
DX's Technical and Organizational Measures

Last updated: Nov 5, 2025


Access Control

1.1 Access to systems, applications, and infrastructure is granted based on job roles and the principle of least privilege, ensuring employees only access what they need to perform their work (see Access Control and Termination Policy, ISMS Roles and Responsibilities Policy).

1.2 User accounts are provisioned according to responsibilities, and only authorized personnel can access production or development environments, including source code repositories (see Access Control and Termination Policy, Secure Development Policy).

1.3 Endpoints are monitored to ensure hard drive encryption, anti-malware, firewall, and screen saver locks are enabled. Strong authentication, including multi-factor authentication where possible, is mandatory (see Access Control and Termination Policy, Acceptable Use Policy).

1.4 Access rights are reviewed quarterly to confirm they remain appropriate for each role (see Access Control and Termination Policy, ISMS Monitoring and Measuring Policy).

Awareness and Training

2.1 All personnel complete onboarding training on security, privacy, and compliance, with annual refreshers (see Information Security Policy, PIMS Scope Document).

2.2 Training completion is tracked in a centralized system, with automated reminders, and overseen by the security team (see Information Security Policy, Performance Review Policy).

Audit and Accountability

3.1 System activity is logged according to DX policies, with annual review and senior management oversight (see Internal Control Policy, ISMS Monitoring and Measuring Policy).

3.2 Logs are securely stored in a central repository with read-only access, and monitored for unusual activity (see Internal Control Policy, Network Security Policy).

3.3 All systems synchronize to authoritative time sources to ensure accurate timestamps in audit logs (see Internal Control Policy, ISMS Monitoring and Measuring Policy).

Assessment, Authorisation and Monitoring

4.1 Compliance with SOC 2, ISO 27001, ISO 27701, and other applicable standards is regularly verified (see ISMS Scope, Information Security Policy).

4.2 Annual penetration testing and vulnerability scans identify and remediate weaknesses in systems and applications (see Vulnerability and Patch Management Policy, Secure Development Policy).

4.3 Internal policies are reviewed and updated annually, with senior management approval (see ISMS Monitoring and Measuring Policy, Information Security Policy).

4.4 Audit findings are documented, tracked, and addressed through corrective actions, including root cause analysis (see ISMS Corrective Actions Policy, Internal Control Policy).

Configuration Management

5.1 All changes to systems, networks, and applications follow standardized procedures, including peer review and testing before deployment (see Change Management Policy, Configuration and Asset Management Policy, Secure Development Policy).

5.2 Encryption, key management, and endpoint policies ensure data is handled securely during changes and operations (see Encryption and Key Management Policy, Configuration and Asset Management Policy).

5.3 Asset inventories are maintained and reviewed annually, including both physical and logical assets (see Configuration and Asset Management Policy, ISMS Scope).

Contingency Planning

6.1 Business continuity and disaster recovery plans ensure operational resilience and timely restoration of systems (see Business Continuity and Disaster Recovery Plan).

6.2 Business continuity and disaster recovery plans are tested at least annually to validate the effectiveness of backup, restoration, and continuity procedures. Test results are used to update and improve the plans as needed (see Business Continuity and Disaster Recovery Plan).

6.3 Data is backed up daily, stored securely, and restored at least annually to verify integrity (see Business Continuity and Disaster Recovery Plan, Data Retention and Disposal Policy).

6.4 Capacity management ensures continuous availability, including protection against disruptions such as DDoS attacks (see Business Continuity and Disaster Recovery Plan, Network Security Policy).

Identification and Authentication

7.1 All personnel use unique identifiers to access systems, and authentication methods are enforced according to role and sensitivity (see Access Control and Termination Policy, Acceptable Use Policy).

7.2 Employee accounts are reviewed quarterly, and changes identified are documented (see Access Control and Termination Policy, ISMS Monitoring and Measuring Policy).

7.3 All passwords must be strong, unique, and securely stored using a DX-approved password manager (see Access Control and Information Security Policy).

7.4 Personnel are required to configure strong, unique passwords for all accounts. When sharing credentials is necessary, a DX-approved password manager should be used to securely manage access (see Access Control and Termination Policy).

Security Incident Response

8.1 Incident response plans outline detection, containment, mitigation, and recovery processes, emphasizing protection of data and compliance with regulations (see Security Incident Response Plan, Information Security Policy).

8.2 Security incident response plans are tested at least annually through tabletop exercises or simulations to ensure preparedness and effectiveness. Lessons learned from these exercises are incorporated into updates of the incident response procedures (see Security Incident Response Plan).

8.3 Cross-functional teams handle incidents and ensure timely communication both internally and with customers (see Security Incident Response Plan, PIMS Scope Document).

8.4 Post-incident reviews, including root cause analysis and lessons learned, are conducted for high-severity events (see Security Incident Response Plan, ISMS Corrective Actions Policy).

8.5 Customers can report security concerns through security@getdx.com, and notification of incidents follows contractual and legal obligations (see Security Incident Response Plan, Privacy and Data Protection Policy).

8.6 Data breach notification procedures ensure timely communication with supervisory authorities and affected individuals within 72 hours, in accordance with contractual and legal obligations (see Security Incident Response Plan, Privacy and Data Protection Policy).

Physical and Environmental Protection

9.1 DX offices and facilities are secured with badge access, and access logs are kept for monitoring and investigations (see Physical Security Policy).

9.2 Sensitive areas are restricted, and monitoring is in place (see Physical Security Policy).

9.3 Personnel are expected to follow a clear desk policy to ensure sensitive information is not left unattended (see Physical Security Policy, Acceptable Use Policy).

Planning & Program Management

10.1 A security and privacy controls framework is maintained, aligned to standards such as SOC 2, ISO 27001, and ISO 27701 (see Information Security Policy, Privacy and Data Protection Policy, ISMS Scope).

10.2 Regulatory obligations are actively monitored and communicated to internal teams (see ISMS Communications Policy, ISMS Scope).

10.3 Security objectives and initiatives are reviewed at least annually, with management oversight (see ISMS Roles and Responsibilities Policy, Information Security Policy).

10.4 Risk assessments, security frameworks, and mitigation plans are implemented and tracked continuously (see Risk Assessment and Treatment Policy, Vendor Management Policy, ISMS Corrective Actions Policy).

Personnel Security

11.1 Pre-hire criminal background checks and screening ensure personnel meet security and competency requirements (see Performance Review Policy, Code of Conduct, Access Control and Termination Policy).

11.2 Confidentiality agreements are executed during onboarding, and ongoing training reinforces responsibilities (see Information Security Policy, PIMS Scope Document).

11.3 Role changes and offboarding follow documented processes, including revocation of access within 24 hours of termination and device collection (see Access Control and Termination Policy, Acceptable Use Policy).

11.4 Disciplinary procedures address violations of policies (see Code of Conduct, Information Security Policy).

Personal Data Processing and Transparency

12.1 DX maintains a privacy compliance program aligned with applicable laws, including safeguards and internal processing policies (see Privacy and Data Protection Policy, PIMS Scope Document).

12.2 Personal data is classified, processed, retained, and destroyed according to defined standards (see Data Classification Policy, Data Retention and Disposal Policy).

12.3 Data pseudonymization and segregation measures are applied where appropriate, and privacy policies are communicated to users and employees (see Privacy and Data Protection Policy, ISMS Communications Policy).

12.4 Data subject rights are respected, including access, correction, and deletion requests (see Privacy and Data Protection Policy, PIMS Scope Document).

12.5 Data Protection Impact Assessments (DPIAs) are conducted for high-risk processing activities, with findings documented and mitigation measures implemented prior to processing (see Privacy and Data Protection Policy, Risk Assessment and Treatment Policy).

12.6 Records of processing activities are maintained and reviewed annually, documenting the purposes, categories, and legal basis for processing personal data (see Privacy and Data Protection Policy, PIMS Scope Document).

12.7 Customer data is retained for the duration of the customer contract and for 30 days following termination, unless earlier deletion is requested by the customer (see Data Retention and Disposal Policy, Privacy and Data Protection Policy).

12.8 Privacy by design and default principles are integrated into system development and processing activities, ensuring data protection measures are built in from the outset (see Secure Development Policy, Privacy and Data Protection Policy).

Risk Assessment

13.1 A formal risk management program identifies, assesses, and mitigates security, privacy, and operational risks (see Risk Assessment and Treatment Policy, ISMS Monitoring and Measuring Policy).

13.2 Vulnerability management, penetration testing, and threat monitoring provide ongoing risk evaluation (see Vulnerability and Patch Management Policy, Secure Development Policy).

13.3 Risk assessments are documented and tracked for continuous improvement (see Risk Assessment and Treatment Policy, ISMS Corrective Actions Policy).

System and Services Acquisition

14.1 System deployment and configuration follow standardized, secure processes with peer-reviewed code and automated testing (see Secure Development Policy, Change Management Policy).

14.2 Responsibilities for changes are segregated, and emergency change procedures are in place (see Change Management Policy, Configuration and Asset Management Policy).

14.3 Cloud and software products are documented with secure configuration instructions, and third-party libraries are regularly scanned and updated (see Secure Development Policy, Vendor Management Policy).

System and Communications Protection

15.1 Customer data is encrypted at rest using AES-256 and in transit using Transport Layer Security (TLS) 1.2+ (see Encryption and Key Management Policy, Network Security Policy).

15.2 Logical segregation ensures each customer's data is isolated from other customers' data (see Network Security Policy, Access Control and Termination Policy).

15.3 Production and non-production environments are separated, limiting connectivity between them.

System and Information Integrity

16.1 Data disposal is performed according to legal and policy requirements, ensuring irrecoverability (see Data Retention and Disposal Policy, Information Security Policy).

16.2 Production data is never used in non-production environments (see Secure Development Policy, Data Classification Policy).

16.3 Anti-malware measures and secure endpoint practices protect against threats (see Acceptable Use Policy, Network Security Policy).

Supply Chain Risk Management

17.1 Supplier and vendor relationships are managed through a formal risk framework, including due diligence, audits, and ongoing monitoring (see Vendor Management Policy, Risk Assessment and Treatment Policy).

17.2 Vendor audit reports (SOC 2, ISO 27001, etc.) and security assessments are reviewed annually, and contracts include confidentiality and security obligations (see Vendor Management Policy, Risk Assessment and Treatment Policy, Privacy and Data Protection Policy).

17.3 Security risk assessments of vendors are performed before onboarding and annually thereafter, based on risk level and any significant changes to the relationship (see Vendor Management Policy, Risk Assessment and Treatment Policy).

17.4 An inventory of all vendors is maintained, detailing ownership, services provided, and associated risk levels (see Vendor Management Policy, ISMS Scope).

17.5 All third-party controls and compliance with DX standards are evaluated through ongoing monitoring, audits, and risk management activities to ensure confidentiality, integrity, and availability of data (see Vendor Management Policy, ISMS Monitoring and Measuring Policy).

17.6 International data transfers are governed by appropriate safeguards, including Standard Contractual Clauses, adequacy decisions, or other legally compliant mechanisms (see Privacy and Data Protection Policy, Vendor Management Policy).

17.7 Subprocessors are evaluated, approved, and documented prior to engagement, with customers notified of subprocessor changes in accordance with contractual obligations (see Vendor Management Policy, Privacy and Data Protection Policy, Subprocessors).