Security

Overview

Email us at info@realciso.io if you have any additional questions not answered by this page.

Data Access Level
As a SaaS vendor selling to an enterprise customer, what type of data do you need access to?
Internal (i.e. information may be shared only internally or with external parties under an NDA)

Impact Level
What is the potential impact to your enterprise customer if the data and/or functionality you, as the vendor, are supposed to manage, is compromised?
Moderate

Recovery Time Objective
What is your recovery time objective in case of critical failure? (e.g., your DB is deleted)
< 24 Hours

Critical Dependence
Will your product be a system that your enterprise customer critically depends on? (i.e., a failure would cost them significant money)
No

Third Party Dependence
Are you also using other third-party services to manage or support your customers?
Yes

Hosting
Are you hosted only on one of the major cloud providers or do you have any on-premise systems?
Major Cloud Provider: AWS – US-East-1

Data Security

Access Monitoring
Our security team logs and monitors all access attempts to our company resources.

Backups Enabled
Backups for our databases are enabled in AWS.

Data Erasure
Customers may contact us at info@realciso.io for any data deletion requests.

Encryption-at-rest
All customer data is stored in MongoDB, AWS, and Stripe. All three provide encryption-at-rest and encryption-in-transit. Stripe is PCI DSS certified by third-party auditors.

Encryption-in-transit
All internal and external communication in our infrastructure is encrypted using TLS 1.2 or TLS 1.3. Our application rejects connections that attempt to negotiate older protocol versions or weak cryptographic algorithms.

Qualys SSL Labs Report – SSL Report
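The following is an added example of how a practitioner can check a TLS client configuration against the policy stated above (TLS 1.2 or 1.3 only, no weak cipher suites). It is not RealCISO's code; the WEAK_CIPHER_MARKERS list and the chosen cipher string are assumptions for illustration, not the vendor's actual policy.

```python
"""Check an ssl.SSLContext against a 'TLS 1.2+ only, no weak cipher suites' policy.

Added example (not RealCISO's code). The WEAK_CIPHER_MARKERS list and the
cipher string below are assumptions for illustration.
"""
import ssl
from typing import Iterable

# Substrings of OpenSSL cipher names that indicate algorithms a modern policy
# should reject: RC4, (3)DES, NULL encryption, export grades, MD5 MACs, and
# anonymous / PSK / SRP key exchange. Assumed list for this example.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH", "PSK", "SRP")


def weak_ciphers(names: Iterable[str]) -> list[str]:
    """Return the cipher names that match any weak-algorithm marker."""
    return [n for n in names if any(m in n for m in WEAK_CIPHER_MARKERS)]


def hardened_client_context() -> ssl.SSLContext:
    """Context that only negotiates TLS 1.2/1.3 with forward-secret AEAD suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # TLS 1.2 suite selection; TLS 1.3 suites are fixed by OpenSSL and all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The 'before' configuration: lets OpenSSL negotiate down to whatever it supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Return {'ok': bool, 'findings': [...]} for the policy above."""
    findings = []
    # TLSVersion is an IntEnum, so version comparison works numerically.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum_version is {ctx.minimum_version.name}; policy requires TLSv1_2 or higher"
        )
    # get_ciphers() lists the suites the context would actually offer.
    for name in weak_ciphers(c["name"] for c in ctx.get_ciphers()):
        findings.append(f"weak cipher suite enabled: {name}")
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_client_context()),
                       ("hardened", hardened_client_context())):
        result = audit_context(ctx)
        print(f"{label}: {'PASS' if result['ok'] else 'FAIL'}")
        for finding in result["findings"]:
            print("  -", finding)
```

This audits the configuration of a context, not the live server; the externally observable posture (which versions and suites a host actually negotiates) is what an SSL Labs scan such as the one referenced above reports, so the two checks complement each other. Note that OpenSSL 3 at its default security level already refuses TLS 1.0 and 1.1 handshakes, so on current builds the cipher-list part of the check is the one most likely to catch a regression.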

Physical Security
RealCISO is a fully remote team with no physical offices.

Physical security for our data centers is handled by Amazon Web Services. You can find additional details at:

Separate Production Environment
We use a staging environment that is completely separated from our production environment. Production user data is never used in our staging environment during testing. Developers do not have access to production.

Reports & Compliance

Pentest Report – Complete

Auditor: SiloCity
We engaged SiloCity to conduct a penetration test of our web application.

SOC 2 Report – In Progress

Auditor: Bonadio
We are currently working on completing a SOC 2 Type 1 audit. At the moment you may request access to our engagement letter via info@realciso.io.

CCPA
We meet the requirements set forth by the California Consumer Privacy Act. Please review our Privacy Policy for additional details.

GDPR
We meet the requirements set forth by the General Data Protection Regulation. Please review our Privacy Policy for additional details.

Corporate Security

Employee Training
Every 1 Year

Employees are required to undergo yearly security awareness training via Wizer Security Awareness Training. In addition, the security team provides ongoing training based on the latest trends and regulations in the security industry.

Incident Response
We have a formal incident response plan and dedicated security personnel who respond in the event of an incident.

In the event of a suspected incident that requires our attention, please send an email immediately to info@realciso.io.

Internal Assessments
Our internal security team regularly reviews the security of our infrastructure and application to identify any vulnerabilities that need to be remediated.

Single Sign-On & Multi-factor Authentication (MFA)
We use SSO via G Suite for all services that support it, and enforce MFA for the rest. MFA is enforced for all administrators for production access.

Cyber Insurance
We have both general business liability and cyber insurance.

If you think you may have discovered a vulnerability, please send us a note.