SECURITY

Protecting your data is paramount

From infrastructure to people, Responsive has woven security into every part of our DNA, so you can rest assured that your content and data are locked down and secure. Just ask the companies that trust us with their information — including Microsoft, SAP, Zoom and Adobe.


Standards you can feel good about

With information security breaches all too common, teams must take measures to reduce risk. Responsive maintains industry best practices and adheres to global standards to help our customers meet their own compliance standards and security requirements.

Security by design

Secure software development

Our design and development lifecycle is based on the Building Security In Maturity Model (BSIMM), a framework that incorporates secure design and development principles throughout the software design and development lifecycle.

Well-architected system

Our flexible, multitier architecture is designed to be scalable and resilient. The design follows industry best practices for hardening, isolation, availability, and recovery, and security is built into the architecture in layers. The security layers include Intrusion Detection and Intrusion Prevention Systems (IDS/IPS), antivirus and antimalware protection, network firewalls, Host-based Intrusion Detection Systems (HIDS), Data Leak Prevention, DDoS protection, monitoring and alerting systems, and network isolation.

Network security

Responsive takes a layered approach to network security, implementing industry best practices at each layer with isolation and controls. At the core of the network security is access control. By sufficiently isolating the layers, we are able to control access through virtual private cloud (VPC), firewall rules, application layer firewall and network hardening. Additionally, we implement intrusion detection and prevention systems, along with intelligent threat detection and monitoring.

Independent validation

We conduct regular security vulnerability scans, static code analysis and dynamic security testing throughout the release cycles. In addition to internal scans, we also conduct annual penetration testing executed by independent third-party penetration testing organizations.

Data security

Tenant isolation

Responsive is a multitenant SaaS application. A key consideration in the design of the platform is tenant isolation, ensuring that customers sharing the common infrastructure are logically segregated and that one tenant’s actions do not impact another. To ensure this, we logically segregate one customer’s data from another at rest. Additionally, every request, without exception, is validated against a unique tenant ID so that every transaction is authenticated. This tenant ID validation is performed regardless of the origin of the request, so every request is independently authenticated whatever its source and context.
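The per-request tenant check described above, as an added illustration (constructed example, not Responsive's code): data is keyed by tenant at rest, and every read or write is scoped to the tenant ID from the verified session, no matter whether the caller is the public API, a background job or an internal tool. All names and sample rows are constructed.

```python
"""Tenant-scoped data access: constructed illustration, not Responsive's code."""
from dataclasses import dataclass


class TenantIsolationError(PermissionError):
    """Raised when a stored row does not belong to the requesting tenant."""


@dataclass(frozen=True)
class RequestContext:
    tenant_id: str  # taken from the verified session/token, never from user input
    origin: str     # "api", "job", "support-tool": informational only, never changes the check


# Constructed sample store. Rows are keyed by (tenant_id, doc_id) at rest, and each
# row also carries its tenant_id so the ownership can be re-checked on every access.
ROWS = {
    ("acme", "doc-1"): {"tenant_id": "acme", "title": "RFP answers"},
    ("globex", "doc-2"): {"tenant_id": "globex", "title": "Security questionnaire"},
}


def belongs_to(ctx: RequestContext, row: dict) -> bool:
    """Ownership check applied to every row before it is returned or modified."""
    return row["tenant_id"] == ctx.tenant_id


def get_document(ctx: RequestContext, doc_id: str):
    """Fetch a document in the caller's tenant; return None if it is not there.

    Looking up by (tenant_id, doc_id) means an id that exists in another tenant
    simply does not resolve, and the response does not reveal that it exists.
    """
    row = ROWS.get((ctx.tenant_id, doc_id))
    if row is None:
        return None
    if not belongs_to(ctx, row):  # defence in depth: the stored tenant_id must agree
        raise TenantIsolationError(f"row {doc_id} is not owned by {ctx.tenant_id}")
    return row


def list_documents(ctx: RequestContext) -> list:
    """List only rows keyed under the caller's tenant."""
    return [row for (tenant, _), row in ROWS.items() if tenant == ctx.tenant_id]


def update_title(ctx: RequestContext, doc_id: str, title: str) -> bool:
    """Write path goes through the same scoped lookup; no cross-tenant writes possible."""
    row = get_document(ctx, doc_id)
    if row is None:
        return False
    row["title"] = title
    return True
```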

Access control

All customer data, regardless of how it is acquired or the nature of the data, is classified as confidential data, requiring the highest degree of controls and protections. Responsive support staff are prohibited from accessing any data that is not directly related to the service they are providing, and from downloading or storing any customer data on their devices. Development and production environments are maintained completely independently, and customer data is never loaded into development or test environments.

Data disposition

Data disposition is a shared responsibility between Responsive and customers. The application gives customer admins and users ways to delete and dispose of data in a timely manner. Responsive retains customer data in accordance with the data retention policy and securely deletes it at the end of the retention period. Once permanently deleted, customer data is rendered completely unrecoverable, giving you the peace of mind that your confidential data can never be accessed.

Encryption

All communications with and within the Responsive platform are encrypted with industry-standard HTTPS/TLS 1.2 (or higher) over the network, without exception. This ensures that all traffic between clients and Responsive is protected in transit. All data at rest is encrypted using AES-256 (or stronger) encryption. As an added layer of security, passwords are salted and hashed so that they are never recoverable.

Cloud security

Hosting

Responsive hosts data primarily in AWS data centers that meet most major compliance standards, including SOC, FISMA, FedRAMP, DoD CSM, PCI DSS, and ISO 9001 / ISO 27001 / ISO 27701. AWS’s security program covers all aspects of security, including Physical and Environment Security, Business Continuity Management, Network Security, Access Controls, Account Management, Secure Design Principles, Change Management, Logging and Audit Capabilities, and Security Checks.

Layers of security

Our flexible, multitier architecture is designed to be scalable, resilient and highly secure. The security layers include: Intrusion Detection and Intrusion Prevention Systems (IDS/IPS), anti-virus and anti-malware protection, network firewalls, Host-based Intrusion Detection Systems (HIDS), Data Leak Prevention, DDoS protection, monitoring and alerting systems, and network isolation.

Reliability

We have designed, architected and built a highly resilient platform with sufficient redundancy, scalability and failover capabilities to minimize downtime. Additionally, we host our services with cloud-hosting partners that offer multiple levels of built-in redundancy and geographical distribution. We understand that even the best-designed and tested systems can experience failures. For such rare events, we have state-of-the-art monitoring and alerting systems in place so our engineers can proactively respond to issues that could lead to service disruptions.

Business continuity

We have implemented a comprehensive business continuity and disaster recovery program. We test the business continuity and disaster recovery plans repeatedly, so that the response is muscle memory when disaster strikes. We continuously evaluate and revise our plans to ensure they stay up to date as our technology and architecture evolve, and to keep pace with the evolving threat landscape. Our disaster recovery plan considers how to deal with the following possible events:

  • Natural disasters (e.g. earthquakes, fires, floods and storms)
  • Computer software or hardware failures
  • Computer shutdowns due to hackers, viruses, etc.
  • Processing shutdowns
  • Power disruptions, power failure
  • Labor strife (e.g. walkouts or shutdowns)
  • Terrorist acts (or acts of war)

Product security

Security testing

Our system undergoes vulnerability and dynamic security scans prior to each release. Our secure development lifecycle process includes the following:

  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Interactive Application Security Testing (IAST)

Vulnerability management

Our vulnerability management program is modeled after an industry-standard framework. Components include:

  • Scheduled vulnerability scanning
  • Asset tracking and identification
  • Patch management (testing and applying patches)
  • Risk ranking
  • Follow-up remediation tests

Change management

Responsive has a formal change management policy, which defines a formal system that documents, maintains and archives changes made to the IT infrastructure and application, in both production and nonproduction environments.

Compliance and privacy

ISO 27001:2013

Responsive is ISO 27001:2013 certified. The certificate is available upon request.

ISO 27701

Responsive is ISO 27701 certified. The certification is available upon request.

SOC 2 Type II

Responsive is SOC 2 Type II compliant. We maintain continuous compliance with the SOC 2 Type II framework, with regular audits conducted by an AICPA-approved audit firm. The latest report is available on request.

GDPR

Responsive is compliant with GDPR as a data processor in the provision of our services to our customers.

CCPA

Responsive is compliant with CCPA as a data processor in the provision of our services to our customers.

Privacy policy

Learn more about privacy at Responsive.