Security Policy for Reveal Group
Effective starting: January 31, 2020
The security of your data is of paramount importance to us. This policy is intended to help you understand Reveal Group’s approach to:
- Data Encryption;
- User Access Management & Authentication;
- Backup, Replication & Recovery;
- Software Development;
- Procedures; and
If you do not agree with these policies, do not access or use our Services or interact with any other aspect of our business.
Reveal Group protects your data in several ways:
- Data in transit between the browser and our servers is encrypted using TLS 1.2.
- Data is not stored locally on the user’s device.
- Security certificates are issued by globally trusted certificate authorities.
- Data at rest is encrypted using AES-256.
- Cloud-based intrusion detection systems monitor for real-time threats, with all traffic passing through a web application firewall.
User Access Management & Authentication
Reveal Group applications provide full control of information and a detailed audit trail of user activities.
- Account Authentication: User invite and account creation required for any platform access.
- Strong Password Policies: Required strength factors (minimum characters, required numbers and special characters), salted and hashed password storage, and password resets.
- Granular Access Control: Role-based access controls to applications, detailed object permissions and row-level security access filters for reporting data.
- Audit Log: Detailed tracking and audit log of user activities.
- Privileged Access: Additional controls applied to superuser and administrative accounts.
Reveal Group relies on best-in-breed infrastructure hosting services provided by Microsoft Azure and Amazon Web Services. Our software services utilize a combination of Infrastructure as a Service (IaaS) and Platform as a Service offerings. The following describes how our infrastructure is organized:
- Our web applications operate on a three-tier architecture – web, application, database.
- End users connect via their browser using HTTPS/SSL (TLS 1.2) to a publicly accessible application load balancer endpoint, which securely routes traffic to the web tier.
- Load balancers operate between the web, application and database tiers, with multiple redundant components used to avoid any single points of failure.
- Server components are not publicly accessible, they operate on a private software-defined network and they have no public IP addresses.
- Reveal Group system administrators must login via SSH and VPN (or a Bastion host) to perform maintenance on these machines.
- Port hardening is applied to all components.
- Virtual machines and containers are used in preference to dedicated physical hosting.
- Puppet is used to reliably and repeatably script the deployment of Infrastructure as Code.
Backup, Replication & Recovery
Reveal Group provides multiple layers of data protection:
- Automated Backup: Databases backed up every night, with a 30-day retention period.
- Data Replication: Data updates are continuously replicated across multiple infrastructure hosting instances to guarantee data durability.
- Data Locations: Hosting is provided by AWS and Azure data centers in Australia, Japan, EU, USA and Canada.
- Disaster Recovery: Alternative DR sites are maintained in case of a major hosting site outage and recovery procedures are tested annually.
Security is fully integrated into Reveal Group’s software development process. All developers receive appropriate security training (e.g. OWASP top 10) and all code changes are reviewed prior to deployment.
- Reveal Software (web, mobile and API) are designed with security that meets OWASP standards (at minimum).
- Software Development Lifecycle approach
- Separation between Production, Development and Test;
- Segregation of duties among Operations, Developer and Tester;
- Required reviews of any new code by individuals who were not an author of the original code and are educated in the execution of code review techniques and secure coding practices;
- Code changes logged in a central location;
- Restricted access to code repository.
- Other SDLC security practices include:
- Requirements review (security, privacy, process, functional);
- Design review (threat modeling and analysis, security design review);
- Development controls (static analysis, manual peer code review);
- Testing (dynamic analysis, automated testing);
- Deployment controls (security, confidentiality, integrity and availability).
Reveal Group security processes were developed based on industry best practices and are continuously updated.
- Employee Security Induction: All employees are required to comply with the following policies and procedures:
- Employee Background Checks;
- Corporate Facility Access;
- Acceptable Use;
- Corporate Passwords.
- Privileged Users: The following additional policies and procedures apply to system administrators and technical support staff:
- Production Passwords;
- Access Privileges;
- Incident Response Procedures;
- Security Training;
- Patch Management;
- System Configuration;
- Change Management.
- Platform Network Security: Continuous security activities, including:
- Network and host intrusion detection;
- System, network and application log reporting, analysis, archiving and retention;
- Network device baseline standards;
- Continuous internal monitoring;
- Regular vulnerability scanning.
- Incident Response Team handling any significant security or service event by defined policies.
- Third-Party Security Testing focused on potential vulnerabilities to both software and hosting infrastructure.
Reveal Group is committed to maintaining compliance with key global information security standards.
- We are broadly compliant with the CSA Cloud Controls Matrix.
- All standard AWS and Azure certifications and accreditations (e.g. SOC 2 audit reports for Infrastructure, Physical Security and Secured Services) are available upon request.
- Additional third-party reports (e.g. penetration and vulnerability testing) are available for limited distribution and shared under a confidentiality agreement.
Your information is controlled by Reveal Group IPA Services Inc., a Reveal Group Holdings Inc. company. If you have questions or concerns about how your information is handled, please direct your inquiry via Reveal Group USA Inc, which we have appointed to be responsible for facilitating such inquiries.
Reveal Group IPA Services Inc.
c/o Reveal Group USA Inc.
330 Madison Avenue, Floor 34
New York, NY 10017