Introduction

Respell is SOC 2 Type II compliant. To read our full report you can download it here.

We’re committed to keeping your data safe and secure, beyond the minimum requirements for maintaining our SOC 2 certification. We’ve implemented safeguards so that your information remains confidential, and we hold ourselves to high ethical standards regarding your privacy.

In this overview, you’ll gain insights into our security controls and compliance practices.

Information Security Framework

We’ve taken a robust approach to ensure the security of your data, and our commitment is underscored by our adherence to the SOC 2 Type II framework. SOC 2 evaluates an organization’s controls over the security, availability, processing integrity, confidentiality, and privacy of customer data.

Our systems and processes are regularly audited by independent professionals to ensure they meet the highest security standards.

Data Protection and Privacy

Customer Data Access

  • Customer data is stored and encrypted at rest on our production database in Google Cloud Platform (GCP).
  • Confidential Customer Data is not used or stored in non-production systems/environments.
  • Automatic vulnerability scanning is set up on GCP and GitHub.
  • Only lead engineers have access to production.
  • Event logging is monitored to track who is accessing the production database.

Data Retention and Destruction

Data is retained as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners may determine retention periods for their data.

Personally identifiable information (PII) shall be deleted or de-identified as soon as it no longer has a business use.

Retention periods are documented in Respell’s Data Management Policy.

Encryption

Customer data is encrypted in our PostgreSQL database in accordance with Respell’s Cryptography Policy.

Key Management

Access to keys and secrets is tightly controlled in accordance with the Access Control Policy.

The following table lists the approved usage for cryptographic keys:

Domain                      | Key Type                        | Algorithm                                       | Key Length
Web Certificate             | RSA or ECC with SHA2+ signature | RSA or ECC with SHA2+ signature                 | 2048 bit or greater (RSA); 256 bit or greater (ECC)
Web Cipher (TLS)            | Asymmetric Encryption           | Ciphers of B or greater grade on SSL Labs Rating | Varies
Confidential Data at Rest   | Symmetric Encryption            | AES                                             | 256 bit
Passwords                   | One-way Hash                    | Bcrypt, PBKDF2, scrypt, or Argon2               | 256 bit+, 10K stretch; include unique cryptographic salt + pepper
Endpoint Storage (SSD/HDD)  | Symmetric Encryption            | AES                                             | 128 or 256 bit
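As an added illustration of the Passwords row above (example code written for this overview, not Respell’s own implementation), the following shows what a storage scheme meeting those parameters looks like: PBKDF2-HMAC-SHA256 with a 256-bit output, 10,000 iterations, a unique random salt stored alongside the hash, and a site-wide pepper held outside the database. The pepper value, the record format and the policy-check helper are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters from the policy table: 256-bit output, 10K stretch, unique salt + pepper.
ITERATIONS = 10_000
DKLEN = 32          # 256 bits
SALT_BYTES = 16

# Constructed example pepper. In production it lives in a secret store,
# never in the database next to the hashes.
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff")


def _prehash(password: str, pepper: bytes) -> bytes:
    # Bind the pepper to the password via HMAC, so a copy of the database
    # alone is not enough to attempt offline guessing.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)  # unique per password
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, ITERATIONS, dklen=DKLEN)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, int(iters), dklen=DKLEN)
    except ValueError:
        return False  # malformed record
    return hmac.compare_digest(dk, expected)


def meets_policy(record: str) -> bool:
    """Check a stored record against the table row: >=10K stretch, 256-bit hash, real salt."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    return int(iters) >= 10_000 and len(dk_hex) == DKLEN * 2 and len(salt_hex) >= SALT_BYTES * 2
```

meets_policy is useful as a one-off audit over existing records: any hash stored before the policy was adopted with fewer iterations or a shorter output is flagged for re-hashing at the user’s next login.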

Network Security

Application Security

  • Code Reviews and Audits: We conduct audits by experienced security professionals to identify and address vulnerabilities and weak points in the Respell platform codebase.
  • Vulnerability Assessments: Automatic vulnerability scanning is set up on GCP and GitHub.
  • Authentication and Authorization: Authentication mechanisms are in place to ensure that only authorized users can access specific functionalities and data, including making changes to production data.
  • Deployment Access: Specific engineers have access to deploy changes in the production database. No single user can push changes; a second verification is required.
  • Least Privilege Principle: Granting users and components only the minimum permissions required for their specific roles and functionalities.
  • Error Handling: Error-handling mechanisms are in place to avoid disclosing sensitive information to potential attackers in error messages.
  • Auditing and Logging: Thorough auditing and logging mechanisms are in place in GCP to monitor and track user activities for potential security breaches.

Employee Training and Awareness

All employees must complete a Security Awareness Training course and be onboarded onto Respell’s best practices for securely handling data and accessing company applications.