Security

Last Published December 12, 2018

RecordPoint is committed to helping keep customer data secure, maintain privacy and meet compliance regulations, while providing high service availability. We have risk-based information security and privacy controls and a compliance framework to ensure that our infrastructure meets our commitments while helping customers meet their complex compliance requirements.

RecordPoint has rigorous internal policies and a training program relating to physical security standards, change management and security notifications, problem management and operational monitoring, including system backup and logical security.

RecordPoint currently holds a SOC 2 Type 2 attestation report from an independent auditor for the following trust principles:

  • Security - The system is protected against unauthorised access.
  • Availability - The system is available for operation and use as committed or agreed.
  • Confidentiality - Information designated as confidential is protected as committed and agreed.

RecordPoint is committed to renewing the SOC 2 Type 2 attestation report with an independent auditor on an annual basis to ensure that systems are being operated and managed in a way that adheres to the three trust principles above.

The Records365 service is delivered on Microsoft Azure. This platform provides many of the underlying infrastructure, security, networking and management services that support the application workloads.

All Records365 data centres are audited against SSAE 16, SOC 1 and SOC 2.

For large or sensitive customers, the Records365 service may be optionally single-tenanted. In this scenario, each instance is only assigned to a single customer (at additional cost).

Typical security measures include:

  • Role-based administrative control
    • Unique usernames and passwords for multiple administrators
    • Role-based permissions
  • Storage level data isolation
  • Network Security
    • Layer-2 VLANs
    • Firewall rules allow controlled access into each network host
    • NAT and VIP functions
    • Load-balancing and port translation across multiple virtual servers, with the ability to take servers in and out of service manually, programmatically, or based on monitoring probes
  • Denial of Service Protection
    • Protection against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, worms or botnets
  • Encryption
    • TLS encryption of all inbound / outbound communications to and from the service
    • Secure Access
    • Data at Rest Encryption
  • Audit Reporting
    • Audit logs of all environmental changes
  • Logged Change Management procedures
  • Security Incident Response team to handle escalation of relevant incidents to law enforcement and/or executive management as prescribed in security policies
  • Standard notification procedures
  • Customer audit and log feed (at additional cost)

TLS is used for client access traffic. This helps prevent spoofing and impersonation and provides confidentiality for messages in transit.