Technical and Organizational Measures

Overview
Redzone is committed to protecting your information. This page details the measures Redzone employs to protect Customer Data. It is intended to provide general technical and organizational information, as well as the information required by Article 32 of the General Data Protection Regulation (GDPR) and other applicable laws.

Hosting Environment
Redzone Software Services are serverless and hosted on Amazon Web Services (“AWS”). The Software Services are supported by Amazon’s redundant data center infrastructure. The AWS virtual infrastructure is designed for high availability, customer segregation and privacy, and minimal impact to operations from disruptions. The infrastructure is designed and managed in accordance with industry-leading regulations, standards, and best practices, including SOC 1/SSAE 16, SOC 2, SOC 3, HIPAA, ISO 27001 and others.
AWS data centers are distributed geographically across the US and the rest of the world in “Availability Zones”, providing infrastructure redundancy in the event of a failure or catastrophe.

Infrastructure
Physical access
Redzone is an entirely cloud-hosted environment. We do not operate any routers, load balancers, DNS servers or physical servers of our own. Our cloud providers are listed on the Sub-processors List page of the Redzone website.

Infrastructure as Code
Redzone audits, tests, and peer reviews every change to our code, providing a controlled and automated process for applying changes. Redzone uses GitHub repositories to manage all source code. Access to Redzone’s code repositories is granted through a centralized SSO solution, and GitHub organization policies additionally require engineers to use two-factor authentication.

System Administration
Redzone uses AWS as a fully managed, cloud-based platform for the Redzone application. We actively scan for security and configuration vulnerabilities using an EDR tool. Any issues found are remediated according to the risk they present.

Application Security
Secure Software Development
Redzone uses automated tests and peer reviews to ensure our software is developed in a consistent and secure manner.

Code reviews
Redzone code changes are reviewed by peers and then tested in a development environment. Finally, the tenant application is reviewed by Apple for compliance with its requirements before being accepted and released through the App Store.

End User Login Protections
We protect our end users against attacks using EDR combined with third-party SOC services. All information is encrypted at rest and in transit in line with industry best practices.

Penetration Testing
Redzone engages an independent organization to perform annual penetration testing. We also run a year-round bug bounty program so that our platform is continually assessed against newly disclosed vulnerabilities. Issues identified by these reviews are prioritized and mitigated promptly.

Data encryption and transfer
Redzone encrypts all data both at rest and in transit. All external network communication uses TLS encryption in transit. Data at rest is encrypted using the encryption tools provided by our cloud storage provider.

Monitoring
All activity on Redzone’s systems is logged and monitored. We also capture and store logs from our application code and from the vendor systems we work with. Once captured, internal and external logs are reviewed by automated tooling and by a 24/7 SOC for unusual activity.

Operational Security
Security Team
Redzone maintains an Information Security team responsible for security concerns across the business. Representatives from different departments participate in discussions about security and compliance issues, while executive participants make the necessary high-level decisions. Redzone’s dedicated internal security team is supported by a 24/7 SOC and works throughout the company to maintain strict security standards.

People and Process
All Redzone employees and contractors are required to comply with internal security policies and practices. Our policies and procedures are designed to ensure compliance with both the law and security best practices, and we review them at least annually to keep them current.

Employee Access to Data
Redzone restricts access to its systems and infrastructure according to the principle of least privilege. Access is reviewed at least annually and is removed when personnel no longer need it.

Passwords and Authentication
Redzone enforces a password policy and Multi-Factor Authentication to protect sensitive systems.

Business Continuity and Disaster Recovery
Redzone maintains Business Continuity and Disaster Recovery plans. Redzone takes daily backups of all data, and the most recent validated backup is stored outside of the Amazon Web Services (“AWS”) infrastructure. Redzone also implements a rolling backup strategy within AWS that allows point-in-time recovery to any time within the last thirty (30) days (excluding the most recent hour). In addition to these routine backups, Redzone replicates live data across at least two (2) AWS Availability Zones so that a full live copy of all data is maintained in real time.

Compliance
Overview
Redzone is committed to protecting customer information. We have completed a SOC 2 Type II attestation and align our security controls with the ISO 27001 framework. Our cloud hosting providers are SOC and ISO compliant.

Notification of Personal Data Breach
Redzone adheres to GDPR and applicable US state requirements for personal data breach notification. In the event of a personal data breach, Redzone will investigate, address, and mitigate the breach in accordance with the “Security Incident” provisions of our Data Processing Addendum. Redzone will notify affected customers of a personal data breach within the time frames required by law and in accordance with the Data Processing Addendum. Notification is not required for an incident that does not result in unauthorized access to personal data or to Redzone equipment storing personal data.

Contact Us
If you have any questions or concerns, please contact us at:
support@rzsoftware.com