Standards you can feel good about
With information security breaches all too common, teams must take measures to reduce risk. RFPIO maintains industry best practices and adheres to global standards to help our customers meet their own compliance standards and security requirements.
- Security by Design
Secure software development
RFPIO’s design and development lifecycle is based on the Build Security-In Maturity Model, a framework that incorporates secure design and development principles throughout the software design and development lifecycle.
Well-architected system
RFPIO’s flexible multi-tier architecture is designed to be scalable and resilient. The design follows industry best practices for hardening, isolation, availability, and recovery. Security is built into the architecture in layers for added security. The security layers include Intrusion Detection and Intrusion Prevention Systems (IDS/IPS), anti-virus and anti-malware protection, network firewalls, Host-based Intrusion Detection Systems (HIDS), Data Leak Prevention, DDoS protection, monitoring and alerting systems, and network isolation.
Network security
RFPIO takes a layered approach to network security, implementing industry best practices at each layer with isolation and controls. At the core of the network security is access control. By sufficiently isolating the layers, we are able to control access through virtual private cloud (VPC), firewall rules, application layer firewall, and network hardening. Additionally, we implement intrusion detection and prevention systems, along with intelligent threat detection and monitoring.
Independent validation
We conduct regular security vulnerability scans, static code analysis, and dynamic security testing throughout the release cycles. In addition to internal scans, we also conduct annual penetration testing executed by independent third-party penetration testing organizations.
- Data Security
Tenant isolation
RFPIO is a multi-tenant SaaS application. A key consideration in the design of the platform is tenant isolation to ensure that customers sharing the common infrastructure are logically segregated and that one tenant’s actions do not impact another. To ensure this, we logically segregate one customer’s data from another when at rest. Additionally, every request, without exception, is validated against a unique tenant ID to ensure every transaction is authenticated. This tenant ID authentication is performed regardless of the origin of the request to make sure every request is independently authenticated regardless of the source and context.
Access control
All customer data, regardless of how it is acquired or the nature of the data, is classified as confidential data, requiring the highest degree of controls and protections. RFPIO support staff are prohibited from accessing any data that is not directly related to the service they are providing, and are prohibited from downloading and/or storing any customer data to their devices. Development and production environments are maintained completely independently, and customer data is never loaded in development or test environments.
Data disposition
Data disposition is a shared responsibility between RFPIO and customers. The application provides customer admins and users ways to delete and dispose of data in a timely manner. RFPIO retains customers’ data in accordance with the data retention policy, and safely and securely deletes the data at the end of the retention period. Once permanently deleted, customer data is rendered completely unrecoverable, giving you the peace of mind that your confidential data can never be accessed.
Encryption
All communications with and within the RFPIO platform are encrypted with industry-standard HTTPS/TLS 1.2 (or higher) over the networks without exceptions. This ensures that all traffic between the clients and RFPIO is secure in transit. All data at rest is encrypted using AES-256 key encryption (or higher). As an added layer of security, passwords are hashed with salting to ensure they are never recoverable.
- Cloud Security
Hosting
RFPIO hosts data primarily in AWS data centers that meet most major compliance standards, including SOC, FISMA, FedRAMP, DoD CSM, PCI DSS, and ISO 9001 / ISO 27001. AWS’s security program covers all aspects of security, including Physical and Environment Security, Business Continuity Management, Network Security, Access Controls, Account Management, Secure Design Principles, Change Management, Logging and Audit Capabilities, and Security Checks.
Layers of security
Our flexible, multi-tier architecture is designed to be scalable, resilient, and highly secure. The security layers include: Intrusion Detection and Intrusion Prevention Systems (IDS/IPS), anti-virus and anti-malware protection, network firewalls, Host-based Intrusion Detection Systems (HIDS), Data Leak Prevention, DDoS protection, monitoring and alerting systems, and network isolation.
Reliability
We have designed, architected, and built a highly resilient platform with sufficient redundancy, scalability, and failover capabilities to minimize downtime. Additionally, we host our services with our cloud-hosting partners that offer multiple levels of built-in redundancy and geographical distribution. We understand even the best designed and tested systems can experience failures. For such rare events, we have state-of-the-art monitoring and alerting systems in place so our engineers can proactively respond to issues that could lead to service disruptions.
Business continuity
We have implemented a comprehensive Business Continuity & Disaster Recovery program. We test the business and disaster recovery plans over and over again, so they become muscle memory when disaster strikes. We continuously evaluate and revise our plans to ensure that they stay up to date as our technology and architecture evolve, as well as to keep pace with the evolving threat landscape. Our Disaster Recovery Plan considers how to deal with the following possible events:
- Natural disasters (i.e. earthquakes, fires, floods, and storms)
- Computer software or hardware failures
- Computer shutdowns due to hackers, viruses, etc.
- Processing shutdowns
- Power disruptions, power failure
- Labor strife (i.e. walkouts or shutdowns)
- Terrorist acts (or acts of war)
- Product Security
Security testing
Our system undergoes vulnerability and dynamic status scans prior to each release. Our secure development lifecycle process includes the following:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Interactive Application Security Testing (IAST)
Vulnerability management
Our vulnerability management program is modeled after the industry-standard framework. Components include:
- Scheduled vulnerability scanning
- Asset tracking and identification
- Patch management (testing and applying patches)
- Risk ranking
- Follow-up remediation tests
Encryption key management
Encryption keys are stored and managed in AWS Key Management System. Keys are protected by encrypting master keys, not persisting them in memory, and limiting hosts. Keys are rotated every 90 days, and the CIO and VP of Engineering must be present to perform the rotation, export, and destruction of crypto keys.
Change management
RFPIO has a formal change management policy, which defines a formal system that documents, maintains, and archives changes made to the IT infrastructure and application, in both production and non-production environments.
- Compliance + Privacy
ISO 27001:2013
RFPIO is ISO 27001:2013 certified. The certificate is available upon request.
SOC 2 Type II
RFPIO is SOC 2 Type II compliant. We maintain continuous compliance with SOC 2 Type II framework, with regular audits conducted by an AICPA-approved audit firm. The latest report is available on request.
GDPR
RFPIO is compliant with GDPR as a data processor in the provision of RFPIO’s services to its customers.
CCPA
RFPIO is compliant with CCPA as a data processor in the provision of RFPIO’s services to its customers.
See how it feels to respond with confidence
Why do 100,000+ users streamline their response process with RFPIO? Schedule a demo to find out.