What is an overview of ReviewStudio’s information and cybersecurity infrastructure?

All our infrastructure is hosted on Amazon Web Services (AWS), and our technical measures follow the AWS compliance programs described at https://aws.amazon.com/compliance/.

AWS data center security controls are described at https://aws.amazon.com/compliance/data-center/controls/.

All data is processed and stored on AWS servers and S3 storage located in the US East (N. Virginia) Region (us-east-1).

In addition to the AWS compliance controls, ongoing hardening is implemented through OS upgrades, Rails framework upgrades, and ongoing security scans by Cloud 66.

All data in transit to and from our platform is protected with HTTPS (TLS). Data at rest is not encrypted. Passwords are the one exception in that they are never stored in a recoverable form at all: they are stored only as bcrypt hashes.

Our corporate offices are monitored 24/7 and require authenticated keys for access. Guests must register with reception and be accompanied by staff to gain entry to any secured location.

What type of customer data does ReviewStudio store? Does ReviewStudio store any Personally Identifiable Information (PII)?

The only Personally Identifiable Information we store is each user's name and email address, which are needed to authenticate their access to the platform (a phone number is optional for the primary account admin). For security and auditing purposes we also store IP addresses, but they are masked.

Beyond that, we store the media files that customers upload to the platform to share with other users for review and approval. Users have full control over how and with whom these files are shared. If the customer opts for online billing, we also store the company name and the billing information required to process credit card charges and issue invoices; credit card details are not stored on our systems but are held by our payment processor, Stripe.

For reference, here are our Privacy Policy and Terms of Service.

What cyber security best practices are used by ReviewStudio?

We use the following best practices to secure the application:

  • Firewalls are in place to prevent unauthorized access.
  • Access to sensitive data is limited according to each user’s permissions.
  • Patches are applied on a predefined schedule, depending on the severity.
  • Backups are done (at least) on a daily basis.

Does ReviewStudio operate its own Security Operations Centre (SOC) and/or have an outsourced Managed Security Service Provider (MSSP)?

We manage our own security.

Does ReviewStudio maintain a business continuity and disaster recovery plan, and how often is the plan tested?

Yes. We have a comprehensive plan in place that is tested annually.

What is ReviewStudio’s Recovery Time Objective (RTO), defined as the maximum target period IT functionality may be lost due to an incident for critical systems?

Our SLA offers a 99.99% uptime guarantee, which we have not missed in the past 5 years. Any service interruption triggers 24/7 alerts that the team responds to as a matter of urgent priority.

Does ReviewStudio maintain an alternate backup IT facility?

Yes – this is supported through AWS.

What frequency is critical operational data backed up?

The database is backed up daily. Other critical data is backed up hourly.

Does the organization implement standard secure configuration images for operating systems and software applications?

We use the OS images provided through AWS.

Do standard secure configurations for operating systems and software applications incorporate industry recognized security hardening techniques (e.g., Centre for Internet Security (CIS) Security Configuration Benchmarks or NIST security configuration checklists, NCSC, etc.)?

Our OS and applications hardening is managed through AWS.

Is there a change management process for standard secure configurations to track changes and ensure only authorized changes are made to the configuration?

Our configurations are based on AWS defaults. Before any changes are made to our infrastructure, we validate them in staging before applying them in production.

Are secure configurations validated and refreshed on a regular basis (at least quarterly), including updates to safeguard assets against current vulnerabilities and attack vectors?

We have processes in place to check our code for possible vulnerabilities. For the OS, we use the images provided and managed by AWS.

Are the development, testing, and production IT environments separated?

All environments are separated. Before any changes go to production they are first validated in development and staging environments.

Are system logs reviewed and at what interval?

We review system logs on a weekly basis or whenever suspicious activity triggers alerts.

What is ReviewStudio’s patch management policy?

Critical patches are applied immediately. Non-critical patches are usually applied within 2 weeks of release.

In which geographic region is data held?

US East (N. Virginia) Region (us-east-1)

Is data encrypted at rest and to what standard do the encryption tools meet?

Data at rest is not encrypted. Passwords are never stored in clear text; they are stored only as bcrypt hashes.

Does ReviewStudio have a Chief Information Security Officer (CISO), Chief Security Officer (CSO) or functional equivalent?

Information Security is managed by our Director of Development, Cristiano Rocha (cristiano(at)reviewstudio.com).

Physical address:
376 av. Victoria #200
Westmount, Québec
H3Z 1C3
Canada

This Policy was last updated on Mar 13, 2023