Email us at firstname.lastname@example.org if you have any additional questions not answered by this page.
Data Access Level
As a SaaS vendor selling to an enterprise customer, what type of data do you need access to?
Internal (i.e. information may be shared only internally or with external parties under an NDA)
What is the potential impact to your enterprise customer if the data and/or functionality you, as the vendor, are supposed to manage, is compromised?
Recovery Time Objective
What is your recovery time objective in case of critical failure? (e.g., your DB is deleted)
< 24 Hours
Critical Dependence
Will your product be a system that your enterprise customer critically depends on? (i.e., a failure would cost them a ton of money)
Third Party Dependence
Are you also using other third-party services to manage or support your customers?
Are you hosted only on one of the major cloud providers or do you have any on-premise systems?
Major Cloud Provider: AWS – US-East-1
Our security team logs and monitors all access attempts to our company resources.
Backups for our databases are enabled in AWS.
Customers may contact us at email@example.com for any data deletion requests.
All customer data is stored in MongoDB, AWS, and Stripe. All three provide enterprise-grade encryption at rest and encryption in transit. Stripe has been PCI certified by third-party auditors.
All our internal and external communication in our infrastructure is encrypted using TLS 1.2 or TLS 1.3. Our application will reject requests using weak cryptographic algorithms.
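A TLS floor and cipher screen of this kind is a configuration choice rather than a library default, so a reviewer will usually ask to see the policy itself. The following Python snippet is an added illustration, not code from RealCISO's application, of how a server-side context enforces a TLS 1.2 minimum and refuses weak cipher suites; the cipher string and the list of weak-algorithm markers are assumptions made for this example.

```python
import ssl

# Substrings that identify cipher suites a modern server should not offer.
# This list is an assumption for the example, not a standard; extend as needed.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "PSK", "ADH", "AECDH")

# Assumed cipher preference: forward-secret AEAD suites only, everything else excluded.
STRONG_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK"


def is_weak_cipher(name: str) -> bool:
    """Return True if a cipher suite name contains a known-weak marker."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_CIPHER_MARKERS)


def make_server_context() -> ssl.SSLContext:
    """Build a server-side context that refuses anything below TLS 1.2.

    The certificate chain is deliberately not loaded so the function runs
    offline; a real server would call ctx.load_cert_chain(certfile, keyfile).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0/1.1 handshakes are rejected
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(STRONG_CIPHER_STRING)  # governs the TLS 1.2 suites offered
    # TLS 1.3 suites are a fixed set of AEAD suites managed separately by OpenSSL.
    return ctx


def offered_weak_ciphers(ctx: ssl.SSLContext) -> list:
    """List the cipher suites the context would still offer that fail the screen."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak_cipher(c["name"])]


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the policy a reviewer would check before accepting the claim."""
    return {
        "min_version": ctx.minimum_version.name,
        "cipher_count": len(ctx.get_ciphers()),
        "weak_ciphers": offered_weak_ciphers(ctx),
    }


if __name__ == "__main__":
    # Expected: min_version TLSv1_2 and an empty weak_ciphers list.
    print(audit_context(make_server_context()))
```

Running the audit against the context is the cheap internal counterpart to an external SSL Labs scan: the scan tells you what the deployed endpoint actually negotiates, while the context audit tells you what the code was configured to allow, and the two should agree.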
Qualys SSL Labs Report – SSL Report
RealCISO is a fully remote team with no physical offices.
Physical security for our data centers is handled by Amazon Web Services. You can find additional details at:
Separate Production Environment
We use a staging environment that is completely separated from our production environment. Production user data is never used in our staging environment during testing. Developers do not have access to production.
Reports & Compliance
Pentest Report – Complete
We engaged SiloCity to conduct a penetration test of our web application.
SOC 2 Report – In Progress
Every 1 Year
Employees are required to undergo yearly security awareness training via Wizer Security Awareness Training. In addition, the security team provides ongoing training based on the latest trends and regulations in the security industry.
We have a formal incident response plan and have dedicated personnel for security in the event of an incident.
In the event of a suspected incident that requires our attention, please send an email immediately to firstname.lastname@example.org.
Our internal security team regularly reviews the security of our infrastructure and application to identify any vulnerabilities that need to be remediated.
Single Sign-On & Multi-factor Authentication (MFA)
We use SSO via G Suite for all services that support it, and enforce MFA for the rest. MFA is enforced for all administrators for production access.
We have both general business liability and cyber insurance.