RELAYTO/ takes security and safety seriously, protecting the confidentiality, integrity, and availability of customer data. We recognize security as a crucial aspect of our system. At RELAYTO/, the latest technologies and security best practices are used to provide a secure service. This FAQ highlights various elements and answers certain security-related questions about RELAYTO/.
How do you mitigate security vulnerabilities?
Systems are managed such that security vulnerabilities can be mitigated via centrally managed patch repositories and configuration compliance mechanisms. Routine vulnerability scans and internal penetration tests are performed to expose any lapses in preventative application access controls. Security patches are prioritized and applied within 24 hours when possible.
How does your patching test and deployment work?
Patches (e.g. hotfixes) go through a process very similar to the rest of our product releases. The fixes are reviewed by another developer and functionally tested by QA. Depending upon the fix, we will then test the fix on our stage environment. If that all passes, then we deploy to production.
Does RELAYTO provide an SLA?
Yes, in this Master Subscription Packet.
Can RELAYTO be affected by DDOS attacks?
RELAYTO/ has partnered with Cloudflare, the leader in Web Performance and Security on the Web, in order to protect ourselves from DDoS attacks. We benefit from the Cloudflare network and its experience of mitigating DDoS attacks. Technical excerpt from the Cloudflare website:
Cloudflare’s advanced DDoS protection, provisioned as a service at the network edge, matches the sophistication and scale of such threats, and can be used to mitigate DDoS attacks of all forms and sizes including those that target the UDP and ICMP protocols, as well as SYN/ACK, DNS amplification and Layer 7 attacks.
Cloudflare is one of the largest DDoS protection networks in the world. It offers flat-rate DDoS protection based on Anycast technology and has successfully mitigated attacks bigger than 400Gbps.
Can I use RELAYTO on premise?
RELAYTO/ does not offer an on-premise solution at this moment. If you are interested in exploring enterprise hosting options, please contact [email protected]
Do RELAYTO/ employees access customer data?
RELAYTO/ does not access customer data or customer environments as part of day-to-day operations. When customers request support, authorized RELAYTO/ employees are able to view customer data and will only do so when specifically requested or when required such as making recommendations to improve document experience, give design suggestions, and so forth. All RELAYTO/ employees are trained and understand that customer data privacy and confidentiality is paramount, and under no circumstances is customer data ever disclosed to a third-party. Only a limited subset of RELAYTO/ employees have the ability to view customer environments where that stored data is accessible. Access is routinely evaluated to ensure those rights are retained only when necessary by job function.
All system access is logged such that any unauthorized access can be tracked and individual user actions audited.
Where is my data stored?
Your data is stored at the Amazon Web Services (AWS) data centers in Ireland. You can read about the AWS security practice here.
All published document content, media, and other assets are served from AWS S3 with AWS CloudFront in front as a CDN.
Do you have a business continuity plan?
RELAYTO has a business continuity plan to address how to resume or continue providing services to users—as well as how to function as a company—if business-critical processes and activities are disrupted. We conduct a cyclic process consisting of the following phases:
- Business impact and risk assessments. We conduct a business impact assessment (BIA) at least annually to identify processes critical to RELAYTO, assess the potential impact of disruptions, set prioritized timeframes for recovery, and identify our critical dependencies and suppliers. We also conduct a company-wide risk assessment at least annually. The risk assessment helps us systematically identify, analyze, and evaluate the risk of disruptive incidents to RELAYTO. Together, the risk assessment and BIA inform continuity priorities, and mitigation and recovery strategies for business continuity plans (BCPs).
- Business continuity plans. Teams identified by the BIA as critical to RELAYTO’s continuity use this information to develop BCPs for their critical processes. These plans help the teams know who is responsible for resuming processes if there’s an emergency, who in another RELAYTO office or location can take over their processes during a disruption, and which methods for communications should be used during a continuity event. These plans also help prepare us for a disruptive incident by centralizing our recovery plans and other important information, such as when and how the plan should be used, contact and meeting information, important apps, and recovery strategies. RELAYTO’s continuity plans are tied into our company-wide crisis management plan, which establishes RELAYTO’s crisis management and incident response teams.
- Plan testing/exercising. RELAYTO tests selected elements of its business continuity plans at least annually. These tests are consistent with the scope and objectives, are based on appropriate scenarios, and are well-designed with clearly defined aims. The tests may range in scope from tabletop exercises to full-scale simulations of real-life incidents. Based on the results of the testing, as well as experience from actual incidents, teams update and improve their plans to address issues and strengthen their response capabilities.
- Review and approval of the business continuity plan. At least annually, our executive staff reviews the business continuity plan and communicates changes to the rest of the team.
Do you have a disaster recovery plan?
To address information security requirements during a major crisis or disaster impacting RELAYTO/ operations, we maintain a disaster recovery plan. The RELAYTO/ Infrastructure Team reviews this plan annually and tests selected elements at least annually. Relevant findings are documented and tracked until resolution. Our Disaster Recovery Plan (DRP) addresses both durability and availability disasters, which are defined as follows.
A durability disaster consists of one or more of the following:
- A complete or permanent loss of a primary data center that stores metadata, or of multiple data centers that store file content
- Lost ability to communicate or serve data from a data center that stores metadata, or from multiple data centers that store file content
An availability disaster consists of one or more of the following:
- An outage greater than 10 days
- Lost ability to communicate or serve data from a storage service/data center that stores metadata, or from multiple storage services/data centers that store file content
We define a Recovery Time Objective (RTO), which is the duration of time and the service level within which a business process or service must be restored after a disaster, and a Recovery Point Objective (RPO), which is the maximum tolerable period in which data might be lost from a service disruption. We also measure the Recovery Time Actual (RTA) during Disaster Recovery testing, performed at least annually. RELAYTO incident response, business continuity, and disaster recovery plans are subject to being tested at planned intervals and upon significant organizational or environmental changes.
Can we restrict individual user access to specific documents?
Yes. Private documents require the user to be authenticated and authorized before accessing a document. The author/publisher has access control settings to give access only to certain user accounts. Learn more about it here.
Are the Personally Identifiable Information and other data encrypted at rest?
Yes. Encryption at rest is automated using AWS's transparent disk encryption, which uses industry-standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by AWS.
Is the connection to RELAYTO encrypted?
Everyone with a RELAYTO/ account has encryption on all RELAYTO/ connections. RELAYTO/ defaults to the secure HTTPS protocol and redirects all traffic to it. The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_ECDSA with P-256), and a strong cipher (AES_128_GCM).
SSL is an acronym for “Secure Sockets Layer”, a security protocol that provides communications privacy over the Internet; TLS, the protocol named above, is its successor. The protocol allows RELAYTO/ to securely communicate in a way that is designed to prevent eavesdropping, tampering, or communications forgery. It is the same technology used by banks and e-commerce companies such as Amazon.com to keep your information safe and secure during transactions. In RELAYTO/'s case, SSL keeps your client communications absolutely secure (RELAYTO/'s normal password protection keeps your information private, but SSL keeps it private and secure). Find out more about SSL.
Is RELAYTO/ protected against injection attacks, cross-site scripting, etc.?
RELAYTO/ combines innovation in incorporating web widgets/embeds and other elements into documents with ensuring that this richer document experience attains enterprise-grade security. The RELAYTO/ technical team reviews security implications and ways to mitigate them. We undergo a rigorous security audit before introducing a new innovative feature.
Here is how RELAYTO/ protects your documents while delivering an interactive web experience.
RELAYTO/ has chosen to partner with Cloudflare, the leader in Web Performance and Security on the Web, in order to benefit from its cloud Web Application Firewall (WAF). Cloudflare’s WAF protects RELAYTO/ from the OWASP top 10 vulnerabilities by default. These OWASP rules are supplemented by 148 built-in WAF rules.
- Broken authentication and session management
- Cross-site scripting (XSS)
- Insecure direct object references
- Security misconfiguration
- Sensitive data exposure
- Missing function-level access control
- Cross-Site Request Forgery (CSRF)
- Using components with known vulnerabilities
- Unvalidated redirects and forwards
You can learn how WAF works here. Brief overview:
Cloudflare sees roughly 2.9 million requests every second, and our WAF is continually identifying and blocking new potential threats.
When a Cloudflare customer requests a new custom WAF rule, Cloudflare analyzes whether it applies to all 4,000,000 domains on the network. If it does, we automatically apply that rule to everybody on our network. The more web properties on the network, the stronger the WAF gets, and the safer the Cloudflare community becomes.
On top of Cloudflare's WAF protection, RELAYTO/ sanitizes all input to provide an additional layer of defense against injection attacks.
On web widget/embed security, RELAYTO/ works with Embedly, and together we maintain the whitelist of web services that can be used in RELAYTO/.
All web widgets/embeds are securely iframed to avoid interference with your content. RELAYTO/ also lets you further tighten the iframe security settings by modifying the iframe permissions. You can read more about it here.
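The whitelist-plus-iframe approach described above can be sketched as follows. This is an added illustration, not RELAYTO/ or Embedly code: the host names, the set of grantable sandbox tokens, and the `buildEmbed` function are assumptions made for the example.

```javascript
// Added illustration, not RELAYTO/ or Embedly code. Hosts are constructed placeholders.
const ALLOWED_EMBED_HOSTS = new Set([
  "player.example-video.test",
  "maps.example-widgets.test",
]);

// Sandbox tokens an author may opt into (an assumed policy).
// allow-same-origin is never granted: without it the frame runs in an opaque
// origin. allow-top-navigation is never granted: it lets the frame redirect
// the whole document page.
const GRANTABLE_TOKENS = new Set([
  "allow-scripts", "allow-forms", "allow-popups", "allow-presentation",
]);

function escapeAttr(value) {
  return value.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Returns { ok: true, html } or { ok: false, reason }.
function buildEmbed(rawUrl, requestedTokens = ["allow-scripts"]) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme not https" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // Exact match on the parsed hostname; substring or suffix checks are bypassable.
  if (!ALLOWED_EMBED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: "host not allowlisted" };
  }
  const rejected = requestedTokens.filter((t) => !GRANTABLE_TOKENS.has(t));
  if (rejected.length > 0) {
    return { ok: false, reason: "sandbox token not grantable: " + rejected.join(",") };
  }
  const sandbox = [...new Set(requestedTokens)].sort().join(" ");
  const html = `<iframe src="${escapeAttr(url.href)}" sandbox="${escapeAttr(sandbox)}"` +
    ` referrerpolicy="no-referrer" loading="lazy"></iframe>`;
  return { ok: true, html };
}
```

Passing an empty token list yields `sandbox=""`, the most restrictive setting, in which the embedded page cannot run scripts at all.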
How is your physical infrastructure protected?
RELAYTO/ utilizes Amazon Web Services (AWS) data centers. Amazon data centers have been accredited under several certificates (including ISO 27001). AWS maintains a high level of physical security to safeguard its data centers. Among other things, it employs two-factor authentication for all authorized staff members, military-grade perimeter controls, and security staff at all ingress points.
As for environmental protection, AWS has sophisticated fire detection and suppression equipment, fully redundant power infrastructure with integrated UPS units, and a high-end climate control system to guarantee an optimal working environment for the hardware.
For a more detailed view, we refer you to the AWS Security Center.