We adhere to principles of transparency (no security through secrecy) and least privilege. Our communication channels are end-to-end encrypted/ All data access is scoped by roles and we rely on strong user authentication to identify requesters.
DIMO takes full database snapshots on a daily basis and uploads transaction logs for database instances to backup storage every 5 minutes. These snapshots are stored for 7 days, accordingly DIMO can safely restore databases to any point in the last week (with 5 minute granularity) as needed.
DIMO HSM system currently has immutable audit logs generated via Amazon Cloudwatch. Every wrapper key generation, and data key encryption or decryption event appends an entry to the log. In parallel, DIMO logs data accesses from the KMS. DIMO plans to open up these logs to all users and developers in the near future. This will enable end-users to verify how their data is used, as well as developers to audit HSM usage on their end.