Security and Trust at Darwin Global
Darwin Global maintains a SOC 2 Type 2 compliant security program designed to protect customer data, reduce operational risk, and support secure service delivery. Our program is supported by formal policies, technical safeguards, secure development practices, and ongoing governance.
- SOC 2 Type 2
- Role-Based Access Control
- MFA for Privileged Access
- Encryption in Transit and at Rest
- Secure Development Lifecycle
- Incident Response and Disaster Recovery
Security and Trust are built into how Darwin Global operates.
Compliance and Assurance
Darwin Global remains compliant with SOC 2 Type 2, with the 2024 audit completed and the final report received in December 2024. Our security program includes continuous monitoring, policy maintenance, training requirements, and quarterly reporting on security initiatives.
Darwin Global is also pursuing CMMC 2.0 Level 2 as a separate initiative. Policy alignment and System Security Plan development are underway; CMMC 2.0 Level 2 is not yet an achieved certification.
How We Protect Customer Data
Darwin Global classifies data based on sensitivity and business criticality and applies controls accordingly. Access to information systems and confidential data is restricted based on business need and the principle of least privilege. Role-based access control is used wherever feasible, and privileged access to production systems uses multifactor authentication. Access requests and changes require approval and are documented, and user access reviews are performed quarterly.
Confidential data is encrypted in transit over public networks, and backups containing confidential data are encrypted. Laptops and mobile devices that handle confidential data must be encrypted, and confidential data is not permitted on personal devices or removable media without authorization. Darwin Global’s cryptography policy requires TLS 1.2 or better for confidential web traffic and calls for strong cryptography with documented key management practices.
Customer accounts and customer data are deleted within 60 days of contract termination through defined deletion procedures.
Infrastructure Security and Monitoring
Darwin Global relies on Azure as its primary production environment and follows Azure-recommended security policies. Security monitoring and compliance tracking are supported through Vanta, which is used as the primary monitoring platform for SOC 2 compliance. Microsoft Defender for Endpoint is integrated with Vanta to strengthen vulnerability tracking and remediation workflows. Darwin Global also maintains Fortigate firewall support and updates as part of its infrastructure security program.
Remote access to production systems must be encrypted. Darwin Global requires antivirus protections, software firewalls, and MFA-enabled remote access mechanisms for systems connecting to company resources. Unauthorized remote access technologies are prohibited.
Secure Development
Darwin Global integrates security into the software development lifecycle. All software is version controlled, repository access is restricted by role, and significant changes are subject to review and testing before release. Security testing is carried out during development, and no code is deployed to production without documented successful test results.
Development teams are required to conduct periodic software code scanning prior to production release, including SAST, DAST, and OSS scanning. Darwin Global also prohibits storing passwords, API keys, encryption keys, or other secrets in source code or configuration files. Secrets must be managed using secure secret management tools or services.
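The secrets-in-source prohibition above is the kind of rule that is enforced by a scanner in a pre-commit hook or CI stage rather than by policy text alone. The following is an added illustration and is not Darwin Global's tooling or code: a small scanner that flags credential-like literals, AWS access key IDs and PEM private-key blocks in an in-memory file tree, masks the matched value in its own output so the report does not re-leak the secret, and exits non-zero so the pipeline blocks the change. The file names, sample contents, rule set, allowlist marker and the `require_secret` helper (the compliant pattern of resolving a secret at runtime with no default) are all constructed for the example.

```python
"""Secret-in-source scanner of the kind run as a pre-commit hook or CI gate.

Added example; not Darwin Global's tooling. The rules, file contents and
secret names below are constructed for illustration.
"""
import os
import re
import sys
from typing import Dict, List, Mapping, NamedTuple, Optional


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    snippet: str  # offending line with the secret value masked


# Rule name -> pattern. Named group "val" (where present) is the value to mask.
RULES = {
    # AWS access key IDs have a fixed prefix and length.
    "aws_access_key_id": re.compile(r"\b(?P<val>AKIA[0-9A-Z]{16})\b"),
    # PEM private-key headers should never be committed.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A credential-like name assigned a quoted literal of 8+ characters.
    "assigned_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"](?P<val>[^'\"]{8,})['\"]"
    ),
}

# Explicit, code-reviewable opt-out for known-safe lines such as test fixtures.
ALLOWLIST_MARKER = "# allowlist-secret:"


def mask(value: str) -> str:
    """Keep a short prefix so the finding is identifiable without re-leaking the value."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            snippet = line.strip()
            if "val" in m.groupdict() and m.group("val"):
                snippet = snippet.replace(m.group("val"), mask(m.group("val")))
            findings.append(Finding(path, line_no, rule, snippet))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} tree (a real hook would walk the git index)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def require_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """The compliant pattern: resolve the secret at runtime; never fall back to a default in code."""
    source = os.environ if env is None else env
    if name not in source:
        raise RuntimeError(f"secret {name!r} not provided; refusing to start")
    return source[name]


# Constructed sample tree: three lines violate the policy, the rest follow it.
SAMPLE_FILES = {
    "app/settings.py": (
        "import os\n"
        'DB_PASSWORD = "hunter2-prod-2024"\n'          # hard-coded literal: violation
        'API_KEY = os.environ["PAYMENTS_API_KEY"]\n'   # injected at runtime: fine
    ),
    "deploy/config.yaml": (
        "storage:\n"
        "  access_key_id: AKIAIOSFODNN7EXAMPLE\n"      # literal cloud key: violation
        "  secret_access_key: ${STORAGE_SECRET}\n"      # placeholder filled at deploy time: fine
    ),
    "deploy/keys/server.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"             # committed key material: violation
        "MIIEowIBAAKCAQEA(constructed, truncated)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "app/db.py": (
        'token = get_secret("db-token")\n'              # fetched from a secret manager: fine
        'TEST_TOKEN = "not-a-real-token"  # allowlist-secret: fixture\n'
    ),
}


def main() -> int:
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line_no}: [{f.rule}] {f.snippet}")
    return 1 if findings else 0  # non-zero exit blocks the commit or pipeline stage


if __name__ == "__main__":
    sys.exit(main())
```

Regex-based scanning is a floor, not a ceiling: it catches the obvious literal and the distinctively shaped key, and the allowlist marker keeps fixtures from becoming permanent noise, but entropy-based detection and a scan of full git history are what catch secrets that were committed once and then "removed".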
Incident Response
Darwin Global maintains a formal incident response process for security and privacy incidents. Employees, contractors, users, and customers are instructed to report suspected incidents immediately through designated reporting channels, including security-incident@darwin-global.com. All reported incidents and response activities are documented.
The incident response process includes triage, investigation, containment, recovery, remediation, and lessons learned. Relevant incidents or breaches are communicated to customers, partners, users, affected parties, and regulators in accordance with policy, contractual commitments, and legal requirements. The incident response plan is reviewed and tested at least annually.
Business Continuity and Resilience
Darwin Global maintains a formal business continuity and disaster recovery program. Disaster recovery testing, including backup restoration testing, is performed annually. In the event of a disruption affecting office operations, staff can continue working remotely, and continuity strategies are defined for critical services and business functions.
For production services, Darwin Global relies on Azure availability commitments and SLAs. Supporting business systems are primarily vendor-hosted SaaS applications that can be accessed securely by remote staff.
Third-Party Risk Management
Before confidential data is shared with a third party, Darwin Global performs due diligence and a third-party risk assessment and requires a written agreement covering service expectations and applicable security requirements. Darwin Global evaluates whether third parties maintain reasonable organizational and technical controls, including access control, incident response, vulnerability management, secure development, business continuity, and other relevant safeguards.
Supplier security and service delivery performance are reviewed at least annually.
Security Governance
Darwin Global’s security program includes ongoing governance through bi-weekly cybersecurity meetings and quarterly Information Security Board meetings. These forums review security incidents, vulnerability remediation, awareness training, Azure risk scoring, endpoint monitoring, SOC 2 activities, and the roadmap for CMMC 2.0 Level 2.
Formal IT risk assessments are performed at least annually, and security awareness training is required at hire and annually thereafter for employees and relevant third parties with privileged access.
Frequently Asked Questions
Are you SOC 2 Type 2?
Yes. Darwin Global remains compliant with SOC 2 Type 2, and the 2024 audit was completed with the final report received in December 2024.
Do you encrypt customer data?
Darwin Global requires encryption for confidential data in transit over public networks, encrypts backups containing confidential data, and requires encryption for laptops and mobile devices handling confidential data. TLS 1.2 or better is required for confidential web traffic.
Do you use Multifactor Authentication (MFA)?
Yes. Privileged access to production systems uses multifactor authentication, and company-provided remote access methods are configured for MFA.
Where is your production environment hosted?
Darwin Global relies on Azure as its primary production environment.
How do you handle incidents?
Darwin Global maintains a formal incident response process covering reporting, investigation, containment, recovery, remediation, and lessons learned, with annual review and testing.
How do you review vendors and service providers?
Darwin Global performs due diligence and third-party risk assessments before sharing confidential data and reviews supplier security and service delivery at least annually.
Can we request security documentation?
Yes. Customers and prospective customers may request additional security and compliance documentation through the contact form or security contact.
Request Security Documentation
Customers and prospective customers may request additional security documentation, including the SOC 2 report and security review materials, through our security team. For security inquiries, contact: security-incident@darwin-global.com