Methods

We adhere to principles of transparency (no security through secrecy) and least privilege. Our communication channels are end-to-end encrypted/ All data access is scoped by roles and we rely on strong user authentication to identify requesters.

Traffic management

All HTTP based traffic to dimo.zone, and related subdomains is routed through . TCP traffic is routed directly to the deployment. All of DIMO's kubernetes run within private VPCs on AWS.

Encryption in transit

All traffic is encrypted with a minimum supported TLS version of 1.2 and HSTS for any communication between user and platform, device to platform or between services in the same VPC.

Hardware Security Modules

DIMO uses hardware based security modules for storage of asymmetric and symmetric encryption keys. Private keys are never exposed anywhere outside of the HSM and DIMO cannot retrieve them.

Backups and durability

DIMO takes full database snapshots on a daily basis and uploads transaction logs for database instances to backup storage every 5 minutes. These snapshots are stored for 7 days, accordingly DIMO can safely restore databases to any point in the last week (with 5 minute granularity) as needed.

Encryption at rest

DIMO-managed databases are encrypted at rest, independently from the fact that any user-data is itself encrypted end-to-end.

Audit logs

DIMO HSM system currently has immutable audit logs generated via Amazon Cloudwatch. Every wrapper key generation, and data key encryption or decryption event appends an entry to the log. In parallel, DIMO logs data accesses from the KMS. DIMO plans to open up these logs to all users and developers in the near future. This will enable end-users to verify how their data is used, as well as developers to audit HSM usage on their end.