Security & Compliance
Dive is a platform for virtual meetings that provides meeting management as a service. Our platform creates a seamless experience to set up, manage and organize meetings through securely integrating with meeting providers.
Our software is designed to request the most limited access to customer resources needed to achieve a seamless virtual meeting experience. We are continuously mindful of our customers' privacy and limit internal access to all customer data on a need-to-know basis.
Dive applies best security practices retaining a minimal amount of customer data and operating with the fewest privileges necessary to provide a great experience to our users.
This document is meant to be an overview of platform-related privacy, security, and compliance.
Key Highlights of our Security Enablement program guide
- SOC 2 Compliance
- Annual 3rd Party VAPT
- Server uptime monitoring (see status page)
- Ongoing Vulnerability Scans
- Intrusion Detection Systems (IDS)
- Firewalls + Encryption on our Server Infrastructure
- Protection of company personnel equipment (encrypted drives, virus scanners, ...)
Dive Google Calendar Plugin
A Dive user may use the Google Calendar integration to connect their calendar with Dive to simplify managing meetings. Dive is built to access only the minimum data needed from connected calendars to deliver its service. For example, the Dive application only checks for the events scheduled in your calendar and their participants so that they can be populated on the Meetings page. Dive is designed not to store the details of the events in your calendar, including who you are meeting with, their email, the meeting title or any other details about the events in your calendar.
Dive Outlook Plug-in
A Dive user may use the Outlook integration to connect their calendar with Dive to simplify managing meetings. Dive is built to access only the minimum data needed from connected calendars to deliver its service. For example, the Dive application only checks for the events scheduled in your calendar and their participants so that they can be populated on the Meetings page. Dive is designed not to store the details of the events in your calendar, including who you are meeting with, their email, the meeting title or any other details about the events in your calendar.
Authenticating with calendar integrations
We avoid collecting third-party passwords by utilizing OAuth authentication with Outlook and Google Calendar. Dive users can disconnect their calendar connection at any time through the Integrations page within their account.
SSO & Multi-Factor Authentication / Basic Authentication:
Dive currently supports signing into its product through Google, Slack, Zoom or Microsoft Single Sign-on (SSO), or with email/password.
If you currently have multi-factor authentication enabled on your Google, Microsoft, Slack or Zoom account, then all the same protection benefits carry over when you use those credentials to log into Dive.
User Permissions and Roles in Product:
Dive allows for the designation of various roles within its product, including administrator roles, manager roles and individual-contributor roles. This permissioning ensures that important information is seen by the appropriate people and that organization-wide functions such as billing, account-wide templates and user management are only accessible to administrators.
Software Development Practices and Security
Dive has secure software development practices in place, outlined in its software development lifecycle documentation. Code reviews with an emphasis on security, automated tests and manual tests are all performed before code is shipped to production. We further maintain separate environments for development, staging and production, and do not use production data in staging/development. We have a full continuous integration (CI) pipeline in place that ensures our full suite of tests is run before a production deploy.
Network and Application Security
Dive Server Infrastructure
The Dive application is hosted on Amazon Web Services (AWS) / Google Cloud Services (GCS). AWS and GCS data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
For additional information see:
Backup of Data
Dive backs up all data on its system using AWS and retains backups for a period of 30 days. This allows the team to restore information in the event of a hardware failure. Notifications and monitoring have also been set up to ensure that these services continue to run as expected.
- All connections from the browser to the Dive platform are encrypted in transit using TLS SHA-256 with RSA Encryption.
- All data is encrypted at rest.
- Dive user passwords are stored as salted password hashes.
- All data is encrypted in transit using TLS. Data stored at rest in the underlying storage is encrypted including automated backups, read replicas, and sn
Disaster Recovery & Business Continuity
Dive has a business continuity plan in addition to a disaster recovery plan in place so that our staff is ready to continue to serve customers even in the most unlikely of events.
Dive has the ability to use multiple availability zones within the AWS infrastructure in order to spin up new servers in multiple locations in the event of a failure in a particular zone. Furthermore, Dive has a disaster recovery plan and policy in place that is tested regularly to ensure that our procedure is always up to date.
We keep our systems up to date with the latest security patches and continuously monitor for new vulnerabilities through compliance and security mailing lists. This includes automatic scanning of our code repositories for vulnerable dependencies. All of our services run in containers that isolate processes, memory, and the file system using LXC while host-based firewalls restrict applications from establishing local network connections. The services are configured with tight network security constraints to further limit any potential risk. Both AWS and GCS regularly conduct internal vulnerability assessments and patch the underlying systems.
Dive utilizes a centralized endpoint security solution, and ensures that all devices are up to date, clean from malware, and securely encrypted.
Dive undergoes third-party vulnerability scans daily, ensuring that no vulnerabilities exist in our systems; where such vulnerabilities are identified, they are remediated immediately.
Static Code Scans
Dive uses static code analysis tools for our backend systems and APIs as part of our CI/CD pipeline, ensuring no code is deployed without passing checks for potential vulnerabilities and anti-patterns.
Third-Party Penetration Testing
Dive commissions penetration tests from external security firms at least annually, ensuring that our software remains secure. Any potential vulnerabilities found are remediated in short order.
Incident Response Plan
Dive routinely monitors our external services and open source libraries for security issues and has executed Data Processing Addendums (DPAs) with our vendors to ensure prompt notification of data breaches. Dive continuously scans its platform for service interruptions, performance degradation, and security vulnerabilities with automated tools that immediately alert our engineers when an incident has been detected. Users may also report security issues to firstname.lastname@example.org
Whenever our engineering team is alerted to a security issue, the team determines which systems are affected and quickly contains the problem by disconnecting all affected systems and devices. Because all of our services run in containers that isolate processes, memory, and the file system, they are easily replaced and updated in their entirety, inhibiting further escalation.
If data is found to be affected, it is restored from clean backup files, ensuring that no vulnerabilities remain. Secondary backups are also stored in AWS. Systems are monitored for any recurrence. Ephemeral services are patched and redeployed, eliminating any chance of malware persistence.
The Dive engineering team analyzes every operations incident and how it was handled, making recommendations for better future response and for preventing a recurrence.
Change Management Plan
New releases to the Dive Platform are thoroughly reviewed and tested to ensure high availability and a great customer experience. Changes to our codebase are required to include unit tests, integration tests, and end-to-end tests. Changes are also run against our continuous integration server. This enables us to automatically detect any issues in development.
Once a changeset is completed, it is manually peer reviewed by one or more members of the engineering team. The changeset is then evaluated and manually tested by our quality assurance team to thoroughly test areas of expected impact, regression test, and further evaluate the user experience.
After a changeset is released, we continue to monitor application exceptions and log exceptions. These exceptions are regularly reviewed and triaged for resolution. Performance impacts of the changeset are monitored through several monitoring services.
Employee Screening and Policies
As a condition of employment, all Dive employees undergo pre-employment background checks and receive training during onboarding and throughout their employment on company policies, security, GDPR, and other related security, privacy, and compliance topics.
Employee Background Checks
New employees at Dive must undergo both criminal background checks and reference checks before beginning employment at the company.
Confidentiality and Privacy
All Dive employees and service providers sign confidentiality and non-disclosure agreements to ensure the confidentiality of all information collected on our systems. Furthermore, our customer support personnel will only access customer information for the purpose of troubleshooting, after obtaining permission from those customers. Such access is logged and is monitored by internal security personnel.
Dive takes risk management seriously and has put in place a risk management policy, associated plan and risk mitigation strategies. We ensure that a risk assessment is performed at least annually or when warranted based on changes that necessitate the activity.
Employee Access and Identity
Permissions and Authentication
Dive employs internal security controls to ensure that only those who need access to critical services have access to them. We have strong password security requirements, use company-provisioned password managers and enforce two-factor authentication on all critical infrastructure tools within the company. We ensure that encrypted communication using HTTPS/SSH is used where relevant. We further ensure that these access controls are reviewed regularly and that our policies on provisioning and de-provisioning remain up to date.
Dive implements a system to track employee access levels for all systems, and conducts regular access reviews to ensure that access is only provisioned based on the principle of least privilege. Internal and production systems are controlled tightly via Role-based Access Controls (RBAC).
Dive employs a centralized password management system for all employees, ensuring a high level of password security and account hygiene.
SOC 2 Compliance
Dive started a SOC 2 Type I audit by an AICPA-accredited third party on Jun 22, 2022. The SOC 2 report can be made available to current and prospective clients with a signed MNDA.
We expect to receive a full Type I audit certification later in August 2022 and a full Type II audit certification later in 2022.
You can count on the fact that Dive is committed to GDPR compliance. We understand the importance of incorporating standards put forth by the General Data Protection Regulation (GDPR) into our data practices and making sure our customers, whether citizens of the EU or businesses that use Dive with European customers, feel secure and confident to continue using Dive. We have developed new features, enhanced existing functionalities, and established additional documentation regarding our efforts.
However, GDPR is a broad regulation. Since it’s new, and since there is no certification process, no company can legitimately claim that they are GDPR compliant. Dive makes a good-faith effort to be compliant with GDPR, both now and as future developments come along.
For any queries contact our Data Protection Officer at Dive.
Dive End User License Agreement
Our current End User License Agreement can be found here: https://www.letsdive.io/terms-and-conditions