Technical and Organizational Measures
Dispel’s TOMs combine zero trust security, encryption, and governance to safeguard sensitive data and meet global compliance standards.
Introduction and Scope
Dispel is committed to safeguarding personal data and sensitive information by implementing robust technical and organizational measures across all aspects of its operations. These measures are designed to comply with applicable legal and regulatory frameworks, including the GDPR, the Data Privacy Framework (US–EU, US–Swiss, and US–UK), and contractual obligations under our Data Protection Addendum.
This document describes the practices Dispel applies to ensure the confidentiality, integrity, and availability of data. The measures outlined here are not theoretical—they are actively enforced and regularly audited through internal processes, independent third-party assessments, and certifications.
Governance and Accountability
Information security at Dispel is grounded in clear governance. We maintain policies covering information security, acceptable use, data protection, and access control, which are binding on all employees, contractors, and suppliers. Responsibility for oversight rests with senior leadership, and dedicated roles—including security and compliance officers—ensure accountability.
Dispel also subjects itself to regular audits and external certifications. Our current security posture is monitored in our real-time governance risk compliance (GRC) trust management platform, which demonstrates adherence to standards such as SOC 2 Type II and ISO 27001. These attestations, combined with internal policy reviews and continuous monitoring, form the backbone of our compliance and accountability framework.
Risk Management
Risk management is embedded into Dispel’s operations. We perform periodic risk assessments to identify emerging threats, prioritize mitigations, and ensure that controls remain appropriate to the risk environment. Particular attention is given to vendor and third-party risks, since these can introduce systemic vulnerabilities.
All high- and critical-risk suppliers are contractually required to meet cybersecurity standards at least as stringent as those Dispel enforces internally. This alignment guarantees that security obligations extend across the supply chain and that customer data remains protected, regardless of where or by whom it is processed.
Organizational Measures
Dispel invests in people and processes as much as in technology. All staff undergo mandatory security awareness training at onboarding and receive periodic refresher training. We also maintain a formal incident response process that ensures rapid detection, escalation, and remediation of security events.
Business continuity and disaster recovery capabilities are documented, tested, and updated regularly. These include distributed backups across availability zones, strict recovery point and recovery time objectives, and the ability to isolate systems if needed. In addition, Dispel supports legal hold and eDiscovery processes by capturing and preserving data snapshots in secure environments when required.
Change management is another key component of our organizational controls. System updates, configuration changes, and software deployments follow a formal approval process that includes security review, testing, and documentation.
Technical Measures
Access Control
Access control is strictly enforced using role-based access models and the principle of least privilege. Multi-factor authentication is required for privileged accounts, and sessions are automatically terminated after periods of inactivity.
Data Protection
Data protection is achieved through strong encryption practices. All sensitive data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256. Where possible, personal data is pseudonymized or anonymized to minimize exposure. Data classification schemes ensure that information is handled according to its sensitivity.
Network and System Security
Network and system security are underpinned by the Dispel Zero Trust Engine. This architecture enforces micro-segmentation, moving target defense, and strict access workflows for operational technology and IT systems. Complementing this, we deploy firewalls, intrusion detection and prevention systems, and distributed denial-of-service protections. Regular vulnerability scanning and penetration testing confirm the resilience of these defenses.
Monitoring and Logging
Monitoring and logging provide visibility across the environment. Security events are centrally collected, correlated, and analyzed to identify anomalies. Logs are retained in accordance with policy and are available for audit and forensic review.
Secure Development
Secure development practices aligned with IEC 62443-4-1 are applied across all product engineering. Dispel uses modern CI/CD pipelines with automated security checks, GitHub Advanced Security for vulnerability detection, and coding standards aligned to the OWASP Top 10 and other industry-standard guidance. Changes undergo peer review and testing prior to release.
Endpoint Security
Endpoint security is enforced through managed protection tools, full-disk encryption, patch management, and compliance monitoring across devices.
Physical and Environmental Security
While Dispel primarily operates in cloud environments, physical security remains critical. Data centers used by Dispel employ layered protections, including biometric access controls, CCTV monitoring, redundant power and cooling, and fire suppression systems. Hardware disposal follows NIST 800-88 standards to ensure data is irretrievably destroyed.
Resilience and Recovery
Dispel’s operations are designed for resilience. Backups are geographically distributed, regularly tested, and protected from unauthorized access. Disaster recovery procedures are rehearsed to validate that recovery objectives are met and that service continuity can be maintained even in adverse scenarios.
Continuous Improvement
Security is not static. Dispel conducts quarterly reviews of its security posture, annual penetration testing, and ongoing threat modeling. Lessons learned from incidents or near misses feed directly into updates to policies, controls, and technologies. By continuously adapting, we ensure that our measures remain effective against evolving threats.
Data Protection and Privacy
Dispel’s commitment to data privacy is formalized through its Data Protection Addendum, which governs how personal data is processed, protected, and transferred. We are certified under the EU-U.S. Data Privacy Framework, the Swiss-U.S. Framework, and the UK Extension to the EU-U.S. Framework, ensuring lawful cross-border data flows.
Conclusion
The measures described here represent Dispel’s comprehensive approach to technical and organizational safeguards. They combine strong governance, disciplined operational practices, and advanced technology to ensure that data is protected at all times. These measures are reviewed regularly and refined to meet the expectations of customers, regulators, and the evolving security landscape.