Encrypted end to end
AES-256 at rest, TLS 1.2+ in transit. Keys are managed in a hardware-backed key service.
Immutable by default
Object-locked backups cannot be altered or deleted before retention expires — even with stolen admin credentials.
Least privilege
Role-based access, mandatory MFA, and fully logged administrative actions.
Multi-provider
Backups replicate across independent storage clouds so no single failure or compromise loses your data.
Encryption
All backup content is encrypted with AES-256 before it leaves the practice and stays encrypted at rest. Data in transit is protected with TLS 1.2 or higher. Encryption keys are managed in a hardware-backed key-management service and are never stored alongside the data they protect.
Immutability
Backups are written as immutable, object-locked objects. For the length of their retention, they cannot be overwritten or deleted by anyone — not an attacker, not a rogue insider, not a compromised admin account. This is what turns a backup into a recovery guarantee.
Access control
Access follows least privilege. Every console user authenticates with mandatory multi-factor authentication, holds a scoped role, and operates within their own tenant. Administrative actions are logged to an append-only audit trail. Our own staff's access to customer environments is restricted, time-boxed, and recorded.
Infrastructure & redundancy
Backups are replicated across independent storage providers — including Backblaze, Wasabi, and Cloudflare R2 — so the loss or compromise of any single provider never costs you your data. The control plane runs on hardened, continuously patched infrastructure with network segmentation between tenants.
Monitoring & incident response
We monitor the fleet 24/7 for anomalies, failed backups, and signs of compromise. A documented incident-response plan governs how we detect, contain, and communicate security events, and we notify affected customers without undue delay, consistent with our contractual and legal obligations.
Compliance & auditing
DDSArk operates HIPAA-aligned controls with a signed Business Associate Agreement for every customer. Our security documentation and questionnaire responses are available under NDA on request.
Responsible disclosure
If you believe you’ve found a security vulnerability, we want to hear from you. Email [email protected] with the details. We investigate every report, will not pursue good-faith researchers, and aim to acknowledge reports within two business days.
Questions about this document?
Our team responds to legal and compliance inquiries within two business days.