Schedule a Demo

Updated on:  11/1/2020

Overview

Our security strategy involves the following components:

security components

 Organizational security

We have an Information Security Management System (ISMS) in place which takes into account our security objectives and the risks and mitigations concerning all the interested parties. We employ strict policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of customer data.

Employee background checks

Each employee undergoes a process of background verification. We hire reputed external agencies to perform this check on our behalf. We do this to verify their criminal records, previous employment records if any, and educational background. Until this check is performed, the employee is not assigned tasks that may pose risks to users.

Security Awareness

Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We provide training on specific aspects of security, that they may require based on their roles.

We educate our employees continually on information security, privacy, and compliance in our internal community where our employees check in regularly, to keep them updated regarding the security practices of the organization. We also host internal events to raise awareness and drive innovation in security and privacy.

Dedicated security and privacy teams

We have dedicated security and privacy teams that implement and manage our security and privacy programs. They engineer and maintain our defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity.

Internal audit and compliance

We have a dedicated compliance team to review procedures and policies in Radix Data to align them with standards, and to determine what controls, processes, and systems are needed to meet the standards. This team also does periodic internal audits and facilitates independent audits and assessments by third parties.

Endpoint security

All workstations issued to Radix Data employees run up-to-date OS version and are configured with anti-virus software. These workstations are secure by default as they are configured to encrypt data at rest, have strong passwords, and get locked when they are idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet our security standards.

Physical security

At workplace

We control access to our resources (buildings, infrastructure, and facilities), where accessing includes consumption, entry, and utilization, with the help of digital locks and digital access keys. The Human Resource (HR) team establishes and maintains the purposes specific to roles. We maintain access logs to spot and address anomalies.

Monitoring

We monitor all entry and exit movements throughout our premises through CCTV cameras.Back-up footage is available up to a certain period, depending on the requirements for that location.

Infrastructure security

Network security

Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We use firewalls to prevent our network from unauthorized access and undesirable traffic. Our systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Radix Data's production infrastructure.

We monitor firewall access with a strict, regular schedule. A network engineer reviews all changes made to the firewall every day. Additionally, these changes are reviewed every three months to update and revise the rules. Our dedicated team monitors the infrastructure and applications for any discrepancies or suspicious activities. All crucial parameters are continuously monitored using our Microsoft Azure Security Center and notifications are triggered in any instance of abnormal or suspicious activities in our production environment.

Network redundancy

All the components of our platform are redundant. We use Microsoft Azure's highly available resources to shield our system and services from the effects of possible server failures. If there's a server failure, users can carry on as usual because their data and Radix Data services will still be available to them.

DDoS prevention

We use Microsoft Azure, a well-established and trustworthy service provider, technologies to prevent DDoS attacks on our systems. These technologies offer multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic, while allowing good traffic through. This keeps our websites and applications highly available and performing.

Server hardening

All servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System (OS) image has server hardening built into it, and this OS image is provisioned in the servers, to ensure consistency across servers.

Intrusion detection and prevention

Our intrusion detection mechanism takes note of host-based signals on individual devices and network-based signals from monitoring points within our system. Administrative access, use of privileged commands, and system calls on all virtual machines in our production network are logged. Rules and machine intelligence built on top of this data give security engineers warnings of possible incidents. At the application layer, we have web application firewalls (WAF) which operates on both whitelist and blacklist rules.

At the Internet Service Providers (ISP) level, a multi-layered security approach is implemented with scrubbing, network routing, rate limiting, and filtering to handle attacks from network layer to application layer. This system provides clean traffic, reliable proxy service, and a prompt reporting of attacks, if any.

Data security

Secure by design

Every change and new feature is governed by a change management policy to ensure all application changes are authorized before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as screening of code changes for potential security issues with our code analyzer tools, vulnerability scanners, and manual review processes.

Data isolation

Our framework distributes and maintains the cloud space for our customers. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework. This ensures that no customer's service data becomes accessible to another customer.

The service data is stored on our cloud infrastructure. Your data is owned by you, and not by Radix Data. We do not share this data with any third-party without your consent.

Encryption

In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, for all connections including web access, API access, our mobile apps, and IMAP/POP/SMTP email client access. This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting data to be transferred. Additionally, for email, our services leverage opportunistic TLS by default. TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.

We have full support with our encrypted connections, which ensures that even if we were somehow compromised in the future, no previous communication could be decrypted. We have enabled HTTP Strict Transport Security header (HSTS) to all our web connections. This tells all modern browsers to only connect to us over an encrypted connection, even if you type a URL to an insecure page at our site. Additionally, on the web we flag all our authentication cookies as secure.

At rest: Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). The data that is encrypted at rest varies with the services you opt for. We maintain the keys using Microsoft Azure Key Vault. We provide additional layers of security by encrypting the data encryption keys using master keys. The master keys and data encryption keys are physically separated and stored in different servers with limited access.

Data retention and disposal

We hold the data in your account as long as you choose to use Radix Data Services. Once you terminate your Radix Data user account, your data will get deleted from the active database during the next clean-up that occurs once every 6 months. The data deleted from the active database will be deleted from backups after 3 months. In case of your unpaid account being inactive for a continuous period of 120 days, we will terminate it after giving you prior notice and option to back-up your data. Once your account is in good standing, Radix Data will reinstate your workspace. The Master Services Agreement contains provisions for exiting the Agreement with Radix Data which includes but is not limited to obtaining a backup of your workspace.

A verified and authorized vendor carries out the disposal of unusable devices. Until such time, we categorize and store them in a secure location. Any information contained inside the devices is formatted before disposal. Microsoft Azure uses a degausser for failed hard drives and crypto erase for Solid State Devices (SSDs) and then physically destroys them using a shredder.

Identity and Access control

Single Sign-On (SSO)

Radix Data offers single sign-on (SSO) that lets users access multiple services using the same sign-in page and authentication credentials. When you sign into any Radix Data service, it happens only through our integrated Identity and Access Management (IAM) service.

SSO simplifies login process, ensures compliance, provides effective access control and reporting, and reduces risk of password fatigue, and hence weak passwords.

Multi-Factor Authentication

It provides an extra layer of security by demanding an additional verification that the user must possess, in addition to the password. This can greatly reduce the risk of unauthorized access if a user’s password is compromised. You can configure multi-factor authentication using Radix Data One-Auth. Currently, different modes like biometric Touch ID or Face ID, Push Notification, QR code, and Time-based OTP are not supported.

Administrative access

We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.

Access to production environments is maintained by a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Furthermore, we facilitate such access through a separate network with stricter rules and hardened devices. Additionally, we log all the operations and audit them periodically.

Operational security

Logging and Monitoring

Access to production environments is maintained by a central directory and authenticated using a combination of strong passwords and two-factor authentication. Furthermore, we facilitate such access through a separate network with stricter rules and hardened devices. Additionally, we log all the operations and audit them periodically.

Detailed audit logging covering all update and delete operations performed by the user are available to the customers in every Radix Data service.

Vulnerability management

We have a dedicated vulnerability management process that actively scans for security threats using Microsoft Azure Security Center, and with automated and manual penetration testing efforts. Furthermore, our security team actively reviews inbound security reports and monitors public mailing lists, blog posts, and wikis to spot security incidents that might affect the company’s infrastructure.

Once we identify a vulnerability requiring remediation, it is logged, prioritized according to the severity, and assigned to an owner. We further identify the associated risks and track the vulnerability until it is closed by either patching the vulnerable systems or applying relevant controls.

Malware and spam protection

We scan all files using Microsoft Defender to stop prevent malware from being spread through Radix Data’s environment. Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

With the integrated Microsoft 365 Defender solution, security professionals can stitch together the threat signals that each of these products receive and determine the full scope and impact of the threat; how it entered the environment, what it's affected, and how it's currently impacting the organization. Microsoft 365 Defender takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities.

Radix Data supports Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a way to prevent spam. DMARC uses SPF and DKIM to verify that messages are authentic.

Backup

Radix Data utilizes the Microsoft Azure Backup Center and backup vaults to backup databases, files, volume snapshots and other critical data required for service recovery. All daily backups data is retained for a period of three months. If a customer requests for data recovery within the retention period, we will restore their data and provide secure access to it. The timeline for data restoration depends on the size of the data and the complexity involved.

Azure backup vaults use various techniques to ensure data integrity and high availability of the backup data.

Disaster recovery and business continuity

Application data is stored on resilient storage that is replicated across Microsoft Azure zone redundant storage and is replicated synchronously across three Azure availability zones in the same region and encrypted using AES-256-bit algorithm.

Microsoft has power back-up, temperature control systems and fire-prevention systems as physical measures to ensure business continuity. These measures help us achieve resilience. In addition to the redundancy of data, Microsoft has a business continuity plan for our major operations such as support and infrastructure management.

Incident Management

Reporting

We have a dedicated incident management team. We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will identify, collect, acquire, and provide you with necessary evidence in the form of application and audit logs regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.

We respond to the security or privacy incidents you report to us through security@radixdata.com, with high priority. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address of the Organization administrator registered with us).

Breach notification

As data controllers, we notify the concerned Data Protection Authority of a breach within 72 hours after we become aware of it, according to the General Data Protection Regulation (GDPR). Depending on specific requirements, we notify the customers too, when necessary. As data processors, we inform the concerned data controllers without undue delay.

Vendor and Third-party supplier management

We evaluate and qualify our vendors based on our vendor management policy. We onboard new vendors after understanding their processes for delivering us service, and performing risk assessments. We take appropriate steps to ensure our security stance is maintained by establishing agreements that require the vendors to adhere to confidentiality, availability, and integrity commitments we have made to our customers. We monitor the effective operation of the organization’s process and security measures by conducting periodic reviews of their controls.

Customer controls for security

So far, we have discussed what we do to offer security on various fronts to our customers. Here are the things that you as a customer can do to ensure security from your end:

  • Choose a unique, strong password and protect it.
  • Use multi-factor authentication
  • Use the latest browser versions, mobile OS and updated mobile applications to ensure they are patched against vulnerabilities and to use latest security features
  • Exercise reasonable precautions while sharing data from our cloud environment.
  • Monitor devices linked to your account, active web sessions, and third-party access to spot anomalies in activities on your account and manage roles and privileges to your account.
  • Be aware of phishing and malware threats by looking out for unfamiliar emails, websites, and links that may exploit your sensitive information by impersonating Radix Data or other services you trust.

Conclusion

Security of your data is your right and a never-ending mission of Radix Data. We will continue to work hard to keep your data secure, like we always have. For any further queries on this topic, write to us at security@radixdata.com.