We combine enterprise-grade security features with comprehensive audits to ensure your data is protected.
Repositax subscribes to the governance platform, Drata, which enables us to establish our procedures and measure our adherence to them to ensure continuous compliance with industry standard best practices. This is the first step towards objectively certifying our controls to ensure the continuous security of our customers’ data, including obtaining a SOC 2 Type 2 attestation report by an independent auditor and ISO/IEC 27001 certification.
The SOC 2 audit uses the Trust Services Criteria developed by the Assurance Services Executive Committee (ASEC) of the AICPA. These criteria are used to evaluate the suitability of the design and the operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or to the confidentiality or privacy of the information processed.
ISO/IEC 27001 is a widely recognised certification that specifies the requirements for an information security management system. Implementing it enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to them by third parties.
Repositax hosts all its software in Amazon Web Services (AWS) facilities in the USA. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 1, 2 and 3, and ISO 27001. See Amazon’s compliance and security documents for more detailed information.
All of the Repositax servers are located within Repositax’s own virtual private cloud (VPC), protected by restricted security groups allowing only the minimal required communication to and between the servers. Repositax conducts third-party network vulnerability scans at least annually.
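The "minimal required communication" property of the security groups described above is something an operator can check mechanically rather than by eye. The script below is an added example, not Repositax tooling: it walks a list shaped like the `SecurityGroups` output of boto3's `describe_security_groups()` and flags any ingress rule that is open to the whole Internet (`0.0.0.0/0` or `::/0`) on anything other than an allowed set of TCP ports. The groups are constructed sample data, and the policy that only ports 80 and 443 may be world-reachable (80 so that HTTP can be redirected to HTTPS) is an assumption; rules whose source is another security group are treated as the intended server-to-server pattern and never flagged.

```python
"""Least-privilege check for AWS security-group ingress rules.

Added example; not Repositax's own tooling. The input mirrors the
``SecurityGroups`` list returned by boto3's ``describe_security_groups()``,
but the groups below are constructed sample data, and the policy of which
TCP ports may be open to the whole Internet is an assumption.
"""
import ipaddress

# Assumed policy: the only TCP ports that may accept traffic from any source.
PUBLIC_TCP_PORTS = {80, 443}


def _world_open_sources(perm):
    """Return the CIDR sources of one IpPermissions entry that mean 'anywhere'."""
    sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    # A /0 prefix (0.0.0.0/0 or ::/0) matches every address.
    return [s for s in sources
            if s and ipaddress.ip_network(s, strict=False).prefixlen == 0]


def _port_span(perm):
    """Return the (low, high) port range of a rule; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def find_violations(security_groups, public_tcp_ports=PUBLIC_TCP_PORTS):
    """Flag ingress rules reachable from the Internet beyond the allowed TCP ports.

    Rules whose source is another security group (UserIdGroupPairs) carry no
    CIDR and are therefore never flagged: that is the intended pattern for
    traffic between servers inside the VPC.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = _world_open_sources(perm)
            if not sources:
                continue
            proto = perm.get("IpProtocol")
            low, high = _port_span(perm)
            if proto == "tcp":
                # Only a problem if the span reaches a port outside the policy.
                if all(p in public_tcp_ports for p in range(low, high + 1)):
                    continue
                ports = f"{low}-{high}"
            else:
                # Any non-TCP protocol (or "all traffic") open to the world is flagged.
                ports = "all" if proto == "-1" else f"{low}-{high}"
            findings.append({
                "group": sg["GroupId"],
                "protocol": "all" if proto == "-1" else proto,
                "ports": ports,
                "sources": sources,
            })
    return findings


# Constructed sample data shaped like describe_security_groups() output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # allowed: HTTP redirect
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # violation: SSH from anywhere
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},       # fine: group-to-group
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},       # fine: group-to-group
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # violation: everything open
    ]},
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['protocol']} {f['ports']} open to {', '.join(f['sources'])}")
```

Run against live data by replacing `SAMPLE_GROUPS` with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`; an empty result from `find_violations` is the evidence an auditor would want for the "minimal required communication" claim, and a non-empty one is a concrete remediation list.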
Repositax continuously monitors 140+ security controls across the organization using Drata, a security and compliance automation platform.
Automated alerts and evidence collection allow Repositax to confidently prove its security and compliance posture any day of the year, while fostering a security-first mindset and culture of compliance across the organization.
All connections to Repositax are encrypted using SSL/TLS, and any attempt to connect over plain HTTP is redirected to HTTPS. All customer data is encrypted at rest and in transit.
System passwords are encrypted using AWS KMS with restricted access to specific production systems.
We use industry-standard data storage systems hosted at AWS.
Data access and authorizations are provided on a need-to-know basis, and based on the principle of least privilege. Access to the AWS production system is restricted to authorized personnel.
Repositax’s security policies are maintained, communicated, and approved by management to ensure everyone clearly knows their security responsibilities.
The employee hiring process includes background checks.
Code development is done through a documented Secure Development Life Cycle process. Design of all new product functionality is reviewed by its security team. Repositax conducts mandatory code reviews for code changes and periodic in-depth security review of architecture and sensitive code. Repositax development and testing environments are separate from its production environment.
At least annually, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Repositax security controls.
Vulnerability Disclosure Process – Repositax considers security to be a core function of our platform. Earning and keeping the trust of our customers is our top priority, so we hold ourselves to the highest security standards.
Web application architecture and implementation follow OWASP guidelines.
In addition to Repositax’s internal testing program, Repositax conducts application penetration testing by a third party at least annually.
Single sign-on (SSO) allows you to authenticate users without requiring them to enter login credentials for your Repositax instance.
Audit logging lets administrators see when users last logged in and what features they used.
In addition to automated monitoring, Repositax applications and infrastructure are monitored by live staff 24/7, every day of the year.
All access to Repositax applications is logged and audited. Logs are kept for at least one year and Repositax maintains a formal incident response plan for major events.
If you have discovered a security issue that you believe we should know about, we would love to hear from you. Please review our Responsible Disclosure Policy and reach out to us at sales@repositax.com.
Repositax maintains a security portal which contains the details of our security program along with supporting documentation. Access may be requested through this portal which is located here: https://security.repositax.com/.