We take security and privacy matters seriously and have taken measures to protect our customers' data at all times. Our commitment to data protection and care for privacy is reflected in how we design our products, how we implement operational security practices and the technology choices we make.
Security of cloud datacenters
As our primary Infrastructure provider, Rosalyn leverages Amazon Web Services. Rosalyn also implements and attests to its own set of security and privacy policies and practices in addition to the extensive security and privacy considerations implemented by AWS services.
Security for computing
Rosalyn's security model is based on the NIST Cybersecurity Framework (CSF) and SOC 2 Criteria of Security and Confidentiality, with additional controls for compliance with international privacy laws and regulations (EU GDPR, California CCPA, Illinois BIPA, etc.). For the higher education market, Rosalyn specifically targets the HECVAT standard. Rosalyn intends to implement an SOC2 Type 2 audit late in 2022.
For cloud infrastructure controls implementation and verification we leverage a host of AWS security services.
The target security standards used to track progress are
- Center for Internet Security (CIS) AWS Foundations Benchmark standard
- AWS Foundational Security Best Practices
For penetration testing of components deployed into production, Rosalyn works with penetration testing specialist vendors.
Risk Assessments are carried out inside Rosalyn and implementation of mitigations are planned as part of sprints.
All data in production systems inside Rosalyn are also encrypted in flight and at rest using industry standard algorithms such as AES-256 or protocols such as HTTPS, TLS and SSH. All access to production data is logged. For all cloud resources Rosalyn leverages identity and access management for defining user access and policies for fine-grained user and systems access control across all of our hosting systems. All hosting systems are separated by account level access barriers for further layers of security. Rosalyn also provides additional controls and governance capabilities, to further protect our customers' users and data.
Special consideration is given to Personally Identifiable Information (PII). All PII data flows are mapped out throughout development of our systems and clearly documented and understood throughout the organization. Lifecycles for all data, including PII is defined and maintained through established processes in order to comply with applicable regulations including GDPR.
Corporate desktops and laptops are managed by enterprise device management and endpoint protection software.
Business Continuity and Disaster Recovery
All of Rosalyn's software services are available 24 / 7.
All data stores inside Rosalyn are backed up on a continuous basis. Our main database offers global deployment over multiple regions and disaster recovery from region-wide outages. It uses storage-based replication with typical latency of less than 1 second, using dedicated infrastructure that leaves our database fully available to serve application workloads. In the event of a regional degradation or outage, one of the secondary regions can be promoted to read and write capabilities in less than 1 minute.
We currently target a Recovery Time Objective and Recovery Point Objective of under two hours with the goal of reducing this further in Q3 2022.
In accordance with Rosalyn's Business Continuity Policy, the Business Continuity Plan, testing, and procedures are updated and performed annually.
Security Software Development Lifecycle Standard
Through our platform's planning, development, and release processes, security practices are incorporated into the Rosalyn’s Software Development Lifecycle.
Our Security Development Lifecycle follows OWASP guidelines.We contract with industry-leading penetration testing providers to examine our production architecture annually.
In order to provide SSO by any number of Identity Providers (IdPs), Rosalyn supports federated access via SAML 2.0.
Rosalyn's security begins with its employees. Rosalyn implements security controls for its employees and contractors before, during, and after their tenure. Controls include security and privacy training and automated deprovisioning of logical and physical access to Rosalyn resources. Select Rosalyn staff also continuously receive advanced Cybersecurity Awareness Training in collaboration with select training partners.
Our customers' privacy is important to us, and we take it very seriously. We do not sell, share, or export your data to third parties we gather from the use of our platform. As stated in your customer agreement, we only provide data to our sub-processors for use in processing your data. We do not process biometric information, and are compliant with GDPR, and BIPA regulations
We regularly back up your data and target a RTO and RPO of 2 hours.
Users, videos, and other data can be deleted directly from our Compliance Request service. Within X days of terminating a relationship with Rosalyn, all customer data will be removed from our systems.
Rosalyn video and audio recordings are retained according to company policies, with flexible configurations based on how long recordings should be kept before being deleted.
Rosalyn supports customers with organizational requirements around data residency, requiring EU citizen data to reside in the EU.
Third-party audits attest and certify Rosalyn's security, data privacy, and compliance controls to help meet customers' legal, regulatory, and organizational policy requirements. Biometric information is not processed by us