Data Security is Our Number-One Priority
Our website uses Hypertext Transfer Protocol Secure (HTTPS), the secure version of HTTP, the protocol over which data is sent between your browser and the website you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted.
Users are required to change their password every 90 days per the credit bureau regulation.
Multi-Factor Authentication via text and email is used to verify identity before access to our platform is granted.
Certifications and Assessments
What security certifications do you have?
Our Platform undergoes PCI-DSS, EI3PA, and SOC2 compliance certifications and assessments.
Our SOC 2 report is available under NDA for restricted distribution. Recipients wishing to obtain a copy of the SOC 2 report should email a request to [email protected] identifying who they are and their purpose for requesting the report.
For additional compliance and certification information for our cloud services partner Amazon Web Services (AWS), see https://aws.amazon.com/compliance/
What system penetration and vulnerability assessments are performed?
A third-party PCI SSC Approved Scanning Vendor (ASV) conducts external and internal network vulnerability scans at least quarterly and after significant changes to our networking environments. Penetration testing is also conducted at least annually and after significant changes.
Security Policies and Procedures
Information security is the protection of information assets and its objective is to protect the confidentiality, integrity, and availability of the information technology resources and information assets in the organization’s possession. Our Platform’s Information Security Policy applies to all information technology resources used for the storage, processing and/or transmission of sensitive data and to all sensitive data within the organization.
Information security is a responsibility shared between all parties with access to our Platform systems, including end-users and service providers.
What is your business continuity and disaster recovery (BCDR) policy?
Our Platform maintains a Business Continuity and Disaster Recovery Plan which details the policies and procedures in the event of a disruption to critical system services or damage to IT equipment or data. These processes will ensure that those assets are recoverable to the right level and within the right time frame to deliver a return to normal operations, with minimal impact on the business. We have a responsibility to maintain business operations in the face of natural disaster, catastrophe, or security breaches. Emergency preparedness training and strategy are to be refined, discussed, and practiced in an annual Incident Response Meeting.
What is your database backup strategy?
Our Platform utilizes real-time database mirroring across multiple geographically isolated availability zones in the US-West-2 (Oregon) and US-East-1 (Virginia) AWS Regions to ensure the availability and durability of system data. In the event of a catastrophic primary database failure, the system can automatically promote a reader instance to primary in a matter of minutes. Additionally, nightly database snapshots are kept for fourteen days, allowing point-in-time recovery.
What is your data encryption policy?
Our Platform encrypts sensitive data using industry-standard protocols and ciphers. Sensitive data in motion or transit (e.g. data transmitted across a network) is encrypted using HTTPS and TLS 1.2. Sensitive data at rest (e.g. data stored in a database) is encrypted using AES-256.
Our Platform manages encryption keys using a fully managed Key Management Service (KMS). Our Platform does not provide access to, accept from, or manage encryption keys on behalf of end-users. Designated Key Custodians must sign a form stating that they understand and accept their custodial responsibilities.
What are your software development policies and procedures?
Our Platform maintains a Software Development Policy to ensure that security best practices (e.g. OWASP, SANS CWE, CERT Secure Coding, etc.) are followed throughout the software development lifecycle. A standard, consistent, repeatable process helps prevent the inadvertent or malicious introduction of vulnerabilities into our Platform's environment with code changes.
How are TenantReports.com personnel vetted and trained?
All employees must pass a thorough, pre-employment background screening prior to beginning employment. Additional screening may be conducted as necessary for promotion, transfer, or reassignment. Employees undergo job function and security awareness training as part of the on-boarding process and at regular intervals throughout their tenure. Training for the Software Engineering team includes secure coding practices (e.g. OWASP) training. Employees are assigned access rights and roles with least privileges and only as necessary to fulfill their specific job responsibilities.
What is the TenantReports System technology stack?
Users securely access TazWorks’ System over the Internet using HTTPS and a current version of Chrome, Firefox, Safari, Internet Explorer, or Microsoft Edge Internet browser.
How does TenantReports monitor for performance and security?
Our Platform's operational health is monitored through a combination of AWS CloudTrail events and alarms, Amazon Elastic Compute Cloud (EC2) health checks, Amazon Relational Database Service (RDS) alarms, New Relic analytic tools, and other third-party monitoring solutions. The Operations team reviews utilization, performance, and availability through console monitoring and receives active alerts and notifications through multiple channels, including email, SMS text, and telephone.
Our Platform provides a public-facing status page at https://status.tazworks.com with real-time health information and support for notification subscriptions.
Monitoring and intrusion/threat detection and prevention (IDS/IPS) is achieved through a combination of Amazon Web Services (AWS) CloudTrail, AWS GuardDuty, AWS Web Application Firewall, RSYSLOG, and OSSEC. Events and alerts are logged, reviewed, evaluated, and handled as appropriate by the Operations team.