Security & Compliance
Redzone is committed to protecting customer information. We have completed a SOC 2 Type II audit and apply the security controls of the ISO/IEC 27001 framework. Our cloud hosting providers maintain their own SOC and ISO attestations.
Redzone adheres to GDPR and applicable US state requirements for personal data breach notification. In the event of a personal data breach, Redzone will investigate, address, and mitigate the breach in accordance with the "Security Incident" standards of our Data Processing Addendum. Redzone will notify affected customers of a personal data breach within the time frames required by law and in accordance with the Data Processing Addendum. Notification is not required for an incident that does not result in unauthorized access to personal data or to Redzone equipment storing personal data.
Redzone uses automated tests and peer reviews to ensure our software is developed in a consistent and secure way. Redzone maintains a "shift left" approach, outlined in a Software Development Life Cycle document that can be made available upon request. Built-in controls reduce the risk of cross-site scripting and SQL injection, and APIs are developed according to API security best practices.
Development and Staging environments are logically separated from Production. Customer environments are never used for development or staging work.
Annual Secure Code Training is required for all Software Engineers. Training is focused on the OWASP Top 10 security risks.
To ensure that security vulnerabilities in Redzone's software are continuously identified and remediated, Redzone has integrated security validation into our continuous integration (CI) workflows. Before a change is merged, the CI system checks out the code and runs our standard set of tests, including security scans, so that every change is scanned for vulnerabilities prior to acceptance. Because this happens on every change, both newly introduced and pre-existing vulnerabilities can be identified.
Redzone works with an independent organization to perform annual penetration testing. We also run a year-round bug bounty program so that the platform is continually assessed against current vulnerability classes. Findings from these reviews are prioritized and remediated promptly.
Redzone encrypts all data both at rest and in transit. All external network communication uses HTTPS with TLS 1.2 or higher. Data at rest is encrypted with AES-256. Passwords are never stored in plaintext; they are stored only as salted, iterated one-way hashes.
All critical activity in Redzone is logged and monitored to detect anomalous behavior. We also capture and store logs from our application code and from the vendor systems we work with. Once captured, internal and external logs are reviewed by automated tooling and by a 24/7 Security Operations Center (SOC) for any unusual activity.
Redzone maintains an Information Security Council that addresses security concerns across the business. Representatives from different departments participate in discussions about security and compliance issues, while executive participants make the necessary high-level decisions. Redzone's dedicated internal security team is supported by the 24/7 SOC and works throughout the company to maintain strict security standards.
All Redzone employees and contractors are required to comply with internal security policies and practices. Our policies and procedures are designed to ensure compliance with both law and security best practices. We review these policies annually to ensure we are up to date. All employees are required to attend 1:1 security training and annual security training refreshers.
Redzone restricts access to its systems and infrastructure according to the principle of least privilege. Access is reviewed at least annually and is removed when personnel no longer need it.
Redzone enforces a password policy and Multi-Factor Authentication to protect sensitive systems. Redzone supplies all employees with an enterprise-grade password manager and audits annually that credentials are complex and stored in the vault.
Redzone has Business Continuity and Disaster Recovery plans. Redzone maintains daily backups of all data. The most recent validated backup will be maintained outside of the Amazon Web Services (“AWS”) Infrastructure. Redzone also implements a rolling backup strategy within AWS which allows point-in-time recovery to any time within the last thirty (30) days (excluding the most recent hour). In addition to its routine backup practices, Redzone also replicates live data across at least three (3) AWS availability zones so that there should always be a full live copy of all data in real time.
Redzone performs regular Red Team exercises to test our defenses against realistic threats. These include random removal of access, internal spear-phishing attempts, phishing campaigns, and the use of tools such as Atomic Red Team.
The Redzone Application supports two authentication options: Enterprise SSO (SAML 2.0) and native Redzone authentication.
Redzone allows a configurable password expiration time, for compliance with 21 CFR Part 11.
There are multiple distinct Admin permission levels within the Redzone Admin application. This allows for Admins to be given access to manage only the specific data and settings related to their role. More information can be found in the Security section of the Redzone Knowledge Base.
Mobile Device Management (MDM) is the practice of securing corporate data by monitoring, managing, and securing devices such as laptops, smartphones, and tablets. The Redzone application can be managed through MDM, allowing IT teams to control and distribute policies, applications, and secure settings to managed devices. More information regarding best practices and minimum access requirements can be made available upon request.
Trusted DNS or specific IP address ranges for the Redzone cloud environment are available upon request.