Infrastructure and Security

Compliance

  • SOC 2: Recidiviz has successfully completed a Service Organization Control 2 (SOC 2) Type 2 audit for its hosted services.
  • CJIS: Recidiviz is compliant with CJIS requirements that all staff with access to CJI undergo Level 4 CJIS security training and necessary background checks. Additionally, Recidiviz's product, corporate, and cloud environment are built to comply with CJIS requirements.
  • HIPAA: Recidiviz's security program conforms to HIPAA security requirements for its hosted services and corporate environment. All Recidiviz employees are trained in maintaining the confidentiality, integrity, and availability of protected health information (PHI).
  • Vendors: Recidiviz works exclusively with trusted third-party cloud vendors that maintain compliance with major applicable compliance standards, including but not limited to SOC-2 Type II, ISO 27001, ISO 27018, and others as applicable to the nature of a particular data classification or partner organization.
  • GCP: Recidiviz heavily leverages GCP's Platform-as-a-Service (PaaS) offerings, meaning that GCP manages the underlying infrastructure of Recidiviz's entire product suite. Google has attested that all infrastructure underlying Recidiviz's products is compliant with ISO 27001, FedRAMP, HIPAA, and NIST 800-53, to name a few. Details about GCP's compliant and secure infrastructure can be found here: https://cloud.google.com/security/compliance/offerings

Cloud Infrastructure

  • Anti-DDoS: Recidiviz utilizes an anti-DDoS system to provide guaranteed uptime for our product.
  • BC/DR: Recidiviz has a tested and detailed business continuity and disaster recovery plan in the event of a major disruption to one of our key service providers.
  • Google Cloud Platform: Recidiviz hosts applications and data on Google Cloud Platform. Every asset in GCP is continuously monitored and scored against CIS's GCP Security Benchmark.
  • Separate Environments: Recidiviz maintains completely separate production and development environments to ensure product stability.
  • Encryption in Transit: All data and web content are always encrypted-in-transit, both within internal systems and to or from external systems. This encryption is performed using AES-128, AES-256, or better as recognized by the broader security community.
  • Encryption at Rest: All state and user information is always encrypted-at-rest. This includes at least file-level encryption or full disk-level encryption, and usually both simultaneously (using AES-128, AES-256, or better).

Access Control

  • Data Access: Recidiviz strictly monitors access to customer data and only permits it on an as-needed basis.
  • Logging: Recidiviz keeps detailed logs of all activities on company resources and reviews logs to identify irregularities on a weekly basis.
  • Password Security: Recidiviz enforces stringent password security policies and MFA (Multi-Factor Authentication) based access for all our employees via our corporate identity provider.

Non-Repudiation

  • Audit Logs: All system events, including but not limited to automatic systems operations, data access, and administrative actions, are automatically gathered into audit logs which are archived and regularly reviewed.
  • Encryption of Operational Metrics: Automatically generated systems data, including application logs, audit logs, operational metrics, and similar, are also always encrypted-in-transit and encrypted-at-rest, using the same standards.

Product Security

  • Access Control: The principle of complete mediation is used in Recidiviz's authentication system to ensure that authentication and authorization are checked prior to all attempts to access data. Since data access points and interfaces require both authentication and authorization, access is limited to only those parties who have a legitimate need for the provision of our Services. Where possible, this will additionally require multi-factor authentication.
  • Bot Detection: All Recidiviz applications have multiple bot detection and anti-automation security controls in place. We use these controls to protect our web applications from automated login attacks, denial-of-service attacks, and unauthorized automated behavior.
  • Bug Bounty: Responsible disclosures of vulnerabilities in technical or organizational systems are appropriately triaged through the Recidiviz Vulnerability Disclosure Program.
  • Code Review: All changes made to the source code underlying Recidiviz services are reviewed by internal staff for potential flaws in logic, security, or otherwise, and all changes are automatically scanned for known security vulnerabilities.
  • Vulnerability and Patch Management: Automated code analysis and vulnerability scans are performed on Recidiviz applications prior to each release. In addition, penetration tests are performed annually by a third-party security consultant.
  • Software Development Lifecycle: Recidiviz uses an Agile methodology that incorporates cross-functional teams with members from Product Management, Engineering, Security and State Engagement. Overarching Release and Quality processes ensure necessary oversight and consistency throughout the organization.
  • Credential Management: Credentials are managed using Google Cloud Platform's Secret Manager.
  • Role-Based Access Control: Recidiviz products offer role-based access control that allows administrators to provision different levels of access.
  • Audit Logging: Recidiviz products log all user activity to enable easy auditing of usage patterns.
  • Single Sign-On: Single Sign-On with SAML 2.0 authentication is supported. The Single Sign-On (SSO) feature allows you to integrate with a third-party Identity Provider (IdP) and implement SSO.

Corporate Security

  • Email Protection: Recidiviz uses Google Workspace’s strongest email security controls to filter out suspicious emails.
  • Background Checks: All Recidiviz staff receive thorough background checks, at the county, state, and federal levels, as part of the onboarding process which is required prior to receiving access to sensitive data.
  • Employee Training: Recidiviz has a comprehensive employee training program that includes in-depth training. Additionally, employees undergo CJIS Level 4 Security Training. The engineering and security staff stay current on the latest tools and techniques available for enhancing security and privacy practices, and adopt them where reasonable in a timely fashion.
  • Incident Response: Recidiviz has a dedicated incident response team and plan.
  • Mobile Device Management: We provision, deploy, and manage all company computers using an MDM program.
  • Single Sign-On: As feasible, we require employees to use SSO to log in to all company resources.

Network Security

  • DNSSEC: DNSSEC is in place for all Recidiviz domains.
  • TLS: HTTPS is enabled and required for all web-based services, using TLS 1.1 or higher.
  • Firewall: Recidiviz utilizes a firewall to protect networked company resources.
  • IDS/IPS: Recidiviz uses an IDS to identify inbound and outbound traffic which is malicious in nature. Recidiviz uses an IPS to protect critical infrastructure, data, and vulnerable applications in real-time from known, undisclosed, and unknown vulnerabilities without adversely affecting network performance.
  • Traffic Filtering: Traffic on the Recidiviz network is filtered for known malicious domains.
  • Virtual Private Cloud: Recidiviz utilizes a virtual private cloud to ensure that all compute needs are met in a secured environment, separate from other public cloud tenants.

Endpoint Security

  • Disk Encryption: Recidiviz uses FileVault to encrypt the data on our corporate laptops.
  • DNS Filtering: DNS filtering is used to block access to known malicious websites through Chrome's Enterprise Browser Management Solution.
  • Endpoint Detection and Response: Recidiviz has deployed an Endpoint Detection and Response (EDR) solution to protect computers from malware and other threats.
  • Mobile Device Management: Recidiviz provisions, deploys, and manages all company computers using an MDM program.
  • Disk Cleanup: All data deletion from Recidiviz-owned or -controlled machines is in accordance with either DoD 5220.22-M(E) (3 or 4 pass) or DoD 5220.22-M(ECE) (7 pass) deletion protocols.

Contact

Security Questions

Our security infrastructure will change over time in response to changing circumstances, new requirements, and technical development. You can reach us at security@recidiviz.org for any questions or comments pertaining to our security and privacy practices, including but not limited to:

  • Questions about our terms of service, privacy policy, or how we protect and work with sensitive data
  • Informational requests related to our application and network architecture, security mechanisms, and tech stack

Vulnerability Disclosure Program

Recidiviz welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you.

Please report all security issues directly to our Vulnerability Disclosure Program:

We will do our best to respond to all inquiries as quickly as possible—typically within no more than two business days—specifically prioritizing inquiries related to potential vulnerabilities or technical issues.

Copyright © 2017, Recidiviz. All Rights Reserved.