Security & Compliance Overview
Introduction
Respell is SOC 2 Type II compliant. To read our full report you can download it here.
We’re committed to keeping your data safe and secure, beyond the minimum requirements for maintaining our SOC 2 certification. We’ve implemented safeguards so that your information remains confidential, and we hold ourselves to high ethical standards regarding your privacy.
In this overview, you’ll gain insights into our security controls and compliance practices.
Information Security Framework
We’ve taken a robust approach to ensuring the security of your data, and our commitment is underscored by our adherence to the SOC 2 Type II framework. SOC 2 evaluates an organization’s controls over the security, availability, processing integrity, confidentiality, and privacy of customer data.
Our systems and processes are regularly audited by independent professionals to ensure they meet the highest security standards.
Data Protection and Privacy
Customer Data Access
- Customer data is stored and encrypted at rest on our production database in Google Cloud Platform (GCP).
- Confidential Customer Data is not used or stored in non-production systems/environments.
- Automatic vulnerability scanning is set up on GCP and GitHub.
- Only lead engineers have access to production.
- Event logging is monitored to track who is accessing the production database.
Data Retention and Destruction
Data is retained as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners may determine retention periods for their data.
Personally identifiable information (PII) shall be deleted or de-identified as soon as it no longer has a business use.
Retention periods are documented in Respell’s Data Management Policy.
Encryption
Customer data is encrypted in our PostgreSQL database in accordance with Respell’s Cryptography Policy.
Key Management
Access to keys and secrets is tightly controlled in accordance with the Access Control Policy.
The following table lists the approved uses of cryptographic keys:
| Domain | Key Type | Algorithm | Key Length |
|---|---|---|---|
| Web Certificate | RSA or ECC with SHA2+ signature | RSA or ECC with SHA2+ signature | 2048 bit or greater (RSA), 256 bit or greater (ECC) |
| Web Cipher (TLS) | Asymmetric Encryption | Ciphers of B or greater grade on SSL Labs rating | Varies |
| Confidential Data at Rest | Symmetric Encryption | AES | 256 bit |
| Passwords | One-way Hash | bcrypt, PBKDF2, scrypt, or Argon2 | 256 bit + 10K stretch; include unique cryptographic salt + pepper |
| Endpoint Storage (SSD/HDD) | Symmetric Encryption | AES | 128 or 256 bit |
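The Passwords row above spells out the parameters but not how they fit together. The following is an added example, not Respell’s own code, showing one way to implement that row with PBKDF2-HMAC-SHA256: a 256-bit output, a 10K iteration stretch, a unique per-password salt stored beside the hash, and a server-side pepper (a constructed placeholder here) that is never stored with the hash. The storage format `pbkdf2_sha256$iterations$salt$hash` is an assumption of this example.

```python
import hashlib
import hmac
import os
from base64 import b64decode, b64encode
from typing import Optional

# Parameters taken from the policy table: 256-bit output and a 10K stretch.
PBKDF2_ITERATIONS = 10_000
KEY_LENGTH_BYTES = 32   # 256 bits
SALT_BYTES = 16

# Constructed placeholder pepper. In a real deployment this comes from a
# secrets manager and is never written to the database next to the hashes.
PEPPER = b"example-pepper-not-for-production"


def _pepper(password: str, pepper: bytes) -> bytes:
    # Keyed HMAC binds the password to the server-side secret before the
    # stretch, so a leaked hash table is useless without the pepper.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_b64$hash_b64' for storage."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt   # unique per password
    dk = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper), salt,
                             PBKDF2_ITERATIONS, dklen=KEY_LENGTH_BYTES)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS),
                     b64encode(salt).decode(), b64encode(dk).decode()])


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = b64decode(salt_b64), b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper), salt,
                             int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)
```

Storing the iteration count in the record lets the stretch be raised later while old hashes remain verifiable until the user next logs in.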
Network Security
Application Security
- Code Reviews and Audits: We conduct audits by experienced security professionals to identify and address vulnerabilities and weak points in the Respell platform codebase.
- Vulnerability Assessments: Automatic vulnerability scanning is set up on GCP and GitHub.
- Authentication and Authorization: Authentication mechanisms are in place to ensure that only authorized users can access specific functionalities and data, including making changes to production data.
- Deployment Access: Specific engineers have access to deploy changes to the production database. No single user can push changes; a second verification is required.
- Least Privilege Principle: Users and components are granted only the minimum permissions required for their specific roles and functionalities.
- Error Handling: Error-handling mechanisms are in place to avoid disclosing sensitive information to potential attackers in error messages.
- Auditing and Logging: Thorough auditing and logging mechanisms are in place in GCP to monitor and track user activities for potential security breaches.
Employee Training and Awareness
All employees must complete a Security Awareness Training course and be onboarded onto Respell’s best practices for securely handling data and accessing company applications.