Reeher takes data security very seriously. We understand that you will be entrusting us with sensitive constituent data as well as your own institution’s financial information. We have shown our commitment to information security with an ISO 27001:2013 certification. This is our demonstration to our customers that we follow a systematic approach to managing sensitive information so that it remains secure. The ISO standard includes policies that apply to people, processes, and IT systems to ensure best-practice risk management.
CORPORATE POLICIES AND PROCEDURES
All employees receive comprehensive security awareness training as part of our onboarding training process. All laptops and workstations are centrally managed, monitored for viruses and malware, and use full disk encryption. All employee mobile devices require full-disk encryption and have monitoring software installed with the ability to remotely wipe the device.
Access to any personally identifiable information is limited exclusively to those for whom that access is part of their necessary business function, for example, in troubleshooting or analytics. Multi-factor authentication is required for access to customer information.
We host all data at a datacenter that is audited to industry standards including SSAE16 and PCI. It is Tier II plus type 2 SOC 1 compliant and includes 24-hour staffed surveillance and CCTV video surveillance, in addition to keycard access and physical access logs.
YOUR INSTITUTION’S ACCESS TO OUR SERVICES
The Reeher Platform includes multiple levels of access rights that allow administrators to enable or disable access to specific types of information. User access can be administered at the group level or customized for a specific user. Settings management includes options for mapping codes from the client database to match how they will be measured in Reeher, maintaining an overview of queries created in our reporting tool, and settings for access to our Mobile App.
Any transfer of data between your institution and Reeher is via encrypted channels. Our customers are served from a multi-tenant architecture where each institution’s data is logically partitioned, and access to end-users is controlled based on login credentials. As your data reaches our production datacenter, it is protected by industry standard AES-256 bit encryption-at-rest.
We employ monitoring services to ensure the uptime and performance of our platform, and staff are available on-call to handle outages or security incidents. Availability of Reeher’s services can be viewed 24/7/365 at http://status.reeher.com
REDUNDANCY AND SCALABILITY
Building redundancy is a key requirement for Reeher systems. All systems directly supporting the Reeher Platform have inherent local redundancy built in, specifically dual firewalls, application server pools, clustered databases, load balancers, etc.
The Reeher Platform is protected by a comprehensive Disaster Recovery that includes replication to a secondary service that can be acted upon in the event of a major event in our primary facility.
To safeguard against smaller or localized issues, Reeher performs encrypted daily backups from our production systems locally and securely sends them offsite to a second backup location.
Authentication and Application Security Features
Web connections to the Reeher Platform are secured via SSL, and bulk data exchange utilizes a whitelisted SFTP connection. For authentication, Reeher uses either username and password built into the platform or Single Sign On via SAML. Reeher’s SAML implementation supports Shibboleth, SimpleSAML and Microsoft ADFS for authentication. Our customers’ administrators can require logins via SSO.
Software Development Lifecycle
Before deployment to production on a biweekly basis, code is scanned and tested using an enterprise class security static code analysis tool. Once deployed, a PCI v3 Vulnerability Management Tool is used to simulate user actions within the platform to find and report identified vulnerabilities, which are also acted upon. Reeher’s SDLC follows an agile approach and incorporates security best practices, tools and methodologies including the OWASP guidelines for software security.
If you have any security concerns or believe you have discovered a security issue, please contact us at firstname.lastname@example.org