It gives us enormous pleasure to announce that Dotdigital has retained all three of its ISO certifications after passing eight days of auditing with no non-conformities being raised. Since obtaining our ISO 27001 certification in 2020, we have undergone regular audits. However, this is the first time Alcumus (our external auditors) have assessed all aspects of our three standards (ISO 27001, ISO 14001, and ISO 27701) simultaneously.

Our commitment to ISO standards

Since 2020, Dotdigital has opted to implement 3 ISO standards, underpinning its commitment to the protection of Information, the promotion of sustainability, and positive environmental behaviors. The three standards Dotdigital is certified to are:

• ISO 27001 – Information Security Management 
• ISO 27701 – Privacy Information Management 
• ISO 14001 – Environmental Management 

The global significance of ISO certifications

The International Organisation for Standardization (ISO) is an independent body that sets global standards for safety, security, and quality. As the name suggests, its goal is to define standards for best practices that can be implemented, irrespective of the size, type, or location of an organization. By holding these certifications, we can show global clients and prospects that Dotdigital is the obvious choice for responsible marketers wanting a customer experience and data platform. Not forgetting that we’re also the world’s first carbon-neutral, ISO 14001-certified CXDP.

Over time there have been various protocols used to achieve this secure transmission of data, and more recently, Dotdigital has supported TLS (Transport Layer Security) versions 1.0, 1.1, 1.2, and 1.3.

The time has come for us to turn off support for the older versions of the protocol; these being 1.0 and 1.1.  However, we’ll continue to support TLS 1.2 and 1.3 for the foreseeable future.

When will these changes happen?

We are switching off TLS versions 1.0 and 1.1 in two stages. For the first stage, on all of our web applications. And then for the second stage, on our API endpoints. This is to allow enough time, for customers with integrations, to make any necessary changes to their infrastructure.

After these dates, connections from systems that do not support TLS 1.2 or higher will fail, and services will appear unavailable.

Why the change?

TLS 1.0 and 1.1 have been considered legacy protocols for some time now, as they do not offer the same level of security as their more modern counterparts with organizations such as NIST and the NCSC advising against their use.

At Dotdigital, we’ve managed the security vs usability trade-offs by disabling the weaker parts (ciphers) of the legacy protocols, and mitigating against known exploits – all while continuously monitoring usage across our infrastructure. Using those metrics, we’re now in an excellent position to disable the legacy protocols on our web applications without impacting our customers (with legacy TLS usage making up 0.05% of all connections).  This is predominately down to internet browsers now auto-updating, and in more recent versions of the browsers, only enabling TLS 1.2 and 1.3 by default.

Across our API endpoints, we still see a higher percentage of legacy TLS usage.  This is down to the server software on which our customers build their integrations tending not to have the same auto-update functionality – requiring somebody to apply the updates on the server manually.

We’re advising all customers using our APIs to check with their IT administrator contacts to ensure that their integrations and software can support TLS 1.2 or 1.3.  We will continue to analyze the data and will attempt to contact those customers still using legacy protocols where possible.

Questions?

If you have any questions please contact security@dotdigital.com You can check your own browser’s TLS support by visiting Qualys SSL Labs, and confirming that TLS 1.2 and 1.3 say “Yes”