
A Differential Focus: Security & Integrity

Since its inception, DDI has placed the highest value on data integrity. DDI is committed to operating our businesses in a manner that fosters confidence and trust, which includes the proper use and management of personal data provided to us by our colleagues, customers, and suppliers. Every DDI associate worldwide has been trained in data security best practices that help to protect client data.

Our Security Mission

  • Be fully transparent around how we use and manage data.
  • Help our customers to maximize the benefits of their data while minimizing potential risks.
  • Leverage global best practices in our data policies and compliance measures.
  • Provide the highest level of data protection and confidentiality to our customers.

Our Approach to Data Security

DDI employs a multi-layered approach to Information Security to protect user data (candidate, participant, learner, administrator, and customer information) and to prevent unauthorized access, alteration, or destruction. Our policies and processes are designed to:

  • Define mechanisms to protect data and prevent its misuse
  • Educate DDI associates on the importance of safe data management and recognizing potential security threats
  • Provide a communication channel for external queries about this policy and associated systems

Security Governance

To ensure data integrity, DDI has resources, policies, and processes dedicated to data protection, including a Data Security Office and Data Protection Officer, who routinely monitor global standards. 

DDI’s Data Protection Officer (DPO) sets and enforces the vision and strategy for the company’s security and compliance program, with the goal of global consistency, ascertaining that risks are managed appropriately and objectives are achieved.

Security Training

DDI conducts regular training for DDI associates to learn about data privacy, confidentiality, and security best practices.  End users are trained to recognize and avoid phishing attacks, social engineering traps, malicious links, and downloads.

Data Processing

DDI assumes the role of Data Controller or Data Processor depending on the business context. When data is captured and processed in the context of marketing, sales, or DDI-led research, DDI operates as a Data Controller and complies with all data security accountabilities and requirements prescribed for that role. When data is captured and processed in the context of a customer-funded engagement, the customer assumes the role of Data Controller; DDI functions as a Data Processor and complies with all data security accountabilities and requirements prescribed for that role.

Security in Partnership

The security and confidentiality of our customers’ data is a shared responsibility between DDI and our customers.  DDI provides a secure platform on which customers can access and leverage their data. In addition, DDI provides tools, services, support, and resources that enable our customers to ensure the security of their data throughout the lifecycle of the engagement. See DDI’s Privacy Statement.

Customers are jointly responsible for the security of their data during and after their engagement with DDI. Customers must understand what data is being collected and held within DDI systems and define the appropriate data sharing policy to ensure that data is shared with only those who are authorized to access it.  The data sharing policy should align with risk and compliance requirements that correlate to the importance and classification of that data.

Data Classifications

Personal Data includes any information that may identify an individual. We only collect, access, use or disclose personal data for valid and appropriate business purposes. We properly secure this information and do not share it with anyone, either inside or outside our Company, who does not have a present and valid business need.

Sensitive/Confidential Data is any information asset for which there are legal requirements for preventing disclosure, or where disclosure of such information would cause the individual’s confidentiality to be seriously compromised. Access to confidential data is restricted to DDI internal users for whom it is necessary to fulfill contracted business services and/or security management. DDI Software as a Service (SaaS) applications do not acquire or store confidential information assets.

Diagnostic/Performance Data is captured in the process of fulfilling contractual obligations to our customers, in the context prescribed and owned by the customer. DDI application data stores have strict controls preventing disclosure of this data to unauthorized parties. Access is restricted to DDI internal users who require it to fulfill contracted business services and/or security management, as well as to client-identified and authorized users per the client’s data sharing policy.

Public Data is information that is available for public dissemination or that may be accessed from other public sources. However, most information about individuals is treated as Confidential or Sensitive even if it is publicly available.

Least-Rights Access

To Data

Access to all data (irrespective of classification) is provided using a “Least Rights Necessary” security model, i.e., granted to those with a legitimate business need such as end-users, client administrators, and various DDI and client support teams. Additional measures may be used to ensure that data are secured according to the requirements for each classification. Individuals who may be granted access include:

  • End Users
    End users are people who engaged in an online process (such as a test or assessment) or created or responded to a survey.
  • Client Administrators
    Client Administrators are system end-users who manage accounts and workflow processes within a DDI application system, such as hiring managers, staff development professionals, and other Human Resources roles.  Administrators may be either client associates or DDI associates who input personal information on behalf of clients or applicants and may progress them through different process phases.
  • Support Personnel
    When a user requests technical support from DDI’s Product Support team, that user may grant a support representative temporary access to the account.  The support team may need to view an individual user’s test, assessment, or survey as part of the support incident resolution.

To Applications
Applications use a role-based security model to determine access rights. Client data is segregated logically based on site, document, user, and other criteria.  System changes are controlled through a best practice change management process.

To Accounts
End-users are granted ‘least privileged access’ permissions to effectively and efficiently do their jobs.  All administration and account management are strictly controlled by DDI. User accounts are required to have strong passwords and password-protected screen savers. Account access will be automatically disabled after excessive logon failures or termination of employment.
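The account controls described above (strong passwords, automatic disablement after excessive logon failures, immediate disablement on termination) can be expressed as a small credential store. The following is an added illustration, not DDI’s own code: the failure threshold and minimum password length are placeholder values the page does not state, and the example stores passwords as salted PBKDF2 hashes, which is the standard practice for stored credentials, where the page speaks of "encryption".

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy values: the page gives neither the lockout threshold nor a
# minimum length, so these are illustrative placeholders.
MAX_FAILED_LOGONS = 5
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 600_000


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    failed_logons: int = 0
    disabled: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash rather than reversible encryption: a leaked
    # table yields no passwords, only hashes that must be brute-forced per user.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def password_meets_policy(password: str) -> bool:
    """Minimal 'strong password' check: length plus at least three character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3


class AccountStore:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def create(self, username: str, password: str) -> Account:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)  # per-account random salt
        acct = Account(username, salt, _derive(password, salt))
        self._accounts[username] = acct
        return acct

    def disable(self, username: str) -> None:
        """Termination of employment: access is revoked immediately."""
        self._accounts[username].disabled = True

    def is_disabled(self, username: str) -> bool:
        return self._accounts[username].disabled

    def authenticate(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None or acct.disabled:
            return False
        # Constant-time comparison so timing does not leak how many bytes matched.
        if hmac.compare_digest(_derive(password, acct.salt), acct.password_hash):
            acct.failed_logons = 0  # a good logon resets the counter
            return True
        acct.failed_logons += 1
        if acct.failed_logons >= MAX_FAILED_LOGONS:
            acct.disabled = True  # automatic disablement after excessive failures
        return False
```

Note that a disabled account is rejected before any hash is computed, so an administrator must re-enable it explicitly; the store never unlocks itself on a later correct password.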

To Databases
Select members of our engineering team have access at a database level. This access is used for creating off-site backups and performing data restorations. This is all done without viewing data.

To Data Centers or Backups
Physical access to Data Centers is restricted to a named list of DDI associates. Physical access does not mean access to data. The physical media resides on servers in a locked cabinet. Off-site backups are stored in a fire safe in a secure room. Access to this room is restricted and logged.

Secure Transmissions

When using DDI applications, data typically flows between three parties: the customer, its associates/candidates, and DDI. When an end-user accesses a DDI application, the information they provide is submitted via secure encrypted (HTTPS) methods. The data processed by our application servers is submitted to our database servers for storage. Web/application and database servers are located on separate logical and physical networks protected by firewalls.

DDI uses SSL/TLS 1.2 for secure HTTPS application data access. SSL technology is provided as standard for all DDI applications, and all backup tapes are encrypted using 256-bit AES encryption. Encryption is used for passwords stored in application databases. All files (regardless of confidentiality) remain encrypted when copied from a DDI laptop to an external storage device.
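For reference, the TLS posture described above (HTTPS on 443, TLS 1.2 as the floor, plain HTTP only redirected) looks like the following on an nginx front end. This is an added example, not DDI’s configuration; the hostname, certificate paths and upstream name are placeholders.

```nginx
# Added example; hostnames, paths and upstream addresses are placeholders.
upstream app_servers {
    server 10.0.1.10:8080;   # application tier on its own firewalled network (placeholder)
    server 10.0.1.11:8080;
}

server {
    listen 80;
    server_name app.example.com;
    # Port 80 accepts nothing but a redirect to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/ssl/certs/app.example.com.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/app.example.com.key;  # placeholder path

    # Weak setting that still admits deprecated protocol versions:
    #   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Corrected: TLS 1.2 is the minimum, TLS 1.3 is also allowed.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

    # Browsers remember to use HTTPS only for this host (HSTS).
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://app_servers;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After deploying, `openssl s_client -connect app.example.com:443 -tls1_1` should fail to negotiate while `-tls1_2` succeeds; that pair of checks is the quickest confirmation that the floor is actually enforced.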

Product Development Process & Code Management

Development Release Cycle

DDI employs an agile development model.  Agile is an iterative approach to software development and provides a very nimble capability that allows DDI to rapidly respond to the needs of our clients.  We have a planned new code release cycle – typically a weekly cycle – which means that approximately every week DDI releases new features and upgrades.  The agile development model gives frequent windows for enhancing existing and/or adding new features. Outside of this cycle we can make immediate (“hot fix”) releases as urgency dictates.

Development (Digital) Environments

DDI uses separate application instances for testing updated code as well as separate instances for early candidate code and release candidate software. This approach protects data from ever being controlled or accessed by code still in development.  All development code runs against “dummy databases.”

Code Review

Programmers work individually and in teams to develop new code.  As the end of each development cycle approaches, code is peer-reviewed and tested in a QA environment separate from the production environment.  This testing period allows most bugs to be resolved before they are ever introduced to production.  Code is also programmatically inspected for known vulnerabilities using the NTOSpider tool.

Code Management

Git is used to manage the software development process and serves as the source-code repository.  The Git tool and related processes ensure that no changes are overwritten due to multiple developers making changes within the same module.  Change control processes exist at many different levels within development, QA, and implementation including:

  • Change Request documentation and ownership that includes review, approval, and documentation of all changes by the application owner.
  • A gated approval process for code promotion from: Development to QA; QA to Staging; and Staging to Production.
  • Multi-phased software testing and QA process (unit test followed by system test, followed by user acceptance test).  Development and unit testing is done on separate development systems by software developers before being released for system and user acceptance testing on separate QA systems.

Security in Infrastructure

Secure Hosting Facilities

DDI hosts client-facing applications at redundant SSAE18, SOC 2 Type II, ISO/IEC 27001:2013, HIPAA/HITECH, PCI DSS 3.1 certified data centers.

DDI’s server infrastructure is housed in a dedicated 8’ x 16’ enclosed caged area. Access to this area is limited to the DDI staff responsible for managing the application servers and network components. The data center facility has implemented extensive systems to provide security and physical plant protection. 

Since servers can be targeted for attack, DDI ensures that its servers are secured appropriately. DDI’s process of enhancing server security includes the following measures. [For security reasons, we cannot provide all details of our server security controls.]

  • Disablement or removal of unnecessary services, applications, and network protocols.
  • Disablement of unneeded user accounts and renaming of default accounts.
  • Password requirements configured to comply with the DDI Password Policy.
  • Activation of server logging and audit trails.
  • Installation of anti-virus / anti-malware software with current definition files.
  • Installation of current security patches, which are first tested on a test platform.
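The first measure in the list, removing unnecessary services and network protocols, is only verifiable if something compares what a server actually listens on against what it is supposed to listen on. The following is an added example, not a DDI tool: it parses `ss -ltnp` output (the sample below is constructed, not captured from any DDI host) and reports network-exposed listeners that are not in an assumed baseline for a web-tier host, which the page does not define beyond ports 80 and 443.

```python
import re
from dataclasses import dataclass

# Constructed `ss -ltnp` output for illustration only.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=1201,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=700,fd=3))
"""

# Assumed baseline for a web-tier host: which process may listen on which port
# on a non-loopback address. Anything else reachable from the network is a finding.
WEB_TIER_BASELINE = {80: "nginx", 443: "nginx", 22: "sshd"}

LOOPBACK_PREFIXES = ("127.", "[::1]")


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -ltnp` lines into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        # Split on the last colon so IPv6 literals such as [::]:22 parse correctly.
        address, port = fields[3].rsplit(":", 1)
        match = re.search(r'\("([^"]+)"', fields[5])
        listeners.append(Listener(address, int(port), match.group(1) if match else "?"))
    return listeners


def unexpected_listeners(listeners: list[Listener], baseline: dict[int, str]) -> list[Listener]:
    """Network-exposed listeners whose port/process pair is not in the baseline.

    Loopback-bound services are skipped: they are not reachable from the network,
    which is what this particular hardening measure is about."""
    findings = []
    for l in listeners:
        if l.address.startswith(LOOPBACK_PREFIXES):
            continue
        if baseline.get(l.port) != l.process:
            findings.append(l)
    return findings


def audit(output: str = SAMPLE_SS_OUTPUT, baseline: dict[int, str] = WEB_TIER_BASELINE) -> list[tuple[int, str]]:
    """Return (port, process) pairs that violate the baseline."""
    return [(f.port, f.process) for f in unexpected_listeners(parse_ss(output), baseline)]


if __name__ == "__main__":
    for port, process in audit():
        print(f"unexpected listener: {process} on tcp/{port}")
```

Run against live output with `audit(subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout)`; the baseline is per server role, so a database host would carry a different dictionary than a web host.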

Continuity
The data center facility’s hot sync parallel/redundant systems provide redundant power supply through Uninterruptible Power Systems (UPS) and backup generators. There are connections to multiple telecommunications companies’ networks for redundant internet access and connectivity is load-balanced and provided by more than one ISP.

Disaster Recovery
DDI maintains a detailed Disaster Recovery plan for restoring business service in the event of a large-scale system failure. This plan is updated as any changes are made to the system infrastructure or production web farm configuration.

Network Security

Our network infrastructure consists of a dual high-availability (HA) pair of devices providing load-balancing and acceleration capabilities; it listens for requests arriving on TCP port 80 or 443 (depending on the SSL level) at a web site’s external IP address. DDI employs both host-based and network-based detection systems that are monitored and responded to on a 24x7x365 basis.

Malware/Virus Protection
Our monitoring environment has been configured to automatically send alerts to appropriate staff who are on call 24/7/365. All appropriate systems (PCs, servers, gateway systems, etc.) are protected by Microsoft’s endpoint protection anti-virus and “zero-day protection” software, which is centrally managed and updated.

Data Retention & Disposal

DDI employs a comprehensive retention policy for managing and protecting personal data. As a best practice standard, DDI does not retain personal data for any longer than necessary to meet its contractual and/or legal obligations. Our policy (1) requires personal data to be deleted/destroyed or anonymized after the retention period expires, not to exceed 5 years; and (2) allows data in de-personalized format to be retained indefinitely for business and research purposes.

Prior to May 25, 2018, data will be incrementally backed up on a nightly basis to ensure that all application and client data are preserved and available to be restored in the event of any data loss or catastrophic event. After that date, nightly back-ups will only be retained for a period of thirty (30) days.

Backup Schedules and Data Retention

  • Physical File Servers and DB Server Backups: (Retained for 35 days on disk)
  • Production VMs: (Retained for 35 days on disk)
  • SharePoint Client Sites: (Retained for 35 days on disk)
  • Monthly Copy to Tape: (Retained for 1 year on tape)
  • Yearly Copy to Tape: (Retained for 5 years on tape)
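A retention schedule like the one above is easiest to enforce (and audit) when the periods live in one table and a single routine decides what expires. The following is an added example, not DDI’s tooling: it encodes the schedule’s retention periods, plus the five-year cap on personal data from the paragraph above, and classifies a constructed inventory into what is kept and what is destroyed. It uses the schedule’s 35 days for on-disk backups (the preceding paragraph gives thirty; the list is taken as authoritative here) and approximates a year as 365 days, which is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods from the schedule above. A year is approximated as 365 days;
# whether leap days count is a policy detail the page does not state.
RETENTION = {
    "disk": timedelta(days=35),            # nightly file/DB/VM/SharePoint backups
    "monthly_tape": timedelta(days=365),   # monthly copy to tape
    "yearly_tape": timedelta(days=5 * 365),  # yearly copy to tape
}
PERSONAL_DATA_CAP = timedelta(days=5 * 365)  # "not to exceed 5 years"


@dataclass(frozen=True)
class Backup:
    label: str
    taken: date
    tier: str  # a key of RETENTION


def is_expired(backup: Backup, today: date) -> bool:
    """A backup expires once it is older than its tier's retention period."""
    return today - backup.taken > RETENTION[backup.tier]


def rotate(inventory: list[Backup], today: date) -> tuple[list[Backup], list[Backup]]:
    """Split an inventory into (keep, destroy).

    Backups with an unknown tier are kept, not destroyed: a retention job must
    fail safe and never delete data whose policy it cannot determine."""
    keep, destroy = [], []
    for b in inventory:
        if b.tier not in RETENTION or not is_expired(b, today):
            keep.append(b)
        else:
            destroy.append(b)
    return keep, destroy


def personal_data_disposition(collected: date, contractual: timedelta, today: date) -> str:
    """'retain' while within the shorter of the contractual period and the 5-year
    cap; otherwise 'delete_or_anonymize'. De-personalized data is outside this rule."""
    effective = min(contractual, PERSONAL_DATA_CAP)
    return "retain" if today - collected <= effective else "delete_or_anonymize"


def sample_inventory(today: date) -> list[Backup]:
    """Constructed inventory relative to `today`, for illustration only."""
    return [
        Backup("db-nightly", today - timedelta(days=35), "disk"),
        Backup("db-nightly-old", today - timedelta(days=36), "disk"),
        Backup("tape-monthly", today - timedelta(days=364), "monthly_tape"),
        Backup("tape-monthly-old", today - timedelta(days=366), "monthly_tape"),
        Backup("tape-yearly", today - timedelta(days=4 * 365), "yearly_tape"),
        Backup("mystery", today - timedelta(days=4000), "unknown"),
    ]


if __name__ == "__main__":
    today = date(2024, 6, 30)
    keep, destroy = rotate(sample_inventory(today), today)
    print("destroy:", [b.label for b in destroy])
    print("keep:   ", [b.label for b in keep])
```

The destroy list is what a scheduled job would hand to the tape library or storage API; the "mystery" entry surfaces in the keep list so that an operator notices the unclassified backup instead of losing it.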

Security Incident Response

DDI enforces a comprehensive security incident detection and response plan including intrusion detection, scans, and other methods deemed effective and appropriate. While computer-related incidents are most common, non-computer-related incidents can be reported through the Incident Hotline or by contacting DDI’s DPO or Corporate Counsel. DDI will report any suspected or actual security incidents to affected or potentially affected clients and the appropriate authorities within 72 hours of discovering a security breach. Once an incident has been remediated and the appropriate notifications made, DDI will continue to take steps to improve privacy controls to prevent recurrence.

Compliance

Certifications

SSAE-18: DDI only stores data in data centers that have received unbiased favorable annual SAS 70 Type II audits. Note that the SAS 70 has been replaced by the Statement on Standards for Attestation Engagements (SSAE) No. 18 and our data centers are certified to that standard.

ISO 27001: DDI adheres to this widely-adopted global security standard developed by the International Organization for Standardization and only uses data centers that have demonstrated their adherence by periodic assessments and annual certification.

SOC 1/SOC 2: DDI is neither SOC 1 nor SOC 2 certified. However, DDI’s data hosting provider does keep current SOC 2 certifications.

Confidential Information

Upon hire, all DDI associates are required to sign a confidentiality agreement that specifically addresses the concerns and risks of dealing with confidential information. Any associate found to have violated this policy is subject to immediate termination or any applicable legal action.

Background Checks

DDI will generally use a third-party agency to conduct background checks on job applicants in the offer stage of the selection process. The type of information that may be collected by this agency includes, but is not limited to, that pertaining to an individual’s past employment, education, character, finances, reputation, etc. All background checks are done in compliance with applicable federal and state law.

SSN Verification

All US-based associates are verified legal US workers, and Social Security Numbers or work authorizations are verified.

EU Data Protection Regulations

DDI is headquartered in the United States and serves customers globally and has employed mechanisms to ensure that data transfers from the EU to the U.S. provide the legal protections required by EU Data Protection Regulations, including Privacy Shield (a replacement to Safe Harbor), EU Model Contract clauses and end user consent. DDI’s certification under the Privacy Shield program may be viewed at the Privacy Shield site: https://www.privacyshield.gov/

EU Model Clauses

The EU Model Clause is a standard contract addendum between service providers such as DDI and its customers, designed to ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law and meets the requirements of the EU Data Protection Directive 95/46/EC.

General Data Protection Regulations

On May 25, 2018, a new privacy mandate called the General Data Protection Regulation (GDPR) takes effect. The GDPR expands the privacy rights of EU individuals and places new obligations on service providers like DDI which store and process EU personal data.  DDI views GDPR as an opportunity to deepen our commitment to privacy and data protection best practices internally and with customers.

As with other legal requirements, compliance with the GDPR requires a partnership between DDI, its sub-processors, and our customers. DDI will comply with the GDPR in the delivery of service to our customers and we are also dedicated to helping our customers comply. We have closely analyzed requirements of the GDPR and are working to make enhancements to our products, contracts, and documentation to support DDI’s and our customers’ compliance with the GDPR.   

Third Party Providers

DDI utilizes third party providers for the provisioning of our Services to you as described in our agreements. We employ a rigorous application, vetting, and audit process to ensure ongoing alignment with our data processing parameters and requirements. All third-party providers are required to comply with DDI’s data processing, protection, and security standards.

For a list of our sub-processors please see https://www.ddiworld.com/thirdpartyproviders
