August 27, 2019
At RecordPoint we are committed to upholding the strictest security on information that we retain and also to ensuring that your information remains protected when our solutions communicate with you or on your behalf.
We have made it our policy to encrypt and secure information that travels between our Records365 service and user computers, information that travels between the components of our systems that communicate over the internet and for critical data at rest.
This statement provides a summary on the use of encryption in the Records365 service and in related RecordPoint computer and communications systems.
Information In Transit
Transport Layer Security (TLS) secures communication transmitted over the Internet using standard encryption technology. Securing communication this way reduces the risk of interception, eavesdropping and forgery.
In Records365, our TLS usage has the following attributes:
- RecordPoint uses TLS uniformly across all publicly available services - including our Azure hosted web services
- RecordPoint does not make use of transport layer security prior TLS 1.2, such as SSL 3.0 or other previous versions with well-known vulnerabilities.
- For internet communication RecordPoint makes use of signing and encryption certificates issued by Public Certification Authorities using SHA-256 (SHA2) and a key length of 2048. Depending on the client a typical cipher negotiation would be AES256-SHA.
- TLS configuration and cipher strength is reviewed annually by a third party auditor that verifies the correct TLS configuration (TLSv1.2 and above) as well as removal of weak ciphers
Information & Data Storage
Records365 applies encryption at the following layers:
- Transparent Data Encryption is applied to our Azure SQL (Postgres) clusters and instances to ensure that data stored is secure. All data stored by the service is secured via the Azure Storage Service through 256 bit AES encryption that is always on and cannot be turned off and is FIPS 140-2 compliant. Azure SQL for Postgres inherit network security and compliance from Microsoft Azure and provide a managed layered security model with DDoS protection, a secure gateway, SSL encrypted network traffic, native firewalls, native authentication, and finally all data is automatically encrypted by the service. This primarily protects against a scenario where the physical media (such as drives or backup tapes) are stolen and a malicious party is able to restore or attach the database and browse the data.
- Backup Encryption is applied to all Azure SQL (Postgres) backups which are encrypted using AES 256-bit encryption. Backups are automatically managed by Azure.
Ciphers in use meet or exceed the set defined as “AES-compatible” or “partially AES-compatible” according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding documents according to the date of implementation.
Signature algorithm used is typically RSA with 2048 key length, PKCS#7.