Information Security Program FAQ

Have questions about our Information Security Program? While all the information can be found within these pages, we’ve highlighted the most frequently asked questions. We’ll also draw your attention to our Cloud Security Alliance STAR questionnaires for Resolver Core and Perspective. These documents contain the answers to 300 commonly asked InfoSec questions and should address any questions about our program.

Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?

Yes. At least annually, or for product releases which introduce major architecture changes, manual penetration testing is performed by external certified experts. Additionally, monthly application, network and OS-level vulnerability scans are automatically performed on all versions on staging environments, and on production and pre-production versions of the software. All issues are addressed before production deployment or, as defined per internal risk assessment, within Resolver’s mitigation time frame.


Do you conduct network and/or application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?

Yes. On a monthly basis, we perform automated vulnerability tests on various aspects of the Resolver Core environments, utilizing a cloud-based vulnerability management platform comprised of:

  • Agent-based host vulnerability scan
  • Advanced Network Scan
  • Web application scan

In addition, at least annually, or for product releases which introduce major architecture changes, external third-party penetration testing is performed before public release.

All findings are reviewed and addressed by Resolver’s Security, Dev, DevOps, and management teams before production release or, as defined per internal risk assessment, within Resolver’s required mitigation time frame.

Penetration test executive summaries and Resolver responses to findings are made available to customers under NDA, upon written request.

Are the results of the penetration tests available to tenants at their request?

Yes.

Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant’s data?

Yes. Customer data is logically segmented into unique customer tables; in addition, our approach to database encryption is holistic and comprehensive (AES 256).

Do you have the capability to recover data for a specific customer in the case of a failure or data loss?

Yes. Resolver leverages the managed AWS RDS PostgreSQL service. Backups are performed daily and provide the ability to roll back to any point in time within the last 30 days.

Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?

Yes. This capability is defined by AWS Regions and is available upon customer request and under specific agreement terms.

Do you provide tenants with geographically resilient hosting options?

Yes. All production environments utilize multiple AWS Availability Zones (AZs) within an AWS Region to provide geographic resiliency. An AZ is a logical data center in an AWS Region. Each AZ has redundant and separate power, networking and connectivity to reduce the likelihood of two zones failing simultaneously. For reference, see the Resolver Core Deployment Diagram.

Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance?

Yes. Reference is available here.

Do you encrypt tenant data at rest (on disk/storage) within your environment?

Yes, using the AES 256 symmetric encryption algorithm.

Do your information security and privacy policies align with industry standards (ISO-27001, ISO-22307, CoBIT, etc.)?

Yes. Please refer to our SOC 2 report, available under NDA.

Do you provide a formal, role-based, security awareness training program for cloud-related access and data management issues (e.g., multi-tenancy, nationality, cloud delivery model, segregation of duties implications, and conflicts of interest) for all persons with access to tenant data?

Yes. As part of the onboarding process, all employees are required to complete security awareness training. In addition, all developers are required to complete annual Secure Coding Awareness Training. Please refer to our SOC 2 report, an independent third-party assessment of Resolver’s internal processes and programs, available under NDA and upon request.

Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access?

Yes. Resolver utilizes Active Directory and AWS IAM policies for centralized access and identity management.

Do you support identity federation standards (e.g., SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?

Yes. Resolver Core supports SAML 2.0-based web SSO integration for authentication.

Do you publish a list of all APIs available in the service?

Yes. A full list of APIs is available in the application to administrators.