Application Security
- Our web application architecture and API implementation follows OWASP guidelines.
- Application actions have unique permissions that are evaluated based on context such as the user and roles.
- We support Single Sign-On (SSO) via Auth0. New SSO users can be automatically provisioned with RBAC support.
- Secrets and API tokens are stored encrypted at rest.
- A risk assessment is performed annually.
- An incident response plan is in place to trace issues to their resolution and to perform post-incident reviews.
Data Security
- All data transmissions are protected with TLS (HTTPS) encryption and HSTS.
- Customer information is encrypted during transit.
- Data is stored and managed by AWS with full encrypted database backups performed every 1 hour.
- Access to systems is authorized on a need-to-know basis and follows the principle of least privilege.
- Access to prod AWS is restricted to a few key employees and is controlled by secure IdP and protected by two-factor authentication (FIDO U2F Security Key).
- Customer data can be requested and erased from Resourcely in accordance with the Terms of Service and Privacy Policy after the termination of the contract.
Software Development Life Cycle
- Application code changes require mandatory review and at least one approval.
- Architecture and sensitive code undergo periodic security reviews.
- Production environment is separate from development, testing, and staging environments.
- Customer data stays within the production environment.
Infrastructure
- Our production infrastructure is designed with redundancy measures, such as failover, content delivery networks, load balancing, and standby replicas, to ensure seamless and uninterrupted operations.
- We have a comprehensive Business Continuity Plan and Disaster Recovery Plan that undergoes an annual review to ensure our ability to respond to unforeseen events and minimize disruptions to our business.
- We utilize a third-party service to monitor the performance and system information, enabling us to detect and address issues promptly.
Security Policies
- New employees undergo a thorough background check as part of the hiring process to ensure they have a clean record.
- Regular security awareness training is provided to all new hires to identify and prevent potential security threats.
- Employee workstations are managed remotely using a secure MDM solution to minimize security risks and ensure all software is up-to-date and correctly configured.
- Disk encryption technology is used on all employee workstations to provide an extra layer of protection for sensitive data, and remote wipe capability is available to erase a lost or stolen device.
Responsible Disclosure
- We take security seriously at Resourcely and are committed to ensuring the safety and privacy of our users and their data.
- If you happen to discover a security vulnerability in our system, please report it to us as soon as possible by simply sending an email to our security team at security@resourcely.io with details of the vulnerability and any supporting information that you have.
- We will make every effort to respond to your email as quickly as possible and keep you informed throughout the process of resolving the issue.
