For more than two decades, DataMotion has built its foundation on a “trust no one, trust nothing” philosophy: every system, every connection, and every user must earn trust through rigorous security. This zero-trust mindset guided us long before the term became an industry buzzword.
So, when we signed the Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design Pledge nearly a year ago, it wasn’t a pivot—it was a natural extension of who we are and how we’ve always operated. It provided a formal framework to articulate and enhance our long-standing commitment to security and compliance.
The Secure by Design Pledge isn’t just a checkbox for us; it’s a roadmap to continue building products that our customers can trust implicitly. Over the past year, we’ve made measurable strides embedding security deep into our design principles, fostering transparency, and collaborating with the broader cybersecurity community.
Understanding the CISA Secure by Design Pledge Principles
The CISA Secure by Design Pledge is a voluntary commitment by software manufacturers to build products with fewer security vulnerabilities and to reduce the impact of those that are exploited. The core idea is to shift the burden of security away from the customer and back onto the manufacturer, embedding security from the ground up.
The pledge is centered around seven core principles:
- Increase the use of multi-factor authentication (MFA).
- Reduce the use of default passwords.
- Reduce entire classes of vulnerability.
- Increase the installation of security patches by customers.
- Publish a vulnerability disclosure policy (VDP).
- Demonstrate transparency in vulnerability reporting by publishing CVE records with CWE and CPE fields populated.
- Increase customers’ ability to gather evidence of intrusions.
Today, we’re excited to share our progress, showing how this pledge aligns with our legacy while pushing us to new heights in delivering secure, trustworthy, and compliant solutions that our customers can rely on. Here’s a look at key areas where we’ve advanced our practices in alignment with these principles:
Our Progress: Actions Aligned with the CISA Pledge
1. Increasing Multi-Factor Authentication (MFA)
MFA is a cornerstone of secure access, and we have made it available across all DataMotion implementations, including on-premises, managed, and Platform as a Service (PaaS) instances. Many of our customers embed our platform into their own workflows, so their end users authenticate through the customer’s identity system; users who sign in to DataMotion directly typically use MFA with one-time codes or an authenticator app. We also require MFA internally on every tool that has a login. We are actively exploring additional integrations to simplify and accelerate MFA adoption for customers in regulated industries like healthcare and finance, making secure access frictionless for both employees and external users.
2. Strengthening Authentication by Restricting Default Passwords
Default or weak passwords are incompatible with our zero-trust approach. We block default and commonly used passwords outright, requiring MFA, Single Sign-On (SSO) with leading identity providers, or strong, unique passwords by default across all implementations. This practice predates the pledge, aligns with CISA’s goals, and removes a common attack vector. We continue to prioritize frictionless yet secure authentication for our customers.
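As an added illustration of the blocklist check described above (example code, not DataMotion’s implementation), the function below rejects default, common and context-specific passwords before they are accepted at account creation. The BLOCKLIST, the 12-character minimum and the context words are assumptions constructed for the example; a production deployment would load a real list of vendor defaults and breached passwords.

```python
"""Blocklist-based rejection of default, common and context-specific
passwords.  Example code, not DataMotion's implementation; BLOCKLIST is a
short constructed stand-in for a real breached/default-password list."""
import re
import unicodedata
from typing import Iterable, List

MIN_LENGTH = 12  # assumption for this example; NIST SP 800-63B requires at least 8

# Constructed stand-in.  A real deployment loads vendor defaults plus a
# large list of passwords known from breach corpora.
BLOCKLIST = {
    "password", "admin", "administrator", "changeme", "welcome",
    "letmein", "qwerty", "12345678", "123456789", "iloveyou",
}


def normalize(pw: str) -> str:
    """Fold case and Unicode compatibility forms, then strip trailing digits
    and symbols so 'Password123!' is compared against the list as 'password'."""
    folded = unicodedata.normalize("NFKC", pw).casefold()
    stripped = re.sub(r"[\d\W_]+$", "", folded)
    return stripped or folded  # all-digit passwords keep their folded form


def password_problems(pw: str, username: str,
                      context_words: Iterable[str] = ("datamotion",)) -> List[str]:
    """Return the reasons a candidate password is rejected; [] means accepted."""
    problems: List[str] = []
    folded = pw.casefold()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if folded in BLOCKLIST or normalize(pw) in BLOCKLIST:
        problems.append("matches a default or commonly used password")
    if pw and len(set(folded)) == 1:
        problems.append("single repeated character")
    # Context-specific words: the account name and the service name.
    for word in (username.casefold(), *(w.casefold() for w in context_words)):
        if word and word in folded:
            problems.append(f"contains {word!r}")
    return problems
```

Normalizing before the lookup matters: most "strong password" rules would accept `Password123!`, but after folding and stripping the trailing suffix it is the blocklisted word `password`, which is how it appears in breach corpora.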
3. Reducing Vulnerability Classes
Our “secure by design” development process is engineered to reduce vulnerability classes before they reach production environments. We run comprehensive automated scans on every release and perform manual penetration tests throughout the year, so that no release ships with known, unremediated vulnerabilities. In the past year, we identified and resolved six vulnerabilities in production environments within an average of three days, demonstrating our rapid response capability and minimizing exposure for our customers. We continue to explore techniques such as memory-safe programming practices to further reduce vulnerability classes in future platform updates.
4. Streamlining Security Patch Installation
As a secure PaaS provider hosted on Microsoft Azure, we centrally manage and deploy security patches across all customer instances as soon as needed. This streamlined process is a core part of our operations and directly supports CISA’s emphasis on rapid patch deployment. It removes the burden from our customers’ IT teams and ensures they receive timely, consistent protections without delay or configuration complexity. We continuously optimize our patching cadence to balance critical security updates with platform reliability and performance.
5. Publishing a Clear Vulnerability Disclosure Policy (VDP)
Transparency and collaboration are vital in cybersecurity. We’ve published a comprehensive Vulnerability Disclosure Policy, encouraging good-faith security researchers to report potential issues they discover. This policy outlines a clear process for coordinated disclosure and protects researchers who identify and report vulnerabilities responsibly. Formalizing this process has reinforced our platform’s resilience by leveraging the expertise of the broader security community and demonstrates our commitment to open security practices.
6. Improving Vulnerability Transparency and Accountability
Our vulnerability management process ensures transparency and accountability. Alongside our scanning and testing efforts, we document vulnerabilities, including the six identified and resolved in production this year, in Common Vulnerabilities and Exposures (CVE) records with the Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) fields populated. This adherence to standard industry identifiers provides clarity, builds trust with customers and the security ecosystem, and supports our customers’ own risk management and audit processes.
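The check below is an added example (not DataMotion’s tooling) of what populated CWE and CPE fields look like in a CVE JSON 5.x record, and of how to verify them before publication: each `problemTypes` description of type `CWE` must carry a `cweId`, and each `affected` product must carry CPE 2.3 formatted strings of the right shape. The two records are constructed, with a placeholder CVE ID and a fictitious vendor and product; they describe no real vulnerability.

```python
"""Validate that a CVE JSON 5.x record carries the CWE and CPE fields the
pledge asks manufacturers to populate.  Added example, not DataMotion's
tooling; the records below are constructed (placeholder CVE ID, fictitious
vendor and product) and describe no real vulnerability."""
import re
from typing import Dict, List

CWE_RE = re.compile(r"^CWE-\d+$")
# A CPE 2.3 formatted string has 13 colon-separated components:
# cpe, 2.3, part, vendor, product, version, update, edition, language,
# sw_edition, target_sw, target_hw, other.  Colons inside a component are
# backslash-escaped, so split only on unescaped colons.
CPE23_COMPONENTS = 13
CPE23_PARTS = {"a", "o", "h"}  # application, operating system, hardware


def is_valid_cpe23(cpe: str) -> bool:
    fields = re.split(r"(?<!\\):", cpe)
    return (
        len(fields) == CPE23_COMPONENTS
        and fields[0] == "cpe"
        and fields[1] == "2.3"
        and fields[2] in CPE23_PARTS
        and all(fields[3:5])  # vendor and product must be filled in
    )


def check_cve_record(record: Dict) -> List[str]:
    """Return the problems found; an empty list means the record passes."""
    problems: List[str] = []
    cna = record.get("containers", {}).get("cna", {})

    # CWE: problemTypes[].descriptions[] entries of type "CWE" with a cweId.
    cwe_ids = [
        d.get("cweId")
        for pt in cna.get("problemTypes", [])
        for d in pt.get("descriptions", [])
        if d.get("type") == "CWE"
    ]
    if not cwe_ids:
        problems.append("no problemTypes entry of type CWE")
    problems.extend(f"malformed cweId: {c!r}" for c in cwe_ids
                    if not (c and CWE_RE.match(c)))

    # CPE: every affected[] entry should carry well-formed cpes[].
    affected = cna.get("affected", [])
    if not affected:
        problems.append("no affected products listed")
    for i, product in enumerate(affected):
        cpes = product.get("cpes", [])
        if not cpes:
            problems.append(f"affected[{i}] has no cpes")
        problems.extend(f"affected[{i}] has malformed CPE: {c!r}"
                        for c in cpes if not is_valid_cpe23(c))
    return problems


# Constructed record: placeholder ID, fictitious vendor and product.
GOOD_RECORD = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-XXXX-XXXXX", "state": "PUBLISHED"},
    "containers": {"cna": {
        "affected": [{
            "vendor": "examplevendor",
            "product": "exampleproduct",
            "versions": [{"version": "1.0", "status": "affected",
                          "lessThan": "1.1", "versionType": "semver"}],
            "cpes": ["cpe:2.3:a:examplevendor:exampleproduct:1.0:*:*:*:*:*:*:*"],
        }],
        "problemTypes": [{"descriptions": [{
            "lang": "en", "type": "CWE", "cweId": "CWE-79",
            "description": "CWE-79 Improper Neutralization of Input During Web Page Generation",
        }]}],
        "descriptions": [{"lang": "en", "value": "Constructed example description."}],
    }},
}

# The same record with the two pledge-relevant fields degraded: a free-text
# problem type with no cweId, and a truncated CPE string.
BAD_RECORD = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-XXXX-XXXXX", "state": "PUBLISHED"},
    "containers": {"cna": {
        "affected": [{
            "vendor": "examplevendor",
            "product": "exampleproduct",
            "versions": [{"version": "1.0", "status": "affected"}],
            "cpes": ["cpe:2.3:a:examplevendor:exampleproduct:1.0"],
        }],
        "problemTypes": [{"descriptions": [
            {"lang": "en", "type": "text", "description": "cross-site scripting"},
        ]}],
        "descriptions": [{"lang": "en", "value": "Constructed example description."}],
    }},
}
```

Running `check_cve_record` as a pre-publication gate catches the two most common omissions: a problem type written as free text instead of a typed `CWE` entry, and a CPE string that names the product but is missing the trailing wildcard components that tooling such as vulnerability scanners needs in order to match it.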
7. Enhancing Intrusion Detection and Monitoring
Robust monitoring is essential for detecting and responding to potential threats. We have deployed Microsoft Azure Front Door at the network edge; its edge-level logging complements our existing logging and audit review processes and gives detailed visibility into the traffic reaching the platform, enabling rapid anomaly detection and proactive threat identification. Our granular audit logs let our security and operations teams investigate incidents effectively and give customers the records they need for compliance and security monitoring, in line with the pledge’s focus on evidence of intrusions.
Looking Ahead
DataMotion’s journey with the CISA Secure by Design Pledge has affirmed our zero-trust roots while sharpening our focus on transparency, collaboration, and continuous improvement. Many of these practices were already embedded in our DNA, but the pledge has provided a valuable framework to measure and share our progress more formally.
As we move forward, we’re committed to continued innovation in authentication methods, vulnerability reduction strategies, and threat detection capabilities. Our aim is not just to meet industry standards, but to help set them for secure data exchange. We are dedicated to delivering the most secure, compliant, and efficient platform for your critical digital interactions.
Join us in building a safer digital future through secure, compliant interactions. Explore our commitment to security and learn more about our platform by visiting the DataMotion Platform page or by reviewing our Vulnerability Disclosure Policy.