Data Security
Last reviewed date: 22 October 2025
Purpose
The security of data is important to us. This document is intended to answer as many questions as possible about the security, reliability, and availability of DDI’s applications and data processing systems. This document outlines the flow of data for DDI technology-based solutions and addresses the security measures that we have taken to protect each part of the process.
This Global Information Security Policy forms part of the global information security program adopted by DDI. The purpose of this policy is to establish the information security criteria, means, methods, and measures to protect the Company’s information assets and those of our clients from unauthorized disclosure, modification, or denial through the establishment, implementation, and management of the global information security program.
To receive alerts when changes are made to this page, subscribe to our Trust Center.
Scope
This policy applies to all associates, agents, contractors, and third parties, world-wide, across all locations, business units, and functions that access, manage, or interact with company information or information systems.
Definitions & Abbreviations
Policy definitions:
- Virtual Private Network (VPN) – A secure network implemented over an insecure medium, created by using encrypted tunnels for communication between endpoints.
- Client Participants – Client employees who input information into a DDI application system in the context of completing an online diagnostic or learning activity such as an assessment, test, survey, or learning journey.
- DDI System Users – DDI associates who manage system-level content and workflows and, based on assigned role, administer accounts and workflow processes within a DDI application system on behalf of a DDI client.
- Client Administrators – Client employees who administer accounts and workflow processes within DDI application systems.
Introduction
DDI: Who We Are, What We Do
Founded in 1970, Development Dimensions International (DDI), a global human resource consulting firm, helps organizations close the gap between today’s talent capability and future talent needs. DDI’s expertise includes designing and implementing selection systems and identifying and developing front-line to executive leadership talent. For more information about DDI visit http://www.ddiworld.com.
DDI’s Approach to Data Security
Today’s talent management environment requires the processing of electronic records. Application functionality depends on information storage and transfer across DDI networks and the Internet. Appropriate security is essential and is fully integrated with application functionality and processes. DDI maintains a consistent security framework with appropriate privacy standards within which system applications and user populations leverage information within various business contexts. DDI employs a multi-layered approach to Information Security as it relates to the protection of user data (including candidate, participant, learner, administrator, and customer information) and the prevention of unauthorized access, alteration, or destruction. Our policies and processes are designed to:
- Establish DDI’s approach to information security.
- Define mechanisms to protect data and prevent its misuse.
- Educate DDI associates on the importance of safe data management and recognizing potential security threats.
- Provide a communication channel for external queries about this policy and associated systems.
DDI is committed to operating our businesses in a manner that fosters confidence and trust, which includes the proper use and management of personal data provided to us by our colleagues, customers, and suppliers.
Security Governance
To ensure data integrity, DDI has resources, policies, and processes dedicated to data protection, including a Privacy, Security and Compliance Office and Data Protection Officer, who routinely monitors global standards.
DDI’s Privacy, Security and Compliance Office sets and enforces the vision and strategy for the company’s security and compliance program, with the goal of global consistency, ascertaining that risks are managed appropriately, and objectives are achieved.
Security in Partnership
The security and confidentiality of our customers’ data is a shared responsibility between DDI and our customers. DDI provides secure platforms on which customers can access and leverage their data. In addition, DDI provides tools, services, support, and resources that enable our customers to ensure the security of their data throughout the lifecycle of the engagement.
Customers are jointly responsible for the security of their data during and after their engagement with DDI. Customers must understand what data is being collected and held within DDI systems and define the appropriate data sharing policy to ensure that data is shared with only those who are authorised to access it. The data sharing policy should align with risk and compliance requirements that correlate to the importance and classification of that data.
DDI’s Role as a Data Processor
DDI clients operate as a “Data Controller” pursuant to the European Union (EU) Model Clauses. DDI functions as a “Data Processor” pursuant to EU Model Clauses and the General Data Protection Regulation (GDPR). See https://www.ddi.com/privacy/en-us.
Data Protection Regulations
DDI is headquartered in the United States, serves customers globally and has employed mechanisms to ensure that data transfers from the EU to the U.S. provide the legal protections required by EU Data Protection Regulations, including self-certification with the EU-US Data Privacy Framework (DPF), EU Model Contract Clauses, and end-user consent. DDI’s certification under the DPF may be viewed at https://www.dataprivacyframework.gov/. DDI maintains compliance with all applicable data security and data privacy regulations. For more information, please see Notices on https://www.ddi.com/privacy/en-us. If you have questions around regulatory applicability, reach out to DataProtectionOfficer@ddiworld.com.
Policy
Risk Management
DDI maintains a Risk Management Policy and procedures designed to identify and remediate information security risks. Processes are implemented to determine inherent and residual risks. Risk acceptance criteria are established based on business requirements. Processes are implemented for risk treatment methods, including a prioritization of risk treatment based on the risk. Processes are established to review the risk assessment methodology on a regular basis.
Third Party Providers
DDI utilizes third-party providers for the provisioning of our Services to our clients. All third-party providers are required to comply with DDI’s data processing, protection, and security standards. Information security risks associated with third parties, including Information Communication Technology (ICT) suppliers and cloud service providers (CSPs) who access DDI information resources, are identified, assessed, and managed. Information security requirements are documented and implemented to guide the selection of third-party providers. Contracts with third-party providers include information security and confidentiality clauses. Information security reviews of existing third-party providers are performed on a regular cadence. Termination of third-party providers or services complies with the information security and confidentiality clauses defined in the signed contracts.
For a list of current third-party providers please see:
https://www.ddiworld.com/thirdpartyproviders
Data Classification
DDI classifies data it collects and processes into four categories: Public, Internal/Private, Confidential, and Secret data, each requiring specific actions to ensure security.
Infrastructure Controls
Hosting Environment
DDI Services are hosted on Microsoft Azure (https://azure.microsoft.com). Microsoft data centres securely house the physical resources and infrastructure used to provide cloud solutions. Microsoft owns, operates and maintains all its physical data centres. All services are hosted in redundant US-based Azure datacentres.
Microsoft Azure cloud services operate with a cloud control framework, which aligns controls with multiple regulatory standards. Microsoft designs and builds cloud services using a common set of controls, which streamlines compliance across a range of regulations not only for today, but for tomorrow as well. Microsoft engages independent auditors to perform in-depth audits of the implementation and effectiveness of these controls.
Microsoft Azure is ISO/IEC 27001 and ISO/IEC 27017 certified. Audit reports, including SOC 1 and SOC 2, are available at https://servicetrust.microsoft.com.
DDI’s cloud supervision processes, tools, and technologies provide organised oversight, control, administration, and maintenance of cloud computing infrastructure, services, and resources. Supervisory tools cover both infrastructure and product-based setups, giving DDI administrators control, visibility, and scalability while adapting rapidly to changes in the cloud landscape. Examples of the critical operations are:
- installation, changes, and deletion of virtualised devices such as servers, networks and storage;
- termination procedures for cloud service usage;
- backup and restoration.
DDI maintains a detailed Disaster Recovery plan for restoring business service in the event of a large-scale system failure. This plan is updated as any changes are made to the system infrastructure or production web farm configuration and is tested on an annual basis.
Applicable Certifications/Standards
SSAE-18
DDI only stores data in data centres that have received independent, unqualified annual audits, originally as SAS 70 Type II audits. SAS 70 was superseded by the Statement on Standards for Attestation Engagements (SSAE) No. 16 in 2011 and then by SSAE No. 18 in 2017; DDI’s data centres are audited under the current SSAE 18 standard, with the results delivered as SOC 1 reports. Note that SSAE 18 is an attestation standard, so the outcome is an auditor’s report on controls rather than a certification.
ISO 27001 / ISO 27701
DDI only uses data centres that have demonstrated their adherence to ISO/IEC 27001 and ISO/IEC 27701 through periodic assessments and annual certification.
DDI maintains its own ISO/IEC 27001 and ISO/IEC 27701 certification and is audited annually.
SOC 1 / SOC 2
DDI has completed a SOC 2® Type 1 audit as of 2025-08-31, covering the Pinpoint and LeaderLab platforms. A Type 1 report attests to the design of controls at a point in time; operating effectiveness over a period is the subject of a Type 2 report.
DDI hosts all services in datacenters that have been audited for SOC1 and SOC2.
Server Hardening
DDI’s process for hardening servers includes the following measures:
- The disablement or removal of unnecessary services, applications, and network protocols.
- The disablement of unneeded user accounts and renaming of default accounts.
- Password requirements configured to comply with DDI’s Password Policy.
- Activation of server logging and audit trails.
- Installation of anti-virus / anti-malware software with current definition files.
- Configured with current security patches.
Patch Management
High impact patches are those that address a security risk with the potential to significantly impact DDI’s network at the time the patch is released, that is, a vulnerability that is already exploitable rather than theoretical. DDI distributes these patches to all devices after verifying and testing the patch on test platforms. Distribution occurs no later than 24 hours after identification.
Medium or Low impact patches are those that protect against a future security risk. DDI distributes these patches to all devices after testing the patch on test platforms and with a control group of users. Distribution occurs no later than 2 weeks after testing is complete; note that this clock starts when testing completes, not at identification.
Backup, Retention, and Archiving Procedures
Data is incrementally backed up nightly so that all applications and client data are preserved and can be restored after any loss of data or catastrophic event. Hot backups are made directly to a fast-access cloud storage tier and are then transferred to an archive storage tier. Retention is as follows:
- Daily backups are kept in hot storage for two weeks.
- Weekly full backups are kept in archive storage for one month.
- Monthly full backups are kept in archive storage for one year.
- Yearly full backups are kept in archive storage for five years.
Both the hot tier and the archive tier are encrypted with AES-256.
All backup data is stored in Commvault cloud or Azure (using native backup features). Rotation of the backups into archive tier storage is handled automatically by the respective platforms.
If a system recovery is necessary, DDI can retrieve the file, data, or system state from an on-line backup system. Depending on the volume of data being retrieved, system or database recovery typically takes anywhere from a few minutes to several hours.
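As an added illustration of this retention schedule (example code written for this page, not DDI’s or Commvault’s tooling), the Python model below computes which restore points exist on a given day and flags a failure mode that a raw day-count retention hides: a nightly incremental is only restorable while every backup between it and its base full is also retained. The backup calendar (yearly full on 1 January, monthly full on the 1st, weekly full on Sundays, incrementals on other nights) and the fixed day counts used for “one month” and “one year” are assumptions, not statements from the policy.

```python
"""Model of a daily/weekly/monthly/yearly retention schedule: which restore
points exist on a given day, and which retained incrementals are actually
restorable (their chain back to a full backup is still present)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Iterable, List


class Kind(Enum):
    DAILY = "daily incremental"
    WEEKLY = "weekly full"
    MONTHLY = "monthly full"
    YEARLY = "yearly full"


# Storage tier and retention per kind. "One month" and "one year" are
# approximated as fixed day counts here (assumption, not the policy's wording).
RETENTION = {
    Kind.DAILY: ("hot", timedelta(days=14)),
    Kind.WEEKLY: ("archive", timedelta(days=31)),
    Kind.MONTHLY: ("archive", timedelta(days=365)),
    Kind.YEARLY: ("archive", timedelta(days=5 * 365)),
}


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: Kind

    @property
    def tier(self) -> str:
        return RETENTION[self.kind][0]

    def retained_on(self, day: date) -> bool:
        # Restorable from the day it was taken up to, but excluding, its expiry day.
        return self.taken <= day < self.taken + RETENTION[self.kind][1]


def schedule(start: date, end: date) -> List[Backup]:
    """Backups the policy would have produced between start and end inclusive.
    Assumed calendar: yearly full on 1 Jan, monthly full on the 1st, weekly full
    on Sundays, daily incremental on every other night."""
    out, d = [], start
    while d <= end:
        if (d.month, d.day) == (1, 1):
            kind = Kind.YEARLY
        elif d.day == 1:
            kind = Kind.MONTHLY
        elif d.weekday() == 6:
            kind = Kind.WEEKLY
        else:
            kind = Kind.DAILY
        out.append(Backup(d, kind))
        d += timedelta(days=1)
    return out


def retained(backups: Iterable[Backup], day: date) -> List[Backup]:
    """All backups still within their retention window on `day`, newest first."""
    return sorted((b for b in backups if b.retained_on(day)),
                  key=lambda b: b.taken, reverse=True)


def broken_chains(backups: Iterable[Backup], day: date) -> List[Backup]:
    """Retained incrementals whose chain (every nightly backup back to the most
    recent full) has a missing or already-expired link; these cannot be restored."""
    backups = list(backups)
    by_date = {b.taken: b for b in backups}
    broken = []
    for b in retained(backups, day):
        if b.kind is not Kind.DAILY:
            continue
        d = b.taken
        while True:
            d -= timedelta(days=1)
            link = by_date.get(d)
            if link is None or not link.retained_on(day):
                broken.append(b)   # a link is gone: the incremental is orphaned
                break
            if link.kind is not Kind.DAILY:
                break              # reached the base full: chain complete


    return broken


def restorable(backups: Iterable[Backup], day: date) -> List[Backup]:
    """Retained backups minus the orphaned incrementals."""
    backups = list(backups)
    bad = set(broken_chains(backups, day))
    return [b for b in retained(backups, day) if b not in bad]


if __name__ == "__main__":
    plan = schedule(date(2024, 12, 1), date(2025, 3, 31))   # constructed sample window
    today = date(2025, 3, 31)
    print(len(retained(plan, today)), "retained;", len(restorable(plan, today)), "restorable")
    for b in broken_chains(plan, today):
        print("orphaned incremental:", b.taken)
```

Run against a constructed schedule from 1 December 2024 to 31 March 2025, the model keeps 21 restore points on 31 March (12 daily, 5 weekly, 3 monthly, 1 yearly), but the five oldest incrementals (18 to 22 March) depend on the 17 March incremental, which expired a day earlier, so only 16 points are actually restorable. Backup platforms generally let retention be expressed in full-backup cycles as well as days to close exactly this gap; that is the setting to confirm in the backup platform’s retention configuration rather than relying on the day counts alone.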
Change Management
Formal change management procedures are followed when introducing new or making changes to existing resources, inclusive of changes to configuration and infrastructure. Documented procedures to facilitate change requests including prioritization, review, approval, testing, and implementation of changes are in place. Changes are monitored during and after implementation.
Asset Recovery, Recycling and Disposal
Hardware Recycling/Disposal
When hardware has reached its end-of-life cycle, the hardware is stored in a locked asset room and retained for disposal. Retired equipment is recycled through an R2 Certified Recycling vendor, and DDI will receive a Detailed Destruction report of the assets that were recycled for record keeping.
Hard drives are sanitised as defined in NIST SP 800-88 by the approved recycling vendor(s), and DDI receives a Certificate of Destruction for record keeping.
Azure-based hardware resources are governed by Microsoft’s standards as defined here: https://learn.microsoft.com/en-us/azure/security/fundamentals/physical-security#data-bearing-devices
Network Security
Threat Intelligence
DDI maintains a Security Team composed of cross-functional experts in infrastructure and application security. This team is responsible for supporting the organization’s security posture through the identification and assessment of emerging and potential threats.
In coordination with the Privacy, Security, and Compliance Office (PSCO), the Security Team is accountable for gathering and analysing threat intelligence from both internal and external sources. This includes strategic, tactical, and operational threat information relevant to the organisation’s risk landscape.
The Security Team is responsible for ensuring that relevant threat intelligence is communicated to appropriate stakeholders within the organization. The Security Team leader is accountable for informing the Executive Leadership Team (ELT) of any threats that may have a direct or material impact on the organization, as appropriate.
Network Infrastructure
DDI’s services are hosted in a cloud instance utilizing services that provide dependable and scalable acceleration capabilities to our applications and platforms.
Infrastructure is placed behind firewalls that filter both inbound and outbound traffic. All access attempts are logged. Strong authentication is required for access to all assets.
Firewalls
Application Layer Firewalls are deployed in front of all assets/infrastructure and inspect inbound and outbound traffic while logging all sessions. All Application Layer Firewalls provide TLS decryption, IDPS, and threat-intelligence-enhanced rules.
Intrusion Detection and Monitoring
DDI uses a comprehensive set of tools that provide continuous real-time monitoring of every component to support security monitoring, patch management, and other remote administration functions. DDI engages a managed security services provider for security monitoring, intrusion detection systems (designed to detect potential threats in real time), and response processes.
DDI employs both host-based and network-based detection systems that are monitored and responded to on a 24x7 basis. DDI IT are notified immediately upon the detection of any anomalies. Weekly reports are provided to DDI for review.
Malware and Anti-Virus Protection
DDI is committed to maintaining the security and integrity of its technology environment through continuous monitoring of its networks, systems, and applications. Monitoring activities are designed to detect anomalies, ensure system health, and support timely response to potential security threats.
All relevant systems are subject to monitoring for security-related events. Alerts generated from monitoring tools are directed to designated personnel to ensure appropriate and timely response.
DDI ensures that systems are protected by centrally managed security solutions, including anti-virus and threat detection technologies. These protections are applied across endpoints, servers, and gateway systems to mitigate risks associated with malware and other malicious activity.
DDI employs layered security controls, including content and heuristic scanning, to safeguard email and web traffic and to help ensure that data entering or leaving the environment is free from known threats.
Secure Data Transmission and Encryption
All DDI applications support secure data transmission using industry-accepted encryption protocols (TLS 1.2 and above). Sensitive credentials, such as passwords and API keys, are stored using encrypted mechanisms.
Data transferred from DDI-managed devices to external storage remains encrypted to prevent unauthorized access. Encryption controls are enforced on the destination drive regardless of the sensitivity classification of the data.
Email is not considered a secure communication channel by default. However, DDI provides mechanisms to enable encryption for email communications when required to protect sensitive information.
Application Security
Role-Based Security
Applications use a role-based security model to determine access rights. Client data is segregated logically based on site, role, user, and client-controlled user access groups.
Account Administration and Least Rights Access
DDI enforces strict control over infrastructure administration and account management to protect systems and data from unauthorized access.
Access to systems and data is governed by the principle of Least Rights Necessary, ensuring that users are granted only the minimum level of access necessary to perform their job functions. This applies to all users, including DDI personnel, client representatives, and authorized end-users.
Strong authentication practices are required for all user and service accounts. Account access is subject to controls to prevent unauthorized use, including lockout mechanisms and deactivation upon termination of employment or contract.
Direct Database Access
DDI enforces strict controls over privileged access to sensitive systems and data, including database environments. Access at the database level is limited to a small number of authorised personnel and is granted solely for operational purposes such as backup and restoration activities. These activities are conducted at the control plane level without data plane level access.
All privileged access is formally requested, justified, and approved in accordance with DDI’s identity governance framework. Access is time-bound and subject to monitoring and review to ensure compliance with organisational security standards.
Privileged account management is supported by identity governance tools to enforce access controls, monitor usage, and maintain accountability. Additional background verification requirements may apply for individuals with elevated access privileges, as outlined in DDI’s Background Check Policy.
Access to Application Data
DDI defines distinct roles for end-users within its application systems to ensure appropriate access and data handling practices. These include Client Participants, Client Administrators and DDI System Users.
Access to user data by DDI personnel is limited to what is necessary to fulfil support or operational responsibilities. When technical support is requested, temporary access to user accounts may be granted to authorised support personnel for the sole purpose of resolving the issue. Such access is restricted in scope and duration and is governed by DDI’s data protection and privacy standards.
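The access model described in the Role-Based Security, Least Rights Access and Access to Application Data sections above (site-level segregation of client data, the three user roles, client-controlled access groups, and temporary time-bound support access for DDI personnel) can be expressed as one deny-by-default authorization check. The Python below is an added example written for this page, not DDI’s application code; the permission names, the “ddi” home site for DDI staff, and the SupportGrant record are assumptions.

```python
"""Deny-by-default authorization with tenant (site) segregation, the three user
roles named in this document, client-controlled access groups, and time-bound
support grants for DDI personnel. Illustrative model, not DDI's code."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import FrozenSet, Iterable, Optional


class Role(Enum):
    CLIENT_PARTICIPANT = "client_participant"
    CLIENT_ADMINISTRATOR = "client_administrator"
    DDI_SYSTEM_USER = "ddi_system_user"


# Permission names are illustrative (assumption). A ":own" suffix means the
# action is only allowed on records the principal owns.
ROLE_PERMISSIONS = {
    Role.CLIENT_PARTICIPANT: frozenset({"assessment:take", "result:read:own"}),
    Role.CLIENT_ADMINISTRATOR: frozenset({"account:manage", "workflow:manage", "result:read"}),
    Role.DDI_SYSTEM_USER: frozenset({"content:manage", "workflow:manage", "account:manage"}),
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    site_id: str                      # client site the user belongs to; "ddi" for DDI staff (assumption)
    role: Role
    access_groups: FrozenSet[str] = frozenset()   # membership is controlled by the client


@dataclass(frozen=True)
class Resource:
    site_id: str
    owner_id: str
    access_group: Optional[str] = None   # client-set gate; None means no group restriction


@dataclass(frozen=True)
class SupportGrant:
    """Temporary, ticketed access for a DDI user into one client site (assumed record)."""
    user_id: str
    site_id: str
    ticket: str
    expires_at: datetime


def has_live_grant(p: Principal, site_id: str, grants: Iterable[SupportGrant], now: datetime) -> bool:
    return any(g.user_id == p.user_id and g.site_id == site_id and now < g.expires_at
               for g in grants)


def authorize(p: Principal, action: str, r: Resource,
              grants: Iterable[SupportGrant] = (), now: Optional[datetime] = None) -> bool:
    """True only when every rule passes; anything not explicitly allowed is denied."""
    now = now or datetime.now(timezone.utc)
    grants = list(grants)
    # Rule 1: site boundary. Only DDI staff may cross it, and only under a live, ticketed grant.
    if p.site_id != r.site_id:
        if p.role is not Role.DDI_SYSTEM_USER or not has_live_grant(p, r.site_id, grants, now):
            return False
    # Rule 2: the role must hold the permission (a grant never widens the role).
    if action not in ROLE_PERMISSIONS.get(p.role, frozenset()):
        return False
    # Rule 3: ":own" permissions are limited to the principal's own records.
    if action.endswith(":own") and r.owner_id != p.user_id:
        return False
    # Rule 4: client-controlled access groups gate everyone, support staff included.
    if r.access_group is not None and r.access_group not in p.access_groups:
        return False
    return True
```

Each rule narrows rather than widens: a support grant lets a DDI system user into a client site for a bounded time but does not add permissions the role lacks, and the client’s access groups still apply. Checking `now < g.expires_at` with an explicit `now` keeps the decision deterministic and testable, and an expired grant fails closed rather than silently continuing to work.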
Application Penetration Testing
DDI is committed to proactively identifying and mitigating security vulnerabilities within its application environments. To support this objective, DDI engages independent security experts to conduct regular application security assessments.
These assessments include both automated and manual testing techniques to identify a broad range of vulnerabilities, including those specific to application logic and configuration, as well as known security weaknesses.
Assessment findings are reviewed by designated security and product leadership to evaluate potential risks and determine appropriate remediation actions. Identified vulnerabilities are prioritised based on severity and business impact, and remediation efforts are tracked and managed in accordance with DDI’s risk management framework.
All findings and associated risk decisions are documented and subject to oversight by the Director, Global Technology Services & Security to ensure consistent application of security standards and alignment with organisational risk tolerance.
Vulnerability Classification
Vulnerability classification and remediation is defined in DDI’s Vulnerability Management Policy.
DDI Associate Policies
DDI employs rigorous processes and controls over access and permissions for all infrastructure components, networks, firewalls, servers, databases, etc. This is strictly controlled within the Global Technology Group who has the final authority on all administrative user access, and system monitoring/notifications, as well as OS, security, and application updates.
Screen Locking
All computers are configured with a password-protected screen lock that activates after 15 minutes of inactivity; the user must then re-enter their password to regain access to the computer.
Passwords
DDI’s Password Policy includes requirements on complexity, length, aging, and multi-factor authentication.
Remote Working
Telework or remote work requirements are identified, established, and implemented to protect data while away from a physical location. Standards and the associated technical and administrative controls are implemented to facilitate teleworking. Endpoints are protected by security hardening, malware protection, and host-based monitoring. Standards and the associated technical and administrative controls are implemented to facilitate the protection of information from fraudulent activity and unauthorised disclosure or modification while passing over public networks.
Remote access to DDI systems via VPN is secured using industry-standard authentication and encryption technologies. All endpoints and systems are protected by appropriate security controls to maintain the confidentiality, integrity, and availability of organisational data. Only DDI-managed devices that meet security and compliance requirements are able to connect remotely via VPN.
Revoking Access
DDI enforces strict controls to ensure that administrative access to systems and application platforms is limited to individuals with a current and legitimate business need. Access is revoked when it is no longer required due to changes in job responsibilities or termination of employment.
Access rights are reviewed on a regular basis to ensure alignment with role-based responsibilities and to maintain the principle of least privilege. Adjustments are made as necessary to reflect organisational or personnel changes.
Data Privacy and Security Awareness Training
All DDI associates receive regular training and best practice guidance on data privacy, security, and confidentiality. Completion of training is monitored to promote the highest level of compliance. Regular simulated phishing attacks are also conducted to help DDI associates be more aware and respond to such attacks appropriately.
Web Filtering
DDI manages access to external web resources to reduce exposure to malicious content and protect organisational systems and data. Access to known or suspected harmful websites is restricted, and the use of unauthorized web resources is prohibited.
Cookies
DDI uses cookies and similar technologies to enhance user experience, support system functionality, and improve the delivery of content and services. These technologies help facilitate navigation, personalise content, support feedback mechanisms, and enable analytics and marketing efforts.
Cookies used by DDI do not store personal data and are implemented in a manner that aligns with privacy and security best practices. Certain cookies that are essential to the operation of DDI systems are required and cannot be disabled by users.
To review the full cookie policy, please refer to https://www.ddiworld.com/privacy.
Product Development Process and Code Management
Development Release Cycle
DDI follows an agile software development methodology to support continuous improvement and rapid responsiveness to client needs. This iterative approach enables the organisation to deliver enhancements, updates, and fixes to its application platforms on a regular basis.
Software releases are planned and executed on a recurring basis, with the flexibility to deploy urgent updates outside of the standard release cycle when necessary. All releases are subject to appropriate review, testing, and approval processes to ensure quality and minimise disruption.
Development Environments
DDI maintains separate environments for software development, testing, and production to ensure the integrity and security of its systems and data. Code under development is isolated from production environments and does not interact with live data.
All testing and development activities are conducted using non-production environments and data to prevent unauthorized access to or manipulation of operational systems and sensitive information.
Code Review
All code developed by DDI is subject to peer review and quality assurance testing in non-production environments prior to release.
To ensure the reliability and security of application code, DDI incorporates both manual and automated review processes. These include testing for functionality and the identification of known vulnerabilities before deployment to production systems.
Code Management
DDI maintains structured controls over the software development lifecycle to ensure the integrity, traceability, and quality of application code. A centralised version control system is used to manage source code and coordinate contributions from multiple developers, preventing conflicts and preserving code history.
Formal change control processes are in place across development, quality assurance, and implementation stages. These include documented change requests, review and approval by designated application owners, and controlled promotion of code between environments.
All software changes are subject to a multi-phase testing process to validate functionality and security prior to deployment. Testing is conducted in isolated environments to ensure that only verified code is introduced into production systems.
Global People Services (Human Resource Policies)
Confidential Information
Upon hire, all DDI associates are required to sign a confidentiality agreement that specifically addresses the concerns and risks of dealing with confidential information. Any associate found to have violated this policy is subject to appropriate disciplinary actions up to and including termination or any applicable legal action. In addition, employees review and sign a Code of Business Conduct and Ethics annually.
Background Check Policy and Procedure
DDI believes that hiring qualified individuals to fill positions contributes to the overall strategic success of the company. Background checks serve as an important part of the selection process at DDI. This type of information is collected as a means of promoting successful candidate matches for the position, as well as ensuring a safe and secure work environment for current and future employees. Background checks help DDI obtain additional applicant related information that helps determine the applicant's overall employability, ensuring the protection of the current people, property, and information of the organisation.
DDI’s full Background Check Policy and Procedure can be made available for viewing if requested. To request the policy, please visit https://trust.ddiworld.com/.
Credential Verification
DDI’s pre-employment checks are designed to ensure that all associates are confirmed to have the degrees and certifications that they purport and/or are required to have. All prospective associates have their stated employment histories and integrity references verified.
SSN Verification
All US-based associates are verified legal US workers, and Social Security Numbers or work authorisations are verified.
Disciplinary Action
A formal disciplinary process is established and implemented for non-compliance to information security policies, standards, and procedures.
Business Continuity
Information privacy and security aspects of business continuity are managed to support the availability of information resources and to support capacity management requirements. Processes are implemented for information security and for continuity of information security management in adverse situations. Requirements are implemented to ensure that information privacy and security continuity controls are verified at regular intervals to assess their validity and effectiveness during adverse situations. Administrative and technical controls are implemented at corporate facilities to meet availability requirements.
Security Incident Response
DDI maintains a comprehensive security incident detection and response framework to ensure timely identification, containment, and resolution of security-related events. This includes the use of appropriate technical and procedural measures to detect and respond to both computer-related and non-computer-related incidents.
All security incidents involving unauthorised access to or loss of confidential information are subject to formal investigation and response procedures. DDI is committed to notifying affected or potentially affected clients of any confirmed security incident or breach within 48 hours of discovery.
Security concerns or incidents may be reported through designated channels. Clients may report potential privacy or security incidents as complaints through https://trust.ddiworld.com.
Physical Security
Physical locations shall be protected from unauthorised physical access, environmental threats, damage, and interruption. Security perimeter protection mechanisms are implemented to reduce the risk of unauthorised access. Access controls are implemented to restrict physical access. Environmental protection controls are implemented to ensure physical locations are protected from external and environmental threats. Monitoring of physical security and environmental related incidents are implemented. Utility and safety mechanisms are implemented commensurate with the criticality of the location. Work area and workstation measures are implemented to protect sensitive information.
Enforcement and Compliance
Regular audits will be conducted to ensure compliance with this policy. Non-compliance shall be addressed promptly, and corrective actions will be taken. Management is responsible for ensuring individuals within their realm of responsibilities are aware of and comply with relevant policies and procedures.
This policy may be updated periodically and without prior notice. DDI will indicate at the top of the statement when it was most recently reviewed.