Secure software development

RFPIO’s design and development lifecycle is based on the Build Security-In Maturity Model, a framework that incorporates secure design and development principles throughout the software design and development lifecycle.

Well-architected system

RFPIO’s flexible multi-tier architecture is designed to be scalable and resilient. The design follows industry best practices for hardening, isolation, availability, and recovery. Security is built into the architecture in layers for added security. The security layers include Intrusion Detection and Intrusion Prevention Systems (IDS/IPS), anti-virus and anti-malware protection, Network firewalls, Host-based Intrusion Detection Systems (HIDS), Data Leak Prevention, DDoS protection, monitoring and alerting systems, and network isolation.

Network security

RFPIO takes a layered approach to network security, implementing industry best practices at each layer with isolation and controls. At the core of the network security is access control. By sufficiently isolating the layers, we are able to control access through virtual private cloud (VPC), firewall rules, application layer firewall, and network hardening. Additionally, we implement intrusion detection and prevention systems, along with intelligent threat detection and monitoring.

Independent validation

We conduct regular security vulnerability scans, static code analysis, and dynamic security testing throughout the release cycles. In addition to internal scans, we also conduct annual penetration testing executed by independent third-party penetration testing organizations.

Tenant isolation

RFPIO is a multi-tenant SaaS application. A key consideration in the design of the platform is tenant isolation to ensure that customers sharing the common infrastructure are logically segregated and that one tenant’s actions does not impact another. To ensure this, we logically segregate one customer’s data from another when at-rest. Additionally, every request, without exception, is validated against a unique tenant ID to ensure every transaction is authenticated. This tenant ID authentication is performed regardless of the origin of the request to make sure every request is independently authenticated regardless of the source and context.

Access control

All customer data, regardless of how it is acquired or the nature of the data, is classified as confidential data, requiring the highest degree of controls and protections. RFPIO support staff is prohibited from accessing any data that is not directly related to the service they are providing, and are prohibited from downloading and/or storing any customer data to their devices. Development and production environments are maintained completely independently, and customer data is never loaded in development or test environments.

Data disposition

Data disposition is a shared responsibility between RFPIO and Customers. The application provides customers admins and users ways to delete and dispose data in a timely manner. RFPIO retains customers data in accordance with the data retention policy, and safely and securely deletes the data at the end of the retention period. Once permanently deleted, customer data is rendered completely unrecoverable, giving you the peace of mind your confidential data can never be accessed.

Encryption

All communications with and within the RFPIO platform are encrypted with industry-standard HTTPS/TLS 1.2 (or higher) over the networks without exceptions. This ensures that all traffic between the clients and RFPIO is secure during the transit. All data-at-rest is encrypting using AES-256 key encryption (or higher). As an added layer of security, passwords are hashed with salting to ensure they are never recoverable.

Hosting

RFPIO hosts data primarily in AWS data centers that meet most major compliance standards, including SOC, FISMA, FedRAMP, DoD CSM, PCI DSS, and ISO 9001 / ISO 27001. AWS’s security program covers all aspects of security, including Physical and Environment Security, Business Continuity Management, Network Security, Access Controls, Account Management, Secure Design Principles, Change Management, Logging and Audit Capabilities, and Security Checks.

Layers of security

Our flexible, multi-tier architecture is designed to be scalable, resilient, and highly secure.The security layers include: Intrusion Detection and Intrusion Prevention Systems (IDS/IPS), anti-virus and anti-malware protection, network firewalls, Host-based Intrusion Detection Systems (HIDS), Data Leak Prevention, DDoS protection, monitoring and alerting systems, and network isolation.

Reliability

We have designed, architected, and built a highly resilient platform with sufficient redundancy, scalability, and failover capabilities to minimize downtime. Additionally, we host our services with our cloud-hosting partners that offer multiple levels of built-in redundancy and geographical distribution. We understand even the best designed and tested systems can experience failures. For such rare events, we have state-of-the-art monitoring and alerting systems in place so our engineers can proactively respond to issues that could lead to service disruptions.

Business continuity

We have implemented a comprehensive Business Continuity & Disaster Recovery program. We test the business and disaster recovery plans over and over again, so it becomes muscle-memory when disaster strikes. We continuously evaluate and revise our plans to ensure that the plans stay up-to-date as our technology and architecture evolve, as well as to stay pace with the evolving threat landscape. Our Disaster Recovery Plan considers how to deal with the following possible events:

• Natural disasters (i.e. earthquakes, fires, floods, and storms)
• Computer software or hardware failures
• Computer shutdowns due to hackers, viruses, etc.
• Processing shutdowns
• Power disruptions, power failure
• Labor strife (i.e. walkouts or shutdowns)
• Terrorist acts (or acts of war)

Security testing

Our system undergoes vulnerability and dynamic status scans prior to each release. Our secure development lifecycle process includes the following:

• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Interactive Application Security Testing (IAST)

Vulnerability management

Our vulnerability management program is modeled after the industry-standard framework. Components include:

• Scheduled vulnerability scanning
• Asset tracking and identification
• Patch management (testing and applying patches)
• Risk ranking
• Follow-up remediation tests

Change management

RFPIO has a formal change management policy, which defines a formal system that documents, maintains, and archives changes made to the IT infrastructure and application, in both production and non-production environments.

ISO 27001:2013

RFPIO is ISO 27001:2013 certified. The certificate is available upon request.

SOC 2 Type II

RFPIO is SOC 2 Type II compliant. We maintain continuous compliance with SOC 2 Type II framework, with regular audits conducted by an AICPA-approved audit firm. The latest report is available on request.

GDPR

RFPIO is compliant with GDPR as a data processor in the provision of RFPIO’s services to its customers.

CCPA

RFPIO is compliant with CCPA as a data processor in the provision of RFPIO’s services to its customers.

Privacy Policy

Learn more about privacy at RFPIO