Rods&Cones Security Statement
Rods&Cones maintains an information security program focused on the security and integrity of customer data. The information security program includes administrative, technical, and operational controls appropriate for the size of its business and the types of information it processes.
Rods&Cones monitors its systems by logging security-related events, alerting suspicious activity, and conducting further analysis on suspicious activity.
Logical Access Control
Access to customer data is restricted based on the least privilege principle; access is issued via a documented access authorization process.
User access review
We periodically evaluate user access throughout the entire life cycle of a user account, from the creation to the termination of a user account to ensure the appropriateness of user accounts. Every month, the Rods&Cones application generates a report with the access right (role), last access time, access frequency for each user. This report is available for each account. The Rods&Cones Platform Operations Manager can change the role or revoke access for account managers and super admin users whose access has changed or is no longer required. The Account Managers can do the same for the users in their accounts.
Rods&Cones ensures it hires skilled professionals who follow the Rods&Cones security and data privacy training and sign a confidentiality agreement, acceptable use of information systems agreement, and code of conduct. Personnel transfers result in access management changes based on least privilege and role.
Rods&Cones maintains an information security incident management program that provides timely response and notification as appropriate to security incidents in order to protect customer information appropriate for the size of its business.
Business continuity policy
All Rods&Cones owned information stored in cloud SAAS systems where information is duplicated on multiple sites by data processors. For restoring data, the Rods&Cones team ensures a sane backup-recovery policy.
Software release process
Thanks to the SaaS architecture, there is one single version of Rods&Cones cloud infrastructure.
The agile development process is structured for a bi-weekly cycle for minor releases and a quarterly cycle for major releases. The process involves all stakeholders of the company, supported by the latest tools.
User passwords are protected with industry-standard SHA512 encryption. We enforce 2-step verification. Rods&Cones staff does not have access to the user passwords. Login credentials are always transmitted securely over HTTPS.
The data and applications are hosted on Microsoft Azure, all hosted in The Netherlands. These platforms are compliant with the most stringent security standards.
OWASP Top 10
We checked our application with the OWASP Top 10.
Data is stored using 256-bits AES encryption and server-side decryption.
Rods&Cones has implemented firewall, intrusion detection and antivirus security controls to protect customer data from loss or unauthorized disclosure.
Backups and Disaster recovery
We implement daily backups of the filesystems which can be redeployed in case of disaster.
All web connections to client instances are protected with state-of-the-art 128-bit SSL encryption. The connection uses TLS 1.2. The connection is encrypted and authenticated using AES_128_GCM cipher.
4.3. Privacy specific security measures
Rods&Cones platform and thus all stored personal data are hosted and stored on Microsoft Azure, certified ISO 27018. The data is physically hosted in The Netherlands.
Access control authentication and authorization are based on login password credentials, combined with further restrictions based on originating IP address and target domain name. Authorization is based on access control lists attached to administrators or users.
In order to fulfill the constraints described in Article 32 of GDPR, Rods&Cones:
- relies on Microsoft Ireland Operations Limited to deny unauthorized persons access to data-processing equipment used for processing personal data (equipment access control);
- relies on authentication and authorization processes described here before to prevent the unauthorized reading, copying, modification, or removal of data media (data media control);
- relies on Microsoft Ireland Operations Limited and appropriate authentication and authorization processes described here before to prevent the unauthorized input of data and the unauthorized inspection, modification, or deletion of stored personal data (storage control);
- relies on authentication and authorization processes described here before to prevent the use of automated data-processing systems by unauthorized persons using data communication equipment (user control);
- relies on authentication and authorization processes described here before to ensure that persons authorized to use an automated data-processing system only have access to the data covered by their access authorization (data access control);
- relies on authentication and authorization processes described here before combined with administrative logs and communication encryption to ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment (communication control);
- relies on authentication and authorization processes described here before combined with collected data along the collection chain (as described here before) to ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input (input control);
- relies on encrypted transport (HTTPS) and/or encrypted zip files to prevent the unauthorized reading, copying, modification, or deletion of personal data during transfers of personal data or during transportation of data media (transport control);
- relies on backup processes to ensure that installed systems may, in case of interruption, be restored (recovery);
- relies on regular regression tests to ensure that the functions of the system perform, that the appearance of faults in the functions is reported (reliability) and that stored personal data cannot be corrupted by means of a malfunctioning of the system (integrity).