Technical and Organizational Measures

Overview
Redzone is committed to protecting your data and information. This page details the measures Redzone employs to protect Customer Data. It is intended to provide general technical and organizational information, as well as the information required by Article 32 of the General Data Protection Regulation (GDPR) or other applicable laws.

Hosting Environment
Redzone Software Services are serverless and hosted on cloud-based Amazon Web Services (“AWS”). The Software Services are supported by Amazon’s redundant data center infrastructure. The AWS virtual infrastructure is designed to provide optimum “high availability” while ensuring complete customer privacy and segregation and minimal impact of disruptions on operations. The infrastructure is designed and managed in accordance with industry-leading regulations, standards, and best practices, including SOC 1/SSAE 16, SOC 2, SOC 3, HIPAA, ISO 27001 and others.

AWS data centers are located geographically throughout the US in “Availability Zones” to strategically provide infrastructure redundancy in the event of a failure or catastrophe.

Infrastructure
Physical access

Redzone is an entirely cloud-hosted environment. Our cloud provider list can be found on the Sub-processors List page of the Redzone website.

Infrastructure as Code
Redzone audits, tests, and peer reviews any changes to our code. This provides a secure and automated process for any applied changes. Redzone uses GitHub repositories to manage all source code. Access to Redzone’s code repositories is controlled through a centralized SSO solution, and GitHub organization policies additionally require engineers to use two-factor authentication.

System Administration
Redzone utilizes AWS to leverage a fully managed, cloud-based service for the Redzone application. We actively scan for security and configuration vulnerabilities using an EDR. Any issues found are patched according to the risk they present.

Application Security
Secure Software Development

Redzone uses automated tests and peer reviews to ensure our software is developed in a consistent and secure way. Redzone maintains a “shift left” mentality outlined in a Software Development Life Cycle that can be made available upon request. Inherent controls reduce the risk of cross-site scripting and SQL injection and enforce best practices for API security.
Developer and Staging environments are logically separated from Production. Customer environments are never used in Development or Staging environments.

Secure Code Training
Annual Secure Code Training is required for all Software Engineers. Training is focused on the OWASP Top 10 security risks.

Security CI Toolchain Integration
To ensure that security vulnerabilities in Redzone’s software are continuously identified and remediated, Redzone has integrated security validation into our continuous integration workflows. Integration into CI ensures that all code is continuously scanned for security vulnerabilities prior to code acceptance. Because this process runs continually, both new and existing vulnerabilities can be identified. Prior to a merge, the Redzone CI system checks out the code and runs our standard set of tests.

Penetration Testing & Bug Bounty
Redzone works with an independent organization to perform annual penetration testing. We also run a year-round bug bounty program to ensure we are assessing the security of our platform against the most up-to-date vulnerabilities. The team prioritizes and works quickly to mitigate any issues identified by these reviews.

Data encryption and transfer
Redzone encrypts all data both at rest and in transit. All external network communication uses HTTPS/TLS 1.2 or higher encryption in transit. Data at rest is encrypted using AES-256. Passwords are salted and one-way hashed using multiple rounds.

Security Monitoring
All critical activity in Redzone is logged and monitored to detect anomalous behavior. We also capture and store logs from application code and from the vendor systems we work with. Once captured, internal and external logs are reviewed by automated tooling and a 24/7 SOC for any unusual activity.

Operational Security
Security Team

Redzone maintains an Information Security Council for any concerns across the business. Representatives from different departments of the company participate in discussions about security and compliance issues, while executive participants make necessary high-level decisions. Redzone’s dedicated internal security team is supported by a 24/7 SOC. Our internal security team works throughout the company to maintain strict security standards.

People and Process
All Redzone employees and contractors are required to comply with internal security policies and practices. Our policies and procedures are designed to ensure compliance with both the law and security best practices. We review these policies at least annually to keep them up to date. All employees are required to attend 1:1 security training and annual security training refreshers.

Employee Access to Data
Redzone restricts access to its systems and infrastructure according to the principle of least privilege. Access is reviewed at least annually and is removed when personnel no longer need it.

Passwords and Authentication
Redzone enforces a password policy and Multi-Factor Authentication to protect sensitive systems. Redzone supplies all employees with an enterprise-grade password manager and audits annually that complex passwords are properly stored in the vault.

Business Continuity and Disaster Recovery
Redzone has Business Continuity and Disaster Recovery plans. Redzone maintains daily backups of all data. Redzone also implements a rolling backup strategy within AWS which allows point-in-time recovery.

Red Teaming
Redzone performs regular Red Team events to stay ahead of security threats. These include random removal of access, internal spear phishing attempts, phishing campaigns, and the use of tools such as Atomic Red Team.

Product Security
Authentication

The Redzone Application supports two authentication options: Enterprise SSO (SAML 2.0) and native Redzone authentication.

Configurable Password Policy
Redzone allows a configurable password expiration time for compliance with 21 CFR Part 11.

Application Access Layers
There are multiple distinct Admin permission levels within the Redzone Admin application. This allows for Admins to be given access to manage only the specific data and settings related to their role. More information can be found in the Security section of the Redzone Knowledge Base.

Mobile Device Security
Mobile Device Management (MDM) is the process of securing corporate data by monitoring, managing, and securing devices such as laptops, smartphones, and tablets. The Redzone application allows IT teams to control and distribute policies, applications, and secure settings to the devices. More information regarding best practices and minimum access requirements can be made available upon request.

IP Restrictions
Trusted DNS or specific IP address ranges for the Redzone cloud environment are available upon request.

Contact Us
If you have any questions or concerns, please don’t hesitate to contact us at support@rzsoftware.com.