Service Agreement

RIDDL SaaS Information Security Principles and Practices

 

Protecting the data and privacy of our customers is a top priority for all of us at RIDDL. This document provides an overview of the practices and technologies in place for safeguarding both at all times—all day, every day.

 

Best Practices

 

All RIDDL employees and contractors agree to an information security policy when they join. This requires committing to a number of best practices including:

 

  • Disk encryption for employee computers
  • Complex and unique passwords for all systems
  • Use of multi-factor authentication for all systems (where supported)

 

We educate our team on social engineering tactics and conduct our own periodic phishing attacks to reinforce constant diligence.

 

Sharing or storing data requires executive approval. No data can be shared beyond the boundaries of a RIDDL-controlled system without explicit data sharing agreements and the approval of the CTO.

 

We require responsible, respectful, and appropriate use of administrative access. When an employee is granted elevated privileges (e.g., administrative access) to any system, that access is limited to the least privilege required to complete the task.

 

Security audits are periodically performed on the RIDDL codebase and system by external security specialists.

 

An internal incident response policy is in effect so every RIDDL employee and contractor has a written process to follow if a security breach or incident is suspected.

 

Technology

 

The RIDDL software runs on the Google Cloud Platform and takes advantage of Google’s world-class security protections.

 

Account credentials are managed by Google Firebase Authentication, which uses password hashing to ensure that actual passwords are never stored.

 

The primary data store is PostgreSQL running on the Google Cloud SQL platform. Direct access to the database is limited to essential admin personnel only.

 

Additional data storage is provided using Google BigQuery and Google Cloud Storage. Again, direct access to these systems is limited to essential admin personnel only.

 

The server-side application layer runs on Google App Engine. It is this server-side application layer that enforces application-level security constraints.

 

The RIDDL system uses a multi-tenant software-as-a-service approach. This means that the data for multiple customers exists within the same database instance and is protected using a tenant ID (at RIDDL, we call this the org_id). All data access is done through a set of core services that strictly enforce org_id boundaries, so that data is accessible only to users within the organization (this includes Cloud SQL, BigQuery, and Cloud Storage data).
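
The sketch below is an added illustration of org_id enforcement in a core data service; it is not RIDDL's code. It assumes a hypothetical documents table and a hypothetical TenantScopedStore class, and uses an in-memory SQLite database with constructed sample rows in place of Cloud SQL.

```python
import sqlite3

class TenantScopedStore:
    """Hypothetical core data service: every statement is bound to one org_id."""

    def __init__(self, conn, org_id):
        # Assumption: org_id comes from the authenticated session,
        # never from request parameters the caller controls.
        self._conn = conn
        self._org_id = org_id

    def list_documents(self):
        rows = self._conn.execute(
            "SELECT id, title FROM documents WHERE org_id = ? ORDER BY id",
            (self._org_id,))
        return rows.fetchall()

    def get_document(self, doc_id):
        # A lookup by primary key alone would cross tenant boundaries.
        # With the org_id predicate, another tenant's id looks like a missing row.
        return self._conn.execute(
            "SELECT id, title FROM documents WHERE id = ? AND org_id = ?",
            (doc_id, self._org_id)).fetchone()

    def rename_document(self, doc_id, title):
        cur = self._conn.execute(
            "UPDATE documents SET title = ? WHERE id = ? AND org_id = ?",
            (title, doc_id, self._org_id))
        self._conn.commit()
        return cur.rowcount == 1  # False when the row is not in this tenant

    def add_document(self, title):
        # The caller cannot choose org_id; the service stamps it on every row.
        cur = self._conn.execute(
            "INSERT INTO documents (org_id, title) VALUES (?, ?)",
            (self._org_id, title))
        self._conn.commit()
        return cur.lastrowid

def demo_db():
    """Constructed sample data: two tenants sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY,"
                 " org_id TEXT NOT NULL, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO documents (org_id, title) VALUES (?, ?)",
                     [("org_a", "A roadmap"), ("org_b", "B pricing"),
                      ("org_a", "A notes")])
    conn.commit()
    return conn
```

Because reads, writes, and inserts all pass through the same scoped object, a forgotten filter in one handler cannot expose another organization's rows.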