularly reviewed and triaged for resolution. Performance impacts of the changeset are monitored through several monitoring services.



Employee Screening and Policies

As a condition of employment, all Dive employees undergo pre-employment background checks and receive training during onboarding and throughout their employment on company policies, security, GDPR, and other related security, privacy, and compliance topics.


Employee Background Checks

New employees at Dive must undergo both criminal background checks and reference checks before beginning employment at the company.


Confidentiality and Privacy

All Dive employees and service providers sign confidentiality and non-disclosure agreements to ensure confidentiality of all information collected on our systems. Furthermore, our customer support personnel will only access customer information for the purpose of troubleshooting upon asking for permission from said customers. Such access is logged and is monitored by internal security personnel.


Risk Management

Dive takes risk management seriously and has put in place a risk management policy, associated plan and risk mitigation strategies. We ensure that a risk assessment is performed at least annually or when warranted based on changes that necessitate the activity.


Employee Access and Identity

Permissions and Authentication

Dive employs internal security controls to ensure that only those who need access to critical services have it. We have strong password security requirements, use company-provisioned password managers and enforce two-factor authentication on all critical infrastructure tools within the company. We ensure that encrypted communication (HTTPS/SSH) is used where relevant. We further ensure that these access controls are reviewed regularly and that our policies on provisioning and de-provisioning remain up to date.

Access Tracking

Dive implements a system to track employee access levels for all systems and conducts regular access reviews to ensure that access is provisioned only according to the principle of least privilege. Internal and production systems are controlled tightly via Role-Based Access Control (RBAC).


Password Policies

Dive employs a centralized password management system for all employees, ensuring a high level of password security and account hygiene.

Compliance

SOC 2 Compliance

Dive started a SOC 2 Type I audit by an AICPA-accredited third party as of Jun 22, 2022. The SOC 2 report can be made available to current and prospective clients with a signed MNDA.

We expect to receive a full Type I audit certification in August 2022 and a full Type II audit certification later in 2022.

PCI Compliance

Dive uses the PCI-compliant payment processor Stripe for encrypting and storing credit card details. More information on Stripe’s commitment to security and compliance can be found at the link below. We use the direct Stripe JavaScript integration, so your credit card information never reaches Dive's servers.

https://stripe.com/docs/security/stripe

GDPR Compliance

You can count on the fact that Dive is committed to GDPR compliance. We understand the importance of incorporating standards put forth by the General Data Protection Regulation (GDPR) into our data practices and making sure our customers, whether citizens of the EU or businesses that use Dive with European customers, feel secure and confident to continue using Dive. We have developed new features, enhanced existing functionalities, and established additional documentation regarding our efforts.

However, GDPR is a broad regulation. Since it’s new, and since there is no certification process, no company can legitimately claim that they are GDPR compliant. Dive makes a good-faith effort to be compliant with GDPR, both now and as future developments come along.

For any queries contact our Data Protection Officer at Dive.

Legal Documents

Dive Privacy Policy

Our current privacy policy can be found here: https://www.letsdive.io/privacy-policy

Dive Terms of Use and Data Processing Addendum (“DPA”)

Our current terms of use, including a link to our data processing addendum, can be found here: https://www.letsdive.io/terms-and-conditions

Dive End User License Agreement

Our current End User License Agreement can be found here: https://www.letsdive.io/terms-and-conditions
