Overview

At Rasayel, protecting our customers’ data is a top priority. This Security Policy outlines the technical and organizational controls we have in place across our platform to prevent unauthorized access, misuse, alteration, or disclosure of customer data. Rasayel’s infrastructure is built on Amazon Web Services (AWS), and unless stated otherwise, the practices described below refer to our AWS-based environment. We also encourage you to read our Terms of Service and Privacy Policy to learn more about how we operate.

Best Practices

Incident Response Plan

• Rasayel has a formal process for security events and have trained our engineers and employees on these processes.
• We have a set of Engineers always on-call. In case of a security event, immediate escalation to the on-call team happens, the team is paged and coordinated efforts are done to contain and resolve the issue quickly.
• We conduct a detailed post-incident analysis after each event.
• These reports are reviewed internally and shared across the company, accompanied by follow-up actions to improve our ability to detect and prevent similar events in the future.
• In the event of a confirmed security breach that impacts your data, Rasayel will notify you promptly via email and we will provide updates on our status page. The notice will include details about the breach and our ongoing investigation.

Build Process Automation

• We have functioning, frequently used automation in place using modern CI tools and methods, so that we can safely and reliably rollout changes to our application within minutes.
• We typically ship code to production numerous times per day, so we have high confidence that we can get a security fix out quickly when required.
• We use modern IaC platforms to ensure changes to our infrastructure are always monitored and reviewed thoroughly.

Code Reviews

• Any new changes to our application or infrastructure has to go through a rigorous code review process. Deploying new code is always blocked until different team members have went through the changes to ensure no security threats are shipped to production.

Infrastructure

• All of Rasayel’s systems are hosted entirely on cloud infrastructure provided by AWS. We do not manage or maintain physical hardware such as servers, routers, or DNS infrastructure.
• Our systems and customer data are hosted on AWS data centers, which are protected by AWS security. More information can be found at: http://aws.amazon.com/security/sharing-the-security-responsibility.
• All of our infrastructure is spread across 3 AWS data centers (availability zones) and will continue to work should any one of those data centers fail unexpectedly. Amazon does not disclose the location of its data centers. As such, Rasayel builds on the physical security and environmental controls provided by AWS. See http://aws.amazon.com/security for details of AWS security infrastructure.
• All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorized requests getting to our internal network.
• Rasayel uses a backup solution for datastores that contain customer data.

Data

• Rasayel’s platform and customer data are hosted in AWS’s US-based data centers (us-east-1).
• Customer data is stored in multi-tenant datastores; we do not have individual datastores for each customer. However strict privacy controls exist in our application code that are designed to ensure data privacy and to prevent one customer from accessing another customer’s data (i.e., logical separation). We have many unit and integration tests in place to ensure these privacy controls work as expected. These tests are run every time our codebase is updated and even one single test failing will prevent new code being shipped to production.

Data Transfer

• All data sent to or from Rasayel is encrypted in transit using 256-bit encryption.
• Our API and application endpoints are TLS/SSL only. This means we only use strong cipher suites. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.
• All payment instrument processing for purchase of the Rasayel services is performed by Stripe. For more information on Stripe’s security practices, please see https://stripe.com/docs/security/stripe.

Authentication

• Rasayel is completely served over HTTPS, following modern security best practices.
• We have two-factor authentication (2FA) and strong password policies on all of the services we use like AWS, Elastic, GitHub, and Rasayel to ensure access to cloud services are protected.
• Best practices for access management and control are implemented over our infrastructure on AWS and Elastic to prevent unauthorized access to our infrastructure.

Application Monitoring

• On an application level, we produce logs for all network activity, ship logs to our service providers for analysis, and use AWS S3 for archival purposes.
• All access to Rasayel applications is logged and audited.
• Access to infrastructure by personnel is guarded by bastion hosts to ensure secure entry points.

Customer Responsibilities

• Managing your internal user accounts and access roles within the Rasayel platform.
• Protecting your own account and user credentials for all of your employees accessing the Rasayel services.
• Compliance with the terms of your services agreement with Rasayel, including with respect to compliance with laws.
• Immediately notifying Rasayel if user credentials are suspected to be compromised or if there are any concerns about potential security threats to your account or the Rasayel platform.
• You may not perform any security penetration tests or security assessment activities without the consent of Rasayel.