Security and Data Privacy
The security, integrity, and availability of your data are our top priorities, and we know how vital they are to the success of your compliance programme. We use a multi-layered approach to protect and monitor all of your information.
ComplianceDesktop® is hosted in independently audited and certified data centers. All ComplianceDesktop® servers run in Amazon Web Services (AWS) data centers in the US or Europe that are covered by SSAE/AICPA SOC 2, PCI DSS, ISO 27001, ISO 27017 and ISO 27018 attestations or certifications.
Physical security measures at these facilities include, but are not limited to, a CCTV monitoring system with digital video recording, man traps, biometric identification, mandatory visitor check-in, a 24x7x365 staffed front desk, and round-the-clock security guards.
AWS grants data center access and information only to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, their access is revoked immediately, even if they remain an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.
More information is available from the AWS Cloud Compliance website.
Encryption at Rest and in Transit
All communications with ComplianceDesktop® servers over public networks are encrypted using industry-standard HTTPS (TLS). The server is authenticated with a public-key certificate, and the session keys negotiated during the TLS handshake protect the traffic between you and ComplianceDesktop® against eavesdropping, tampering, and forgery.
All clients' production data is stored encrypted with AES-256, the industry-standard block cipher. Encryption is applied at the storage block level, with the encryption keys managed through AWS Key Management Service (KMS) rather than held on the application servers.
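Keys "handled through" a key management service normally means envelope encryption: the master key never leaves KMS, each piece of data is encrypted under its own data key, and only a KMS-wrapped copy of that data key is stored beside the ciphertext. The following is an added illustration of that pattern, not ComplianceDesktop®'s or AWS's code; it uses an in-process stand-in for the KMS API (`memoryKMS`) so it runs offline, and the `Envelope`, `EncryptRecord` and `DecryptRecord` names and the sample tenant context string are assumptions for the example. It applies the pattern at the record level rather than the transparent storage-block level the page describes, which makes the decisive property visible: a copy of the stored blobs is useless without a successful call back to the key service, and the authenticated context (AAD) stops a blob being silently moved into another client's records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyService models the part of a key management service (such as AWS KMS)
// that envelope encryption depends on: callers get a fresh data key in
// plaintext (held only in memory) plus a copy wrapped under a master key
// that never leaves the service.
type KeyService interface {
	GenerateDataKey() (plaintext, wrapped []byte, err error)
	Decrypt(wrapped []byte) ([]byte, error)
}

// memoryKMS is an assumed in-process stand-in for the KMS API so the example
// runs offline; its master key is an AES-256-GCM key held in memory.
type memoryKMS struct{ master cipher.AEAD }

func newMemoryKMS() (*memoryKMS, error) {
	mk, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	master, err := newAESGCM(mk)
	return &memoryKMS{master: master}, err
}

func (m *memoryKMS) GenerateDataKey() ([]byte, []byte, error) {
	dk, err := randomBytes(32) // a 32-byte key selects AES-256
	if err != nil {
		return nil, nil, err
	}
	wrapped, err := sealGCM(m.master, dk, []byte("data-key"))
	return dk, wrapped, err
}

func (m *memoryKMS) Decrypt(wrapped []byte) ([]byte, error) {
	return openGCM(m.master, wrapped, []byte("data-key"))
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func newAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func sealGCM(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM rejects truncated blobs before slicing, then verifies the tag.
func openGCM(aead cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Envelope is what gets persisted: the wrapped data key travels with the data.
type Envelope struct{ WrappedKey, Ciphertext []byte }

// EncryptRecord encrypts one record under a fresh data key; aad binds the
// ciphertext to its context (e.g. tenant and table).
func EncryptRecord(ks KeyService, plaintext, aad []byte) (*Envelope, error) {
	dk, wrapped, err := ks.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	aead, err := newAESGCM(dk)
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(aead, plaintext, aad)
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, err
}

// DecryptRecord unwraps the data key via the key service (where access control
// and audit logging live) and only then opens the ciphertext.
func DecryptRecord(ks KeyService, env *Envelope, aad []byte) ([]byte, error) {
	dk, err := ks.Decrypt(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	aead, err := newAESGCM(dk)
	if err != nil {
		return nil, err
	}
	return openGCM(aead, env.Ciphertext, aad)
}

func main() {
	ks, _ := newMemoryKMS()
	aad := []byte("tenant=example-client;table=cases") // constructed sample context
	env, _ := EncryptRecord(ks, []byte("due diligence report #1"), aad)
	pt, err := DecryptRecord(ks, env, aad)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 1 // flip one bit of the GCM tag
	_, err = DecryptRecord(ks, env, aad)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

With a real KMS the `GenerateDataKey` and `Decrypt` calls become API requests, so every decryption is subject to the key policy and appears in the audit trail; revoking the application's permission on the key makes the stored blobs unreadable without touching the storage itself. The same holds for encrypted EBS volumes, where the wrapped volume key is handled by the storage layer rather than by application code.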
ComplianceDesktop® is built according to secure development best practices, with security reviews incorporated throughout the design, prototyping and deployment process. Manual and automated security tests are conducted at milestones leading up to each public release. Security vulnerabilities discovered during these tests are reviewed for criticality and remediated before release, so that known issues are addressed before a release reaches clients.
As part of our commitment to protecting client data, we have deployed an industry-recognized Web Application Firewall (WAF) in front of all of our clients' environments. The WAF automatically identifies and blocks common web application attacks aimed at the ComplianceDesktop® sites hosted on the platform.
The Red Flag Group® is ISO 27001:2013 certified, the global standard for information security management systems and controls. Our ISMS (Information Security Management System) is a structured approach with management support all the way up to our board of directors. Adherence to the ISO 27001 standard, regular third-party audits, and close attention to client input and industry trends help ensure that our security programs keep pace with a changing security landscape and meet evolving client requirements.
Additional Security Controls
PRIVACY AUDIT & COMPLIANCE
The Red Flag Group® takes information security and the privacy of personal data very seriously. We are committed to GDPR compliance, and to offering our clients tools and solutions that help their use of our services satisfy their own obligations under the GDPR.
The Red Flag Group® also participates in the TRUSTe® Privacy Program which is designed to help businesses implement strong privacy management practices consistent with a wide range of global regulations and industry standards.
IDENTITY & ACCESS MANAGEMENT
ComplianceDesktop® also supports single sign-on (SSO) integration via SAML or Microsoft Azure Active Directory. Enterprises that use SSO can give their users seamless access to ComplianceDesktop®, and their administrators can manage authentication for ComplianceDesktop® alongside the rest of the corporate network through one SSO system.
BACKUP & DATA RETENTION
All files and databases are fully backed up and encrypted daily, with a 30-day retention period for backups. Backup restore testing is conducted annually.
There is no default retention limit on active client data: client data is retained for as long as you remain a client.
PENETRATION TEST & VULNERABILITY SCAN
ComplianceDesktop® engages third-party security firms to perform detailed penetration tests and vulnerability scans of the application. Security vulnerabilities discovered during these tests are reviewed for criticality and remediated before release.
AVAILABILITY & DISASTER RECOVERY
Our goal is to keep ComplianceDesktop® highly available. Any planned maintenance that would disrupt service is announced in advance, and downtime is kept to a minimum.
ComplianceDesktop®'s disaster recovery plan is reviewed and updated at least annually and tested annually.