Last updated: March 01, 2024
This Recotap Security Policy (“Security Policy”) outlines the organizational and technical measures that the company undertakes to protect customer data (“Customer Data”) from unauthorized access or disclosure.
Structure
The Security and compliance team coordinates all security programs, internal audits, and governance of the programs across Recotap. The team reports to the CTO who reports directly to the CEO.
Background Checks
All offers of employment at Recotap are contingent on the completion of a background check. All third-party contractors who may have any exposure to data (including Customer Data) must also complete a background check before they commence an engagement with Recotap.
Security and Data Privacy Trainings
Employees and third-party contractors attend an onboarding orientation and must complete security awareness and data privacy training. System access is revoked for any employees and third-party contractors who do not complete their security awareness and data privacy training promptly.
Employees and third-party contractors must complete annual Security Awareness and Data Privacy training modules.
Information Security Policies
Employees and third-party contractors review and acknowledge Recotap's Information Security Policies and Procedures during onboarding and periodically thereafter.
Physical and Logical Access
Employees and third-party contractors are required to use their badges to access Recotap offices. Guest access is logged and monitored using facility management software tools. Access to systems is authorized and provisioned according to role-based access controls (RBAC). RBAC assignments are reviewed and updated periodically, in parallel with user access reviews, to ensure access is restricted to the least privileges necessary for business requirements. Access control systems are configured to “deny-all” by default.
All access by employees and third-party contractors to Recotap systems requires successful authentication using multi-factor authentication (“MFA”). In addition, a further authentication mechanism is required for virtual private cloud (“VPC”) access to public cloud infrastructure.
Upon termination of employment or contract, access to Recotap systems and offices is revoked.
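The access model described above (role-based permissions, least privilege, a deny-all default, MFA as a precondition, and periodic access reviews that catch excess or stale access) can be illustrated with a small authorizer. This is an added example, not Recotap's own code; the role names, permission strings and the `User` record are constructed for the illustration.

```python
"""Deny-by-default RBAC check with a periodic access review (added example)."""
from dataclasses import dataclass, field

# Constructed role definitions: each role lists only the permissions it needs.
ROLE_PERMISSIONS = {
    "support": {"customer:read"},
    "engineer": {"customer:read", "logs:read", "deploy:staging"},
    "sre": {"customer:read", "logs:read", "deploy:staging", "deploy:production"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    mfa_verified: bool = False   # session has passed MFA
    active: bool = True          # False once employment/contract has ended


def is_allowed(user: User, permission: str) -> bool:
    """Return True only when an active, MFA-verified user holds a role that
    explicitly grants `permission`. Every other case falls through to deny."""
    if not user.active or not user.mfa_verified:
        return False
    for role in user.roles:
        if permission in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False  # deny-all default: no explicit allow means no access


def access_review(users, expected_roles_by_name):
    """Periodic access review: compare each user's assigned roles with the roles
    the business owner says they should currently hold, and report what should
    be revoked. Inactive users have all of their roles flagged."""
    findings = {}
    for u in users:
        if not u.active:
            findings[u.name] = set(u.roles)
            continue
        excess = u.roles - expected_roles_by_name.get(u.name, set())
        if excess:
            findings[u.name] = excess
    return findings


if __name__ == "__main__":
    alice = User("alice", {"engineer"}, mfa_verified=True)
    print(is_allowed(alice, "logs:read"))          # True
    print(is_allowed(alice, "deploy:production"))  # False: not in her role
    carol = User("carol", {"sre", "support"}, mfa_verified=True)
    print(access_review([alice, carol], {"alice": {"engineer"}, "carol": {"support"}}))
```

The review function is the part that makes "least privilege" an ongoing control rather than a one-time grant: it takes the current business expectation as input and returns only the deltas to revoke, so it can be run on a schedule against an export of real role assignments.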
Architecture
Recotap uses Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure (Azure) as cloud platforms. This infrastructure spans multiple regions and multiple availability zones within each region for redundancy, performance, and disaster recovery purposes. Recotap utilizes the shared security responsibility model, where the cloud provider is responsible for the security of the underlying cloud infrastructure (i.e. physical infrastructure, geographical regions, availability zones, operating, managing, and controlling components from the host system, security of cloud-native services, virtualization layer and storage) and Recotap is responsible for securing the application platform and configuration deployed in the cloud provider’s infrastructure.
Cloud Security
Recotap works within the security models provided by our cloud providers. Security groups inspect traffic and allow or deny access according to the configured rules. Recotap has adopted a role-based framework: access is provisioned using Identity and Access Management (IAM) role-based access to resources. Furthermore, access is granted based on the role and context of the entity (grantee) and not only on the source of the request. Environments are physically and logically separated by function, e.g. development, QA, staging, and production. Application cloud infrastructure is protected with cloud provider DDoS protection services and web application firewalls.
System Event Logging, Monitoring, and Alerting
Monitoring tools and services are used to monitor systems including network devices, security events, operating system events, resource utilization, user access audit records, cloud infrastructure and associated event logs, audit and security logs, application operations events, and application account audit logs.
Logs are analyzed for anomalies, outliers, and patterns based on security event signatures. Alerting logic processes these events and actions are taken to initiate any applicable remediation. Logs of all production servers are stored and retrievable from a centralized repository.
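The logging section above describes centralized logs being matched against security event signatures, with alerting logic deciding what needs remediation. The following added example (not Recotap's tooling) shows that loop on constructed authentication log lines: a parser for a simple assumed log format, two signatures, and a driver that returns the alerts. One signature also ties logging back to the offboarding control in the access section, by flagging a successful login from an account that should already have been revoked.

```python
"""Signature-based alerting over centralized auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "<timestamp> <event> user=<u> src=<ip>" shape.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z AUTH_FAIL user=alice src=198.51.100.7
2024-03-01T10:00:05Z AUTH_FAIL user=alice src=198.51.100.7
2024-03-01T10:00:09Z AUTH_FAIL user=alice src=198.51.100.7
2024-03-01T10:00:12Z AUTH_FAIL user=alice src=198.51.100.7
2024-03-01T10:00:20Z AUTH_FAIL user=alice src=198.51.100.7
2024-03-01T10:00:25Z AUTH_OK user=alice src=198.51.100.7
2024-03-01T10:05:00Z AUTH_OK user=bob src=203.0.113.9
this line is malformed and must not crash the parser
2024-03-01T11:00:00Z AUTH_OK user=dave src=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn raw lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "event": m.group(2), "user": m.group(3), "src": m.group(4)})
    return events


def sig_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Signature: at least `threshold` AUTH_FAIL for one (user, src) inside
    `window`, followed by an AUTH_OK from the same (user, src)."""
    alerts = []
    fails = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["event"] == "AUTH_FAIL":
            fails[key] = [t for t in fails[key] if ev["ts"] - t <= window] + [ev["ts"]]
        elif ev["event"] == "AUTH_OK":
            recent = [t for t in fails[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"sig": "bruteforce_then_success", "user": ev["user"],
                               "src": ev["src"], "at": ev["ts"]})
            fails[key] = []  # a successful login resets the failure window
    return alerts


def sig_deprovisioned_user_login(events, deprovisioned):
    """Signature: successful login by an account that offboarding should have revoked."""
    return [{"sig": "deprovisioned_user_login", "user": e["user"], "src": e["src"], "at": e["ts"]}
            for e in events if e["event"] == "AUTH_OK" and e["user"] in deprovisioned]


def run_signatures(log_text, deprovisioned=frozenset()):
    """Parse the log once and run every signature; the result is what alerting acts on."""
    events = parse(log_text)
    return sig_bruteforce_then_success(events) + sig_deprovisioned_user_login(events, deprovisioned)


if __name__ == "__main__":
    for alert in run_signatures(SAMPLE_LOG, deprovisioned={"dave"}):
        print(alert)
```

The thresholds and the window are assumptions chosen for the sample; in practice they are tuned per environment, and the output of `run_signatures` would be handed to a ticketing or paging integration rather than printed.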
Application Security
At Recotap, security is integrated into the software development lifecycle (SDLC) process.
Data Integrity
Confidential and sensitive data is retained only as long as required for legal, regulatory, and business requirements. Customer data is by default retained for 12 months following the expiration or termination of the relationship with Recotap. However, upon request Recotap will delete customer data as per the SLA.
Encryption During Transit
Recotap encrypts traffic in transit with Transport Layer Security (“TLS”) using standard cipher suites when communicating across an untrusted network. This applies to both external and internal communications.
Encryption for Data at Rest
Encryption of data applies to the following use cases:
Encryption for Storage/Backups
Data storage: All Recotap data stores are encrypted using encryption keys generated and stored via Azure Key Vault.
Key management: Keys used for data encryption or key encryption are stored in the cloud Azure Key Vault or by using the software vault secrets engine.
Access management: Identity and Access Management (IAM) roles are used for encrypt/decrypt permissions based on policies of least privilege access to data.
Cryptography details
https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
https://cloud.google.com/kms/docs/encrypt-decrypt
Penetration Testing
All issues reported by the testing engagements are triaged, prioritized based on the issue severity, and remediated on time within the published SLAs. In addition to external testing, the Recotap Security team conducts gray-box tests on the application and infrastructure throughout the year.
Business Continuity and Disaster Recovery Plans
Recotap maintains a Disaster Recovery Plan in connection with our SaaS applications and a Business Continuity Plan. Both plans are reviewed, tested, and updated annually.
Risk Management
The Recotap Risk Management process is designed to identify, assess, and prioritize security risks, and to minimize, monitor, and mitigate those risks based on priority.
Risk Management Process and Methodology
The Recotap Security team conducts a risk review of all business assets, processes and services (external and internal) at least annually. We use industry-standard processes to guide the risk assessment exercise. All risks are reviewed against four threat categories: physical, resource, personnel, and technical. A risk register is produced as the outcome of the review process, consisting of a prioritized list of identified risks along with recommendations for minimizing and controlling them. Mitigation plans are formulated and executed against the identified risks.
In addition to annual reviews, an exceptional risk review is conducted whenever a major physical, environmental, personnel-related, regulatory, or technological change is undertaken.
Third-party Risk Management
Recotap requires all technology companies we do business with to complete a security assessment, and execute a Data Processing Agreement as part of the onboarding and contract renewal process.
Incident Response Policy
The Recotap Security team has an established incident management policy in place. It defines the individuals responsible for responding to a security incident and their responsibilities during each phase of the incident response process (detection, analysis, containment, eradication, recovery, and post-incident activities), as well as communication channels, escalation procedures, and procedures to record and track evidence during the incident investigation.
Suspected security incidents must be reported immediately to the Recotap Security team by email via contact@recotap.com. In addition, Recotap customers can report security issues directly to the customer success representative in charge of the account or by using the email link on our website to contact customer support.