REPUTATION.COM SECURITY POSTURE
updated Aug. 21, 2020
Reputation.com and all of its affiliates place a very high importance on the security of our organization and all customer data. This document is an outline of the extensive organizational and technical measures that Reputation.com undertakes to protect customer data from unauthorized access or disclosure. More detailed information is available upon request. Access to certain security information will require entry into a Non-Disclosure Agreement.
Reputation.com subscribes to least privilege access as a part of our access control and conducts quarterly audits of our accounts to validate this control. Physical access to Reputation.com locations is controlled by card access readers, monitored by security cameras and all guest access is logged and monitored.
All offers of employment at Reputation.com are contingent on the completion of a background screening and reference check. Employees and contractors must sign a confidentiality agreement and an agreement to abide by Company security policies and procedures.
Business Continuity and Disaster Recovery
We have a full Business Continuity Plan as well as a Disaster Recovery Plan. We maintain separate regions in our public cloud that are used for the purpose of disaster recovery with a full synchronization of platform data baked in. In addition, we maintain separate instances of our proprietary reputation management platform in the United States and the European Union to ensure compliance with the General Data Protection Regulation (‘GDPR’). With this separation, no personal data will ever leave the geographical region a customer has been assigned per their contract.
Reputation.com is SOC2 Type II compliant as attested by a third-party auditor and is HIPAA compliant to ensure all customer PII and PHI are properly handled. Reputation.com will share the latest SOC2 Type II report and our HIPAA Business Associates Agreement upon request and under NDA. Our public cloud provider, Google Cloud Platform adheres to the highest security standards. You may review their security certifications here.
We maintain stringent datastore specifications for customer data, and personal data and all customer data and personal data is encrypted at rest on our platform using the AES symmetric block cipher and data is encrypted in transit using TLS. We do not disclose or sell the data and personal data that you provide to Reputation.com about your customers. We use the data you provide us about your customers only to provide your services and for no other purpose.
Reputation.com has a strong commitment to your privacy. We have a dedicated privacy section on our website which can be reviewed here: https://www.reputation.com/privacy-policy/
Reputation.com maintains a formal incident response plan which defines the individuals responsible for responding to an incident, the responsibilities of those individuals during each phase of the incident response process.
Monitoring and Alerting
Monitoring tools and services are employed, aligning with a defense in depth strategy, to monitor our infrastructure and application on a continuous basis for anomalous behavior and attacks.
We securely encrypt your passwords. Passwords are one-way encrypted using the bcrypt algorithm, with a random salt for each password. This means that only the original creator of the password knows its value. This type of encryption is extraordinarily difficult to break. When passwords must be retrieved, public/private key encryption is used, with a key length of 4096 or greater. Access and retention of passwords are strongly controlled and logged.
Penetration tests are conducted by an independent third-party assessor at least annually. Reputation.com will share the latest Penetration Test report upon request and under NDA.
Security Awareness Training
All employees undergo training on security in the workplace as well as HIPAA training. Awareness education on security and data privacy topics are provided to employees on an ongoing basis. Employees must also renew the completion of Security Awareness training modules annually as well as adhere to our information security policies including our Information Security Policy as well as our Data Security Policy and Customer Confidentiality Policy.
We deploy the latest in threat detection/threat protection and monitor our infrastructure and application on a continuous basis for anomalous behavior and attacks. Additionally, we have baked security into the SDLC and perform Application Security Testing on our code.