Privacy and Security
Security and privacy are at the core of our platform.
The platform is operated to the security standards and regulatory frameworks required for handling data in the digital health space.
Access is administered by management, and permissions are granted on the principle of least privilege.
We apply defense in depth: multiple, layered security controls so that no single failure exposes data.
All portions of the platform are tested both internally and externally to confirm that security controls are effective across the whole platform.
We continually review our security policies and adapt them to new requirements as they arise.
Security and Compliance
RiskAverse maintains SOC 2 Type II and ISO 27001 compliance. In addition:
All customer data is encrypted at rest, and sensitive collections/tables use row-level encryption, so that neither physical nor logical access to the database alone is sufficient to read sensitive fields.
Data in transit is protected with TLS 1.2 or higher, and HSTS is enforced wherever data crosses potentially untrusted networks. Server TLS keys and certificates are managed on AWS via Heroku, a Salesforce company.
Encryption keys are managed with AWS Key Management Service (KMS). Key material is held in KMS-backed HSMs and is used only through the KMS encrypt and decrypt APIs; no individual, whether an Amazon or a RiskAverse employee, has direct access to it.
Application secrets are encrypted and stored in AWS Secrets Manager and Parameter Store, and access to these values is strictly limited.
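To make concrete what "row-level encryption with keys held in KMS" means in practice, here is an added envelope-encryption example in Go. It is illustrative code written for this page, not RiskAverse's implementation. `fakeKMS` is a hypothetical in-process stand-in for the AWS KMS `GenerateDataKey` and `Decrypt` operations (the real service would be called through the AWS SDK); the row ID used as encryption context, the `Row` layout and the sample record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// fakeKMS is a hypothetical stand-in for AWS KMS. It holds the master key and
// never returns it; callers only ever see per-row data keys.
type fakeKMS struct{ cmk []byte }

func newFakeKMS() (*fakeKMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &fakeKMS{cmk: k}, nil
}

// seal encrypts with AES-256-GCM and prepends the random nonce; aad is
// authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to ciphertext, nonce or aad fails the GCM tag.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh data key returned both
// in plaintext (for immediate use) and wrapped under the master key (to store).
func (k *fakeKMS) GenerateDataKey(ctx []byte) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.cmk, plain, ctx)
	return plain, wrapped, err
}

// Decrypt mirrors kms:Decrypt; the encryption context must match.
func (k *fakeKMS) Decrypt(wrapped, ctx []byte) ([]byte, error) {
	return open(k.cmk, wrapped, ctx)
}

// Row is what the database stores for a sensitive record: only ciphertext and
// a wrapped key. A copy of the table is useless without access to KMS.
type Row struct {
	ID         string
	WrappedKey []byte
	Ciphertext []byte
}

// EncryptRow uses one data key per row (envelope encryption). The row ID is the
// encryption context, so a ciphertext cannot be transplanted to another row.
func EncryptRow(kms *fakeKMS, id string, sensitive []byte) (Row, error) {
	dk, wrapped, err := kms.GenerateDataKey([]byte(id))
	if err != nil {
		return Row{}, err
	}
	ct, err := seal(dk, sensitive, []byte(id))
	if err != nil {
		return Row{}, err
	}
	for i := range dk { // zero the plaintext key as soon as it is no longer needed
		dk[i] = 0
	}
	return Row{ID: id, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRow unwraps the row's data key through KMS, then decrypts the field.
func DecryptRow(kms *fakeKMS, r Row) ([]byte, error) {
	dk, err := kms.Decrypt(r.WrappedKey, []byte(r.ID))
	if err != nil {
		return nil, err
	}
	return open(dk, r.Ciphertext, []byte(r.ID))
}

func main() {
	kms, _ := newFakeKMS()
	row, _ := EncryptRow(kms, "patient-42", []byte("constructed sample: DOB 1980-01-01"))
	pt, _ := DecryptRow(kms, row)
	fmt.Printf("stored %d bytes of ciphertext, decrypted: %s\n", len(row.Ciphertext), pt)
	_, err := DecryptRow(&fakeKMS{cmk: make([]byte, 32)}, row) // database access, no KMS
	fmt.Println("decrypt without the real KMS key fails:", err != nil)
}
```

The security property the page claims follows from the layout of `Row`: a database dump contains wrapped keys and ciphertext only, so an attacker needs both the dump and the ability to call KMS `Decrypt` with the right encryption context, and that call is where IAM policy and CloudTrail logging apply.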
RiskAverse uses Astra as its third-party penetration testing partner. Automated and manual penetration tests are conducted every six months.
RiskAverse incorporates vulnerability scanning throughout the development lifecycle:
- Static application security testing (SAST) of code during pull requests
- Scanning of dependencies for known-malicious packages
- Network vulnerability scanning
- Software composition analysis
- Dynamic analysis of running applications
- External attack surface management
All company devices are equipped with device management software and anti-malware protection, and endpoints are configured to the security baselines required for handling company and customer data.
Secure Remote Access
Only approved devices may access information pertaining to the platform; Sophos is used to monitor device usage and to block access to risky sites.
All employees receive security training during onboarding and must review it annually. Topics include maintaining HIPAA compliance and recognizing suspicious activity.
Engineering also conducts disaster recovery roundtables every six months.
Employees are granted access to the platform and to vendors only through permissions issued by engineering and reviewed by management.
Once access is granted, two-factor authentication is required on every device that accesses any system holding company or customer data.
Before onboarding a new vendor, RiskAverse conducts a thorough review of the vendor's ability to meet our compliance requirements. The review covers:
- Access to customer and company data
- Integrating with the production environment
- Brand quality
Once the review is complete, the vendor's security posture is evaluated and our customers/partners are informed of the integration.
RiskAverse maintains a privacy shield that is managed through Heroku.
RiskAverse continually evaluates updates to regulatory frameworks and adapts its controls as that landscape changes.