User Data Security
1.1 Company Compliance
Redkix is ISO 27001 certified as a cloud service provider. ISO 27001 is recognized as the premier information security management system (ISMS) standard worldwide. The basis of this certification is the development and implementation of a rigorous security management program, centered on an Information Security Management System (ISMS). This widely recognized and widely respected international security standard also requires certified companies to:
- Systematically evaluate their information security risks, taking into account the impact of security threats and vulnerabilities
- Design and implement a comprehensive suite of information security controls to address those risks
- Implement an overarching audit and compliance management process to ensure that the controls continue to meet their needs on an ongoing basis
1.2 Server Compliance
Redkix data is hosted on highly secure servers that comply with the strictest international and industry-specific standards, including:
- SSAE 16/SOC 1, SOC 2, and SOC 3
- PCI DSS Level 1
- FISMA, DIACAP, FedRAMP, and FIPS 140-2
- HIPAA, Cloud Security Alliance and MPAA
1.3 Transport Security
Redkix runs over HTTPS, using SSL/TLS for data transfer. All connections to Redkix are encrypted with AES-256, the banking-industry standard, and use SHA-2 to ensure data integrity. In addition to anti-tampering controls, a comprehensive audit trail records every transaction together with IP addresses and user information.
The mobile app uses certificate pinning to establish trust with the Redkix server farm. To further protect our users' data, we accept only certificates signed by well-known CAs when communicating with external servers such as Exchange servers.
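The pinning check described above, as an added example that is not Redkix's code: a Go pin set that hashes the SubjectPublicKeyInfo (SPKI) of each certificate the server presents and compares it, in constant time, against the pins shipped with the client. It plugs into tls.Config through VerifyPeerCertificate, so it runs in addition to the normal CA validation rather than replacing it. Pinning the SPKI instead of the whole certificate lets the server farm renew certificates without an app update, as long as the key stays the same, and the pin set carries a backup pin for a key kept offline so that a lost or compromised key does not lock every client out. The keys, certificates, hostname and the PinSet API are constructed for this demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns the base64 SHA-256 digest of the certificate's
// SubjectPublicKeyInfo. Pinning the SPKI rather than the whole certificate
// lets the server rotate certificates without changing the pinned key.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinSet is the set of SPKI pins a client accepts for the server farm.
// It should always hold at least one backup pin for a key kept offline.
type PinSet struct{ pins []string }

func NewPinSet(pins ...string) *PinSet { return &PinSet{pins: pins} }

// Matches reports whether any certificate in the presented chain carries a
// pinned public key (leaf or intermediate, depending on what was pinned).
func (p *PinSet) Matches(chain []*x509.Certificate) bool {
	for _, cert := range chain {
		got := []byte(SPKIPin(cert))
		for _, want := range p.pins {
			if subtle.ConstantTimeCompare(got, []byte(want)) == 1 {
				return true
			}
		}
	}
	return false
}

// VerifyPeerCertificate has the signature tls.Config expects. It runs after
// the standard chain validation (InsecureSkipVerify stays false), so a
// certificate must be both CA-valid and pinned to be accepted.
func (p *PinSet) VerifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	chain := make([]*x509.Certificate, 0, len(rawCerts))
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("pinning: cannot parse peer certificate: %w", err)
		}
		chain = append(chain, cert)
	}
	if !p.Matches(chain) {
		return errors.New("pinning: no certificate in the chain matches a pinned SPKI")
	}
	return nil
}

// NewTestKey and NewTestCert build constructed, self-signed test material;
// a real client would ship its pins inside the app bundle.
func NewTestKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func NewTestCert(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "api.example.invalid"}, // hypothetical host
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	primary, backup, rogue := NewTestKey(), NewTestKey(), NewTestKey()
	pins := NewPinSet(SPKIPin(NewTestCert(primary, 1)), SPKIPin(NewTestCert(backup, 1)))

	// The pin set plugs into the client's TLS configuration.
	cfg := &tls.Config{VerifyPeerCertificate: pins.VerifyPeerCertificate}
	_ = cfg

	reissued := NewTestCert(primary, 2) // same key, new serial: still pinned
	fmt.Println("reissued cert accepted:", pins.Matches([]*x509.Certificate{reissued}))
	fmt.Println("rogue cert accepted:   ", pins.Matches([]*x509.Certificate{NewTestCert(rogue, 1)}))
}
```

Because the comparison is over the SPKI digest, a certificate renewed for the same key (different serial and validity) still matches, while a certificate for any other key is rejected even if a trusted CA issued it; that is exactly the failure mode pinning is meant to catch.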
1.4 User data isolation
Each user's data set is isolated, satisfying our stringent security requirements. Every API call for data access within the Redkix system requires proprietary, tamper-proof auth tokens. Our infrastructure puts strong safeguards in place to protect each user's privacy. Access to data is enforced by our audited user access policy across all server resources.
Each employee who could potentially access user data is required to undergo a security briefing and sign an NDA with our legal team. Redkix has also established multi-factor authentication for privileged accounts, and our ISO 27001 certification validates our commitment to user security and privacy.
User Credentials Security
User credentials are required to access user data. Credentials come in the form of passwords for some server types, such as Exchange, or limited-scope OAuth tokens for others, such as Google Apps. Each user's credentials are double-encrypted: first with a server-side, per-account unique key and then with a client-device unique key.
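The two-layer credential protection described above, as an added example that is not Redkix's code and assumes nothing about their actual scheme beyond the sentence itself: each credential is sealed with AES-256-GCM under the account key and the result is sealed again under the device key, so a stored blob is unreadable to anyone holding only one of the two keys. The account ID goes in as additional authenticated data, which stops a blob from being replayed under another account. The keys, the account ID and the sample password are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key; the same helper stands in for both
// the server's per-account key and the client device's key.
func NewKey() []byte {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	return key
}

// seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad is authenticated but not encrypted; it binds the blob to a context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, nonce, tag or aad do not match.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// contextAAD ties a blob to one account so it cannot be moved to another.
func contextAAD(accountID string) []byte { return []byte("credential:" + accountID) }

// ProtectCredential applies the two layers in the order the page describes:
// the server's per-account key first, then the client device's key.
func ProtectCredential(credential []byte, accountID string, accountKey, deviceKey []byte) ([]byte, error) {
	inner, err := seal(accountKey, credential, contextAAD(accountID))
	if err != nil {
		return nil, fmt.Errorf("account layer: %w", err)
	}
	return seal(deviceKey, inner, contextAAD(accountID))
}

// RecoverCredential peels the layers in reverse; both keys and the matching
// account ID are required, and the first failing layer is reported.
func RecoverCredential(blob []byte, accountID string, accountKey, deviceKey []byte) ([]byte, error) {
	inner, err := open(deviceKey, blob, contextAAD(accountID))
	if err != nil {
		return nil, fmt.Errorf("device layer: %w", err)
	}
	cred, err := open(accountKey, inner, contextAAD(accountID))
	if err != nil {
		return nil, fmt.Errorf("account layer: %w", err)
	}
	return cred, nil
}

func main() {
	accountKey, deviceKey := NewKey(), NewKey() // constructed keys for the demo
	blob, err := ProtectCredential([]byte("constructed-exchange-password"), "acct-42", accountKey, deviceKey)
	if err != nil {
		panic(err)
	}
	cred, err := RecoverCredential(blob, "acct-42", accountKey, deviceKey)
	fmt.Printf("both keys: %q, err=%v\n", cred, err)
	_, err = RecoverCredential(blob, "acct-42", accountKey, NewKey())
	fmt.Println("wrong device key:", err)
}
```

The design point worth noticing is that the server can hold every account key and still not read a single credential at rest, because the outer layer needs a key that only the user's device supplies; a truncated blob, a swapped key or a blob copied to a different account all fail authentication before any plaintext is produced.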
User Data Retention
Some user data is retained in the Redkix system during the lifetime of a user account. A user can choose to completely purge his/her account from the mobile app by deleting the Redkix app from their mobile device. A user can also send an email request to firstname.lastname@example.org to have all of their data wiped from the Redkix servers.
As an ISO 27001 certified company, Redkix uses independent third parties to conduct regular security audits as well as static and dynamic analysis scans. Internally, security audits are regularly performed by a dedicated security team under the supervision of the company's Board. Each IT employee receives regular security training, and all updates and new features are reviewed for security, as security testing is integrated into the application development lifecycle.