Recotap Security PolicyLast Updated May 18, 2021

1. Introduction

This Recotap Security Policy (“Security Policy”) outlines the organizational and technical measures that the company undertakes to protect customer data (“Customer Data”) from unauthorized access or disclosure.

2. Personnel

Structure

The Security and compliance team coordinates all security programs, internal audits, and governance of the programs across Recotap. The team reports to the CTO who reports directly to the CEO.

Background Checks

All offers of employment at Recotap are effected on the completion of a background check. All third-party contractors who may have any exposure to data (including Customer Data) are subject to the completion of a background check before they commence an engagement with Recotap.

Security and Data Privacy Trainings

Employees and third-party contractors attend onboarding orientation and must complete security awareness and data privacy instructions. System access is revoked for any employees and third-party contractors who do not complete their security awareness and data privacy training promptly.

Employees and third-party contractors must complete annual Security Awareness and Data Privacy training modules.

Information Security Policies

Employees and third-party contractors review and acknowledge Recotap's Information Security Policies and Procedures during on-boarding and thereafter.

Physical and Logical Access

Employees and third-party contractors are required to use their badges to access Recotap offices. Guest access is logged and monitored using facility management software tools. Access to systems is authorized and provisioned according to role-based access controls (RBACs). RBACs are reviewed and updated periodically in parallel with user access reviews to ensure access is restricted to reflect business requirements on the “least privileges necessary”. Access control systems are configured to “deny-all” as default.

All the access by employees and third-party contractors to Recotap systems requires successful authentication using multi-factor authentication “MFA”. In addition, another layer of authentication mechanism is required to access the virtual private cloud “VPC” access to public cloud infrastructure.

Upon termination of employment or contract, access to Recotap systems and offices is revoked.

3. Network and Application Security

Architecture

Recotap uses Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure (Azure) as cloud platforms. This infrastructure spans multiple regions and multiple availability zones within each region for redundancy, performance, and disaster recovery purposes. Recotap utilizes the shared security responsibility model, where the cloud provider is responsible for the security of the underlying cloud infrastructure (i.e. physical infrastructure, geographical regions, availability zones, operating, managing, and controlling components from the host system, security of cloud-native services, virtualization layer and storage) and Recotap is responsible for securing the application platform and configuration deployed in the cloud provider’s infrastructure.

Cloud Security

Recotap works within the security models provided by our cloud providers. The use of security groups enables the analysis of traffic and determines whether access is allowed based on the rules. Recotap has adopted a role-based framework. Access is provisioned using Identity and Access Management (IAM) role-based access to resources. Furthermore, access is granted based on the role and context of the entity (grantee) and not just on the sources. Environments are physically and logically separated by function – e.g. development, QA, staging, and production. Application cloud infrastructure is protected with cloud provider DDOS services and web application firewalls.

System Event Logging, Monitoring, and Alerting

Monitoring tools and services are used to monitor systems including network devices, security events, operating system events, resource utilization, user access audit records, cloud infrastructure and associated event logs, audit and security logs, application operations events, and application account audit logs.

Logs are analyzed for anomalies, outliers, and patterns based on security event signatures. Alerting logic processes these events and actions are taken to initiate any applicable remediation. Logs of all production servers are stored and retrievable from a centralized repository.

Application Security

At Recotap, security is integrated into the software development lifecycle (SDLC) process.

  • Training: Engineers are encouraged to undertake training on core concepts key to their development as needed and on the recommendation of their managers.
  • Design: Security implications are considered as part of the application design process.
  • Development: Peer review of source code is part of the SDLC process. Security checklists are included in the code review process to enable engineers to check for security flaws consistently as part of the review process.
  • Testing: Security testing is performed at various stages of the development lifecycle:
    • Automated tests: Security testing for business logic is automated as much as possible to catch any regressions to existing features.
    • Manual tests: Manual security testing is conducted as part of release testing to flag any security issues.
    • Security scans: Static and dynamic application security tests are run regularly in production and development environments to detect and flag any issues.
  • Vulnerability management: Security issues are triaged regularly, prioritized based on severity and tracked to remediation per published SLAs.

Data Integrity

Confidential and sensitive data is retained only as long as required for legal, regulatory, and business requirements. Customer data is by default retained for 12 months following the expiration or termination of the relationship with Recotap. However, upon request Recotap will delete customer data as per the SLA.

Encryption During Transit

Recotap encrypts traffic during transit with Transport Layer Security “TLS” using standard cipher-suites when communicating across an untrusted network. This applies to external and internal communications.

Encryption for Data at Rest

Encryption of data applies to the following use cases:

  1. Personal and Customer Data: Any data that identifies personal data through unique field values that would reveal the personal identity information of a Recotap customer. Example: customer email or phone number. Any customer data that is business transactional in nature such as a confidential marketing campaign budget and target list.
  2. Digital Advertising Metadata: Any data that is required to be shared with the digital advertising exchanges, participating websites, or partners that is abstracted from an individual identity but can be used as an identifying field for targeting.

Encryption for Storage/Backups

Data storage: All Recotap data stores are encrypted using encryption keys generated and stored via Azure Key Vault.

Key management: Keys used for data encryption or key encryption are stored in the cloud Azure Key Vault or by using the software vault secrets engine.

Access management: Identity and Access Management (IAM) roles are used for encrypt/decrypt permissions based on policies of \ least privilege access to data. Cryptography details
https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
https://cloud.google.com/kms/docs/encrypt-decrypt

4. Assessments and Certifications

Penetration Testing

All issues reported by the testing engagements are triaged, prioritized based on the issue severity, and remediated on time within the published SLAs. In addition to external testing, the Recotap Security team conducts gray-box tests on the application and infrastructure throughout the year.

Business Continuity and Disaster Recovery Plans

Recotap maintains a Disaster Recovery Plan in connection with our SaaS applications and a Business Continuity Plan. Both plans are reviewed, tested, and updated annually.

5. Risks

Risk Management

The Recotap Risk Management process is designed to identify, assess, and prioritize security risks to minimize, monitoring, and mitigate risks based on priority.

Risk Management Process and Methodology

The Recotap Security team conducts a risk review of all business assets, processes and services (external and internal) at least annually. We use industry-standard processes to guide the risk assessment exercise. All risks are reviewed against the four threat categories: physical, resource, personnel, and technical. A risk register is produced as the outcome of the review process, consisting of a prioritized list of identified risks along with recommendations for minimizing and controlling the risks. Mitigation plans are formulated and executed against.

In addition to annual reviews, an exceptional risk review is conducted whenever a major physical, environmental, personnel-related, regulatory, or technological change is undertaken.

Third-party Risk Management

Recotap requires all technology companies we do business with to complete a security assessment, and execute a Data Processing Agreement as part of the onboarding and contract renewal process.

Incident Response Policy

The Recotap Security team has an established incident management policy in place which defines the individuals responsible for responding to a security incident, the responsibilities of those individuals during each phase of the incident response process – detection, analysis, containment, eradication, recovery, and post-incident activities, communication channels, escalation procedures, and procedures to record and track evidence during the incident investigation process.

Suspected security incidents must be reported immediately to the Recotap Security team by email via contact@recotap.com. In addition, Recotap customers can report security issues directly to the customer success representative in charge of the account or by using the email link on our website to contact customer support.