Trust & Security
Information Security Mission
We care about our customers and their convenience when using Revizto. We make our product in such a way that the users focus as much as possible on the implementation of their workflows. Everything else will be taken care of by our team. In particular, we care about the security of your data.
Our Company takes data security extremely seriously and is committed to processing it responsibly and in compliance with applicable information security standards and global data privacy laws.
We define high requirements for securely developing Revizto, implementing necessary security controls and performing regular security risk assessments. The program development methodology is established and based upon systems development and project management best practices.
Revizto includes proactive security controls which help to avoid threats to desktop/mobile application and web infrastructure.
We attach great importance to testing Revizto components. Revizto testing includes leveraging static code analysis techniques during the development and testing phases. Development, test, and stage environments are isolated from production environments and each other.
For additional control and a better user management process, we provide user authentication via Single Sign-On (SSO).
Currently, we support (LDAP and OAuth(Google Workspace (Formerly G Suite)) and working on SAML implementation.
Training and Awareness
We believe that qualified personnel is one of the main parts of security maintenance. We regularly conduct training and testing with our staff. The training and awareness program is the primary tool for communicating responsibilities to our team, according to internal Information Security policies and procedures.
During the onboarding process, new members of our team undergo security awareness training and sign a strict confidentiality agreement.
The Company completes intensive background checks prior to employment. Software developers are trained on how to apply all aspects of the system development methodology securely and effectively.
We implement access control mechanisms at each layer of the stack, dividing our infrastructure by zones, environments, and services. We have implemented stringent access controls on the following levels:
- Physical Access
- Network Access
- Datacenter infrastructure access
- Operating System Access
- Applications Access
Authentication is only provided via strong password protection (according to Password Policy) and multi-factor authentication (where applicable). Access (corresponding to administrative responsibilities) to confidential business data, application and the Company network is granted on a “need-to-know” basis. Our team is continuously monitoring access for all processing data and information systems and checking compliance with Access Policies.
Physical access to our data centers and office facilities is limited to authorized personnel only.
Network access to the internal company network is granted using a VPN. Access control to the cloud infrastructure of Revizto is provided by virtual private cloud (VPC) routing and encrypted connection based on certificates.
The Company’s Information Security Program is based on a risk-based approach. Risk Management process is implemented in all information systems and business processes. The Company’s aims concerning Risk Management are as follows:
Our team performs threat-modeling for Revizto to identify and prioritize potential security threats. This information considers in the application design process and as well as later phases of development. All key members of the development team are involved in the objective threat-modeling process.
Our Company has implemented necessary protection to prevent and protect against “malicious code” (computer viruses, malware) that is designed to exploit vulnerabilities, harm the performance of the computing environment, and/or obtain confidential business data held on laptops, workstations, and data center servers.
Network Security Policy
In the process of deploying and maintaining network security, we use the requirements and recommendations of information security best practices and vendor standards. We regularly analyze our network infrastructure both in our office and AWS and reconfigure based on new potential threats and risks.
Our Network security controls include various protection measures:
- network segmentation
- firewalls with configuration rules
- encrypted protocols
Network Security allows us effectively cope with both “internal” and “external” application infrastructure threats.
Our IT team takes steps to collect information about vulnerabilities across all systems and keep all systems up to date with vendor-supplied software updates, patches, and fixes. Our Vulnerability/Patch Management includes 5 steps:
- Governance – maintain a Vulnerability/Patch Management Framework.
- Coverage – ensure appropriate system components are compliant to Vulnerability/Patch Management policy.
- Inspection – employ automated and/or manual techniques designed to identify vulnerability/patches associated with specific Company system components.
- Reporting – define, gather, and escalate vulnerability/patch implementation information for purposes of facilitating remediation consistent with Company strategy and organizational objectives.
- Handling – correct or improve systems to prevent, minimize or mitigate adverse system impact.
Security Incident Management
We aggregate logs from various information systems and analyze them using SIEM platform. Internal policies and procedures defined in our Incident Management Process: monitoring, analyzing, classification, response, remediation, reporting, lessons learned. For greater efficiency and speed of incident response, all key employees are involved in the internal structure of incident reporting.
In the event of a severe security incident, our team will involve external experts for the response and investigation. If the incident poses a threat to the rights and freedoms of customers, our team will take all measures necessary to mitigate the incident, so it does not affect our customers and, if it does, we will contact customers immediately.