Resolver System Description

SECURITY OVERVIEW

The description of Resolver’s system throughout the period of October 1, 2019 through September 30, 2020, pursuant to Reporting on Service Organization Controls 2 (SOC 2) Type 2 examination performed under AT-C 105 and AT-C 205 and HIPAA/HITECH requirements.

OVERVIEW OF OPERATIONS

Company Background

Resolver provides applications to address security, compliance, and risk requirements for over 1,000 of the largest organizations in the world. Resolver’s software includes applications such as Incident Reporting, Command Center, Investigations & Case Management, Risk Assessment, Enterprise Risk Management, Internal Audit, Compliance, and Internal Control.

Resolver has over 220 employees across its North American offices and supports customers across 40 countries.

The company is structured functionally. Sales, Marketing, Finance & Operations, HR, Product Management, Professional Service, Customer Success and Development report to the CEO. Development includes sub-teams devoted to Development, Quality, Information Security and DevOps. Professional Service includes sub-teams devoted to Customer Service, Consulting Services and Business Development, and Solution Engineering.

Description of Services Provided

Resolver Core

Resolver’s Integrated Risk, Governance and Compliance Management platform helps organizations plan and prepare so as to limit the likelihood or impact of events; this includes:

  • Risk assessments
  • Enterprise Security Risk Management (ESRM)
  • Compliance Management
  • Internal Audit Management
  • Internal Control (SOX Compliance)
  • Business Continuity Management
  • Incident Management
  • Investigations & Case Management
  • Process, risk and control documentation
  • Audit work papers
  • Control testing results
  • Compliance requirements and assessments
  • Corporate investigations and case files
  • Asset lists
  • Person information, potentially including personally identifiable information
  • Patient information, including potentially personal health information
  • Standard operating procedures

Perspective (PSV)

Perspective supports the response and recovery process when an event does occur, including:

  • Incident Investigations, Response and Reporting
  • Corporate investigations and case files
  • Risk assessments
  • Enterprise Security Risk Management (ESRM)
  • Security Operations Center
  • Asset lists
  • Person information, potentially including Personally Identifiable Information (PII)
  • Patient information, including potentially Personal Health Information (PHI)
  • Security guard activities
  • Standard operating procedures

RiskVision

The RiskVision Information Security Platform protects clients’ data from cyber attacks and data breaches and helps organizations understand their information systems, through:

  • IT Risk Management
  • Threat and Vulnerability Management
  • Vendor Risk Management
  • Process, risk and control documentation
  • Risk assessments
  • Audit work papers
  • Control testing results
  • Compliance requirements and assessments

GRC Cloud

GRC Cloud houses data predominantly pertaining to risk and compliance. It contains highly confidential customer information relating to some or all of the following:

  • Process, risk and control documentation
  • Risk assessments
  • Audit work papers
  • Control testing results
  • Compliance requirements and assessments

GAL

GAL houses data pertaining to business continuity, crisis and emergency. It contains highly confidential customer information relating to some or all of the following:

  • Disaster Recovery
  • Business continuity plans
  • Crisis Planning
  • Emergency Response
  • Incident data
  • Asset lists
  • Person information, potentially including personally identifiable information

WRM

WRM houses data predominantly pertaining to risk and compliance. It contains highly confidential customer information relating to some or all of the following:

  • Process, risk and control documentation
  • Risk assessments
  • Audit work papers
  • Control testing results
  • Compliance requirements and assessments

Principal Service Commitments and System Requirements

Resolver designs its processes and procedures related to Global Alert Application, Risk Vision Application, WRM Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application, to meet its objectives for its Global Alert Application, Risk Vision Application, WRM Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application services. Those objectives are based on the service commitments that Resolver makes to user entities, the laws and regulations that govern the provision of Global Alert Application, Risk Vision Application, WRM Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application services, and the financial, operational, and compliance requirements that Resolver has established for the services. The Global Alert Application, Risk Vision Application, WRM Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application services of Resolver are subject to the security and privacy requirements of the Health Insurance Portability and Accountability Act Administrative Simplification, as amended, including relevant regulations, as well as state privacy security laws and regulations in the jurisdictions in which Resolver operates.

Security commitments to user entities are documented and communicated in Service Level Agreements (SLAs) and other customer agreements, as well as in the description of the service offering provided online. Security commitments are standardized and include, but are not limited to, the following:

Security principles within the fundamental designs of Global Alert Application, Risk Vision Application, WRM Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application services, that are designed to permit system users to access the information they need based on their role in the system while restricting them from accessing information not needed for their role.

Use of encryption technologies to protect customer data both at rest and in transit.

Resolver establishes operational requirements that support the achievement of security commitments, relevant laws and regulations, and other system requirements. Such requirements are communicated in Resolver’s system policies and procedures, system design documentation, and contracts with customers. Information security policies define an organization-wide approach to how systems and data are protected. These include policies around how the service is designed and developed, how the system is operated, how the internal business systems and networks are managed and how employees are hired and trained. In addition to these policies, standard operating procedures have been documented on how to carry out specific manual and automated processes required in the operation and development of Global Alert Application, Risk Vision Application, WRM Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application services.

Components of the System

Infrastructure

The Risk (Core, WRM), Audit (Core, WRM), Compliance (Core, GRC Cloud, WRM), Controls and Incident Management (Core, Perspective), Business Continuity & Disaster Recovery (GAL), Crisis & Emergency (GAL), Threat and Vulnerability (RiskVision) and IT Risk & Compliance (RiskVision) Management systems consist of six distinct software application platforms:

Resolver Core, Perspective, GAL, RiskVision, GRC Cloud and WRM. Each application is deployed in one or more AWS and/or Rackspace regions.

Primary infrastructure used to provide Resolver’s Global Alert Application, Risk Vision Application, WRM Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application services system includes the following:

AWS Region           | Resolver Core | PSV                                                                              | RiskVision
AWS USA              | Core stack*   | Windows Server 2016, IIS, .Net, SQL Server 2016 Enterprise; Security in Depth** | NA
AWS Europe (Germany) | Core stack*   | Windows Server 2016, IIS, .Net, SQL Server 2016 Standard; Security in Depth**   | NA
AWS Canada           | Core stack*   | Windows Server 2016, IIS, .Net, SQL Server 2016 Standard; Security in Depth**   | Windows Server 2016, IIS, .Net, SQL Server 2016 Standard; Security in Depth**
AWS Australia        | Core stack*   | NA                                                                               | NA
AWS UK               | Core stack*   | NA                                                                               | NA
Rackspace USA        | NA            | NA                                                                               | Windows Server 2016, Apache HTTP Server, Tomcat and Jetty application servers, PostgreSQL DB and MySQL DB; Security in Depth**

Core stack* = Amazon ECS managed immutable containers, instances of Docker images built from the latest release of Alpine Linux, with Node.js, ElastiCache Redis, PostgreSQL RDS and RabbitMQ; Security in Depth approach is implemented**.

* Core environment: Core platform services run inside an Amazon ECS (container management service) cluster deployed in at least two (2) separate AWS Availability Zones (AZ), as immutable containers, instances of Docker images built on the latest release of Alpine Linux, with no services other than the Resolver application available and/or running.

Alpine Linux was designed with security in mind, simplicity, and resource efficiency. It uses a hardened kernel and compiles all user-space binaries as Position Independent Executables (PIE) with stack-smashing protection.

Each ECS cluster member runs a Docker container for every Core microservice.
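The PIE and stack-smashing-protection claims made for the Alpine-based Core images (stated here and again under the development paragraph later in this section) can be verified against the binaries shipped inside an image. The checker below is an added example, not Resolver’s tooling; it parses ELF64 little-endian files (what x86-64 and aarch64 containers ship), and the two sample images it builds for offline use are constructed, not real binaries.

```python
"""Audit ELF binaries for the two hardening properties claimed for the
Alpine-based Core containers: PIE (ELF type ET_DYN) and stack-smashing
protection (a reference to __stack_chk_fail in a symbol table). Added example,
not Resolver's tooling; assumes ELF64 little-endian images (x86-64, aarch64)."""
import struct
import sys
from dataclasses import dataclass
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # e_type: fixed-address executable / PIE or shared object
SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11
CANARY_SYMBOLS = {b"__stack_chk_fail", b"__stack_chk_fail_local"}


@dataclass
class Hardening:
    pie: bool
    stack_protector: bool


def _cstr(data: bytes, off: int) -> bytes:
    """Read a NUL-terminated name from a string table."""
    return data[off:data.index(b"\x00", off)]


def _section_headers(data: bytes) -> list:
    """Return (type, offset, size, link, entsize) for every Elf64_Shdr."""
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    headers = []
    for i in range(e_shnum):
        # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
        f = struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        headers.append((f[1], f[4], f[5], f[6], f[9]))
    return headers


def analyse(data: bytes) -> Hardening:
    """Report PIE and stack-protector evidence for one ELF image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (e_type,) = struct.unpack_from("<H", data, 0x10)
    pie = e_type == ET_DYN      # shared libraries are ET_DYN too; for an executable it means PIE
    # A canary-protected binary references __stack_chk_fail. Absence only shows that no
    # function in this binary was instrumented, so treat it as a finding to follow up.
    stack_protector = False
    headers = _section_headers(data)
    for sh_type, sh_off, sh_size, sh_link, sh_entsize in headers:
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or sh_entsize == 0:
            continue
        strtab_off = headers[sh_link][1]        # sh_link points at the matching string table
        for sym_off in range(sh_off, sh_off + sh_size, sh_entsize):
            (st_name,) = struct.unpack_from("<I", data, sym_off)   # Elf64_Sym.st_name
            if _cstr(data, strtab_off + st_name) in CANARY_SYMBOLS:
                stack_protector = True
    return Hardening(pie, stack_protector)


def sample_elf(e_type: int, with_canary: bool) -> bytes:
    """Constructed minimal ELF64 image (header, strtab, dynsym, section headers) for offline use."""
    strtab = b"\x00__stack_chk_fail\x00" if with_canary else b"\x00puts\x00"
    strtab_off = 64
    dynsym_off = strtab_off + len(strtab)
    # Elf64_Sym: name, info, other, shndx, value, size; entry 0 is the null symbol
    dynsym = struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0) + struct.pack("<IBBHQQ", 1, 0x12, 0, 0, 0, 0)
    shoff = dynsym_off + len(dynsym)
    shdr = "<IIQQQQIIQQ"
    sections = (struct.pack(shdr, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
                + struct.pack(shdr, 0, SHT_STRTAB, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0)
                + struct.pack(shdr, 0, SHT_DYNSYM, 0, 0, dynsym_off, len(dynsym), 1, 1, 8, 24))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)      # ELF64, little-endian, version 1
    # Elf64_Ehdr tail: type, machine (x86-64), version, entry, phoff, shoff, flags,
    # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return header + strtab + dynsym + sections


def main(argv: list) -> int:
    """Check files named on the command line, or the constructed samples."""
    images = {p: Path(p).read_bytes() for p in argv[1:]} or {
        "constructed-pie-with-canary": sample_elf(ET_DYN, True),
        "constructed-exec-no-canary": sample_elf(ET_EXEC, False)}
    bad = 0
    for name, data in images.items():
        h = analyse(data)
        bad += not (h.pie and h.stack_protector)
        print(f"{name}: PIE={h.pie} stack_protector={h.stack_protector}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the binaries extracted from a container image (for example `python check_elf.py /usr/bin/node`) and a non-zero exit code flags any file that is not PIE or shows no canary reference.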

For more information about AWS ECS please see: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_instances.html

** “Security in Depth” approach means the use of all available Security mechanisms in the different layers of the application deployment infrastructure to minimize potential attack vectors by creating multiple layers of protection in case one mechanism fails.

Since Resolver uses Amazon Web Service (AWS) hosting and deploys production environments using the AWS VPC service, the following AWS security features are used.

Network-level security controls and mechanisms (Layer 4 of the OSI model):

  • Separation of public-facing and private networks
  • Network Access Control Lists (ACLs) (AWS firewall)
  • VPC Security Groups

Application (HTTP/HTTPS) level mechanisms (Layer 7 of OSI Model):

  • ALB (Application Load Balancer)
  • AWS Web Application Firewall (WAF)
  • Resolver Application Level Authentication control
  • Resolver Application Level RBAC based Authorization control

OS infrastructure level mechanisms (Layer 4/5/6/7 of OSI Model):

  • Antivirus
  • Antimalware
  • Intrusion detection system (IDS)
  • OS Firewall / IPsec Policy / IPtables mechanisms

The Risk (Core, WRM), Audit (Core, WRM), Compliance (Core, GRC Cloud, WRM), Controls and Incident Management (Core, Perspective), Business Continuity & Disaster Recovery (GAL), Crisis & Emergency (GAL), Threat and Vulnerability (RiskVision) and IT Risk & Compliance (RiskVision) Management applications are developed and supported internally. Resolver operates the internally developed web and application services on Windows Server 2016 Standard, with Resolver Core services running inside Amazon Elastic Container Service (ECS), a container management service, as immutable containers: instances of Docker images built on the latest release of Alpine Linux, with no services other than the Resolver application available and/or running.

Alpine Linux was designed with security in mind, simplicity, and resource efficiency. It uses a hardened kernel and compiles all user-space binaries as PIE with stack-smashing protection.

The database environment is Microsoft SQL Server 2016 Standard and/or Microsoft SQL Server 2016 Enterprise running on Windows Server 2016 Standard operating systems, as well as the AWS PostgreSQL Relational Database Service (RDS) managed service and MySQL.

Security Infrastructure

Logical access security software, infrastructure, and architectures have been implemented to support identification and authentication of authorized internal and external users; restriction of authorized internal and external user access to system components, or portions thereof, authorized by management, including hardware, data, software, mobile devices, output, and offline elements; and prevention and detection of unauthorized access to meet the entity’s commitments and system requirements as they relate to security and availability.

Software

Primary software used to provide Resolver’s Global Alert Application, Risk Vision Application, WRM Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application services system includes the following:

Software   | Operating System | Purpose
Box        | Linux Server     | File storage
Jira       | Linux Server     | Development and change management
Bitbucket  | Linux Server     | Source control
GitLab     | Linux Server     | Source code management and continuous integration
Confluence | Linux Server     | Content collaboration: document/wiki pages
BambooHR   | Linux Server     | HR system

People

There are multiple departments involved in the technical development, delivery and operations of the Risk, Audit, Compliance, Controls and Incident Management applications. These groups are led by the Chief Technology Officer (CTO) & Chief Information Security Officer (CISO), VP Professional Services and Chief Information Officer (CIO) who report to the CEO.

Department          | Function
Product Management  | Consults with customers, prospects and subject matter experts to design the Risk, Audit, Compliance, Controls and Incident Management applications. Works with Development to build the applications.
Development         | Builds the Risk, Audit, Compliance, Controls and Incident Management applications.
Quality Engineering | Performs all functional, integration and performance testing and assures quality for the Risk, Audit, Compliance, Controls and Incident Management applications.
DevOps              | Manages Production and Staging environments, performs all required monitoring, incident management and maintenance.
InfoSec             | Manages information security across the company. Ensures customer data is protected and security controls are adequate, properly designed and functioning effectively.
Customer Service    | Provides end user support and first level incident triage.

Data

Resolver Core

Resolver Core houses data pertaining to security and risk. It contains highly confidential customer information relating to some or all of the following:

  • Process, risk and control documentation
  • Risk assessments
  • Audit work papers
  • Control testing results
  • Compliance requirements and assessments
  • Incident data
  • Corporate investigations and case files
  • Asset lists
  • Person information, potentially including personally identifiable information
  • Patient information, including potentially personal health information

All data is housed in a PostgreSQL RDS database or an S3 bucket for file uploads. All data and files are encrypted at rest using an AES-256 algorithm and in transit using Transport Layer Security (TLS) 1.2. Users can only interact with the data through the web user interface (WUI) or the REST API. Users must possess valid login credentials with proper authorization to access the data through either mechanism.

All data interactions through the WUI also flow through the REST API. All data access occurs through the REST API. Administrative users have an additional option to upload data through an Excel data import tool. The Excel data import tool also uses the REST API to upload data.

Users may export data they are authorized to access by running a report and exporting the result to Excel.

Perspective

Perspective houses data pertaining to security and investigations. It contains highly confidential customer information relating to some or all of the following:

  • Incident data
  • Corporate investigations and case files
  • Asset lists
  • Person information, potentially including Personally Identifiable Information (PII)
  • Patient information, including potentially Personal Health Information (PHI)
  • Security guard activities
  • Standard operating procedures

All data is housed in a Microsoft SQL Server database. Data is encrypted at rest using an AES-256 algorithm and in transit using TLS 1.2. Users can only interact with the data through the user interface (UI) or the REST API. Users must possess valid login credentials with proper authorization to access the data through either mechanism. To use the API, users must request and possess an additional authorized key.

Users may export data they are authorized to access by running a query in the UI and exporting the result to Excel.

RiskVision

RiskVision houses data predominantly pertaining to risk and compliance. It contains highly confidential customer information relating to some or all of the following:

  • Process, risk and control documentation
  • Risk assessments
  • Audit work papers
  • Control testing results
  • Compliance requirements and assessments

All transactional data is housed in a MySQL Server database. Data is encrypted at rest using an AES-256 algorithm and in transit using TLS 1.2. Transactional data is denormalized and stored in a separate reporting data warehouse. Users can only interact with the data through the web user interface (WUI) or through a Business Intelligence (BI) tool connected to the data warehouse. Users must possess valid login credentials with proper authorization to access the data through either mechanism.

Administrative users have an additional option to upload data through an Excel data import tool.

Users may export data they are authorized to access by running a report and exporting the result to Excel.

GAL

GAL houses data pertaining to business continuity, crisis and emergency. It contains highly confidential customer information relating to some or all of the following:

  • Disaster Recovery
  • Business continuity plans
  • Crisis Planning
  • Emergency Response
  • Incident data
  • Asset lists
  • Person information, potentially including personally identifiable information

All transactional data is housed in a Microsoft SQL Server database. Data is encrypted at rest using an AES-256 algorithm and in transit using TLS v1.1 and TLS v1.2. Users can only interact with the data through the web user interface (WUI), and must possess valid login credentials with proper authorization to access the data through it.

Users may export data they are authorized to access by running a report and exporting the result to CSV.

GRC Cloud

GRC Cloud houses data predominantly pertaining to risk and compliance. It contains highly confidential customer information relating to some or all of the following:

  • Process, risk and control documentation
  • Risk assessments
  • Audit work papers
  • Control testing results
  • Compliance requirements and assessments

All transactional data is housed in a Microsoft SQL Server database. Data is encrypted at rest using an AES-256 algorithm and in transit using TLS 1.2. Transactional data is denormalized and stored in a separate reporting data warehouse. Users can only interact with the data through the web user interface (WUI) or through a Business Intelligence (BI) tool connected to the data warehouse. Users must possess valid login credentials with proper authorization to access the data through either mechanism.

Administrative users have an additional option to upload data through an Excel data import tool.

Users may export data they are authorized to access by running a report and exporting the result to Excel.

WRM

WRM houses data predominantly pertaining to risk and compliance. It contains highly confidential customer information relating to some or all of the following:

  • Process, risk and control documentation
  • Risk assessments
  • Audit work papers
  • Control testing results
  • Compliance requirements and assessments

All transactional data is housed in a Microsoft SQL Server database. Data is encrypted at rest using an AES-256 algorithm and in transit using TLS 1.2. Transactional data is denormalized and stored in a separate reporting data warehouse. Users can only interact with the data through the web user interface (WUI) or through a Business Intelligence (BI) tool connected to the data warehouse. Users must possess valid login credentials with proper authorization to access the data through either mechanism.

Administrative users have an additional option to upload data through an Excel data import tool.

Users may export data they are authorized to access by running a report and exporting the result to Excel.

Hosted Data Access

All customer hosted data is treated equally as confidential. Resolver does not access the data except when granted permission by a customer for troubleshooting purposes.

Customers own their data and are responsible for the input of data into the system. Data classification is the responsibility of the customer. Resolver does not have knowledge of, or access to, the data to know what it contains, including PII and/or PHI data. If required, customers should have Complementary End User Controls for privacy and health information.

User authorization is the responsibility of the customer. Customers must ensure role-based permissions and memberships are appropriate to the users to which they have been assigned.

Privacy Commitments

The following excerpt is from Resolver’s privacy policy taken directly from Resolver’s website.

1. Resolver values Your Privacy

This Privacy Statement (the “Statement”) governs all aspects of how RESOLVER INC. and its affiliates (collectively “Resolver”, “We”, “Us” or “Our”) collects, uses, maintains, discloses and processes Personal Data (as defined below) from prospects, customers, suppliers, business partners and other individuals (“Users”, “You” or “Your” and similar words).

By accessing a Resolver website, registering for events, downloading content, obtaining information from Us, communicating with Us via e-mail, in person or through Our websites (or service providers’ websites on our behalf) or information volunteered by You and/or by using any Resolver software (“Software”), You agree to the terms of this Statement.

We are committed to protecting the confidentiality, integrity and security of all Personal Data entrusted to Us by You. Resolver has prepared this Statement to inform You of Our policy and practices concerning the collection, use, disclosure and processing of Personal Data.

2. Personal Data that We collect

We, from time-to-time, may collect information relating to an identified or identifiable natural person (“data subject”) who can be identified, directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (“Personal Data”).

This includes Personal Data:

  1. that You provide to Us or one of our service providers about You (in which case, We are a data controller) or about other Users, where You are permitted to do so pursuant to applicable law (in which case, We are a data processor); or
  2. collected electronically about how You use a Resolver website or Our Software, via “cookies” or through Your use of any of Our Software.

“Cookies” are files or pieces of information that may be stored in Your computer’s hard drive when You visit a Resolver website or use Our Software. Cookies are also used to remember that You may have already provided Personal Data to Us and as a result, they help speed up Your future activities when accessing Our websites or Our Software. We share some Personal Data obtained through cookies with third parties that provide certain services, including marketing automation services, to Us. Most Internet browsers are initially set to accept cookies. If You do not wish to accept cookies, You can set Your Internet browser to refuse cookies or to alert You when cookies are being sent.

You may have received a unique client ID and created a password in order to use Our Software. You are requested not to divulge Your client ID or password to anyone other than Your own personnel or Our personnel and then only for the purpose of permitting Our personnel to provide services to You.

In addition to cookies and Personal Data You provide to Us, We may collect other information about (i) Your visits to Our websites; and (ii) Your access to Our Software. For example, We may collect information about Your computer, such as Your IP address; the type of Internet browser You are using; the type of computer operating system You are using; the domain name of the websites from which You linked to Our websites; and usage statistics in relation to Your use of Our Software. This information will only be collected for planning, forecasting and/or evaluation purposes.

Please note that this Statement does not cover aggregated and/or anonymized data from which the identity of data subject cannot be determined. We retain the right to use any aggregated/anonymized data in any way that We determine appropriate.

We have no control over the content of third-party websites that may be identified on Our websites or, if applicable, accessed through hyperlinks.

3. Your Consent

Your provision of Personal Data to Us means that You agree and consent that We may collect, use, disclose and process Personal Data that You provide in accordance with this Statement. If You do not agree with these terms, You are requested not to provide any Personal Data to Us. Certain services can only be offered if You provide Personal Data to Us and/or You may not be able to access any of Our Software. Consequently, if You choose not to provide Us with any required Personal Data, We may not be able to offer You certain services or You may not be able to access any of Our Software.

4. How We Use Personal Data

We may, from time-to-time, use Personal Data that We collect from You (including through Our Software) or that You provide to Us to:

  1. contact You directly regarding Our products, services and events;
  2. provide You with proper access to and use of Our Software;
  3. help You use Our Software;
  4. contact You to provide customer service support;
  5. research the effectiveness of Our corporate websites and Our marketing, advertising and sales efforts;
  6. keep You informed and up-to-date with Our products and services and events; and
  7. sell or market Our products and services to You.

Our use of Personal Data is limited to these purposes. Unless permitted by law, no Personal Data about a User is collected, without an appropriate entity first obtaining the consent of the data subject to the collection, use, dissemination or processing of that information.

5. Disclosure of Personal Data

We will use Personal Data collected from You and Users for internal purposes only. We may disclose Personal Data to organizations that perform services on Our behalf (“Service Providers”). Service Providers include sub-processors and authorized resellers of Our products and services. We shall take reasonable and appropriate steps to ensure that Personal Data provided to Service Providers (including, using standard contractual clauses, as appropriate) is processed only for the purposes of providing services to Us, under Our instruction and in a manner consistent with the relevant principles articulated in this Statement.

Please note that there are circumstances where the use or disclosure of Personal Data may be justified or permitted or where We are obliged to disclose information without consent. Such circumstances may include:

  1. Where We believe in good faith that the law requires it;
  2. Where We believe, upon reasonable grounds, that it is necessary to protect the rights, privacy, safety or property of an identifiable person or group;
  3. Where it is necessary to protect Our rights or property and collect any money owing;
  4. Where the information is public; or
  5. If We are acquired by or merged with another entity (in which case We will require such entity to assume Our obligations under this Statement).

Where obliged or permitted to disclose information without consent, We will not disclose more information than is required. We do not sell any Personal Data that We have obtained.

6. International Transfers

Resolver Inc., a Canadian legal entity domiciled in Toronto, Canada, is the primary legal entity that provides goods and services (including Software). With respect to Personal Data originating from the European Economic Area (EEA) that may be transferred to Canada, You acknowledge that the European Commission, pursuant to decision 2002/2/EC has declared the Canadian Personal Data Protection and Electronic Documents Act, that applies to Us, provides an adequate level of protection for Personal Data transferred from the European Community. Accordingly, if Personal Data originates from the EEA and is transferred to Canada, no additional safeguards are needed to meet the requirements of the applicable European data protection laws.

Whenever Personal Data that originates from the EEA is processed by a Resolver affiliate in a country that the European Commission has deemed to be inadequate, We do so with approved legal adequacy mechanisms in place (e.g. EU standard contractual clauses). For transfers of Personal Data to the United States, We rely on EU-US Privacy Shield or on the implementation of the EU standard contractual clauses, as appropriate.

7. Maintenance and Security of Personal Data

We retain Personal Data about Users as long as We believe it is necessary to fulfill the purpose for which it was collected. Currently, We hold Personal Data in North America, Europe and Oceania. Personal Data maintained on Our systems is protected using industry standard security measures. However, We cannot guarantee that the information submitted to, maintained on, or transmitted from Our systems will be completely secure and transmission of information over the Internet is susceptible to possible loss, misrouting, interception and misuse.

8. Access to Personal Data

You may update Personal Data either by accessing Our Software or by contacting Us. If You would like for Us to return, remove or make any additional corrections to any Personal Data or exercise any other data subject right available to you under the EU GDPR, you can click here to complete the Data Subject Access Request form directly and We will consider Your request under applicable law. Requests to access, correct, or remove Personal Data, to the extent possible, will be handled within thirty (30) days and may be subject to a fee, as permitted by applicable law. To protect Your privacy and security, We may take steps to verify Your identity before complying with the request.

You also have the right to complain to a data protection authority about Our processing of Personal Data. For more information, please contact Your local data protection authority.

Please note that due to technical constraints and the fact that We back up Our systems, Personal Data may continue to reside in Our systems for up to sixty (60) days after deletion. Individuals, therefore, should not expect that their Personal Data would be completely removed from Our systems in response to an accepted request for deletion.

We reserve the right to decline access to Personal Data where the information requested:

  1. Would disclose the Personal Data of another data subject or of a deceased data subject;
  2. Would disclose business confidential information that may harm Us or the competitive position of a third-party;
  3. Is subject to solicitor-client or litigation privilege;
  4. Could reasonably result in:
    1. serious harm to the treatment or recovery of the data subject concerned;
    2. serious emotional harm to the data subject or another data subject; or
    3. serious bodily harm to another data subject;
  5. May harm or interfere with law enforcement activities and other investigative or regulatory functions of a body authorized by statute to perform such functions;
  6. Is not readily retrievable and the burden or cost of providing would be disproportionate to the nature or value of the information; or
  7. Does not exist, is not held, or cannot be found by Us.

Where information will not or cannot be disclosed, the data subject making the request will be provided with the reasons for non-disclosure. Where information will be disclosed, We will endeavor to provide the information in question within a reasonable time and no later than thirty (30) days following the request.

We will not respond to repetitious or vexatious requests for access. In determining whether a request is repetitious or vexatious, We will consider such factors as the frequency with which information is updated, the purpose for which the information is used, and the nature of the information.

To guard against fraudulent requests for access, We will require sufficient information to allow Us to confirm the identity of the person making the request before granting access or making corrections.

9. Amendment of Resolver practices and this Statement

This statement is in effect and was last revised as of September 16, 2019. We will from time to time review and revise Our privacy practices and this Statement. In the event of any amendment, an appropriate notice will be posted on this site. Statement changes will apply to the information collected from the date of posting of the revised Statement to this site as well as to existing information held by Us.

10. Contact information

If You have any questions about the privacy practices of Resolver, or You wish to access Your Personal Data, please contact:

Outside of the EEA:

Privacy Officer
Resolver Inc.
804-111 Peter Street
Toronto, ON M5V 2H1
Canada
E-mail: privacy@resolver.com

Inside the EEA:

GDPR Representative
Resolver Inc. c/o Resolver Software Limited
1 Primrose Street
London, EC2A 2EX
England
E-mail: gdpr.representative@resolver.com

Processes, Policies and Procedures

Formal IT policies and procedures exist that describe physical security, logical access, computer operations, change control, and data communication standards. All teams are expected to adhere to the Resolver policies and procedures that define how services should be delivered. These are located on the Company’s intranet and can be accessed by any Resolver team member.

Security Management

Security is managed at a senior level by the CISO, who reports directly to the CEO. With management approval, the CISO is responsible for defining and implementing the security policies, procedures, and mechanisms that enforce the organization's information security requirements. The CISO is supported by personnel including information security analysts, system administrators, network administrators and other subject matter experts.

Physical Security

Resolver uses certified hosting providers to house its virtual environments, including application servers, database servers, web servers and other technical infrastructure. The hosting providers also provide backup facilities and services. Access to the data center environment is restricted to fully authorized and vetted staff of the provider.

Similarly, Resolver offices are governed by access control and visitor policies. Access to the facilities outside of business hours requires a valid electronic key fob. During business hours, visitors must check in with reception and are accompanied by Resolver staff during their visit.

Servers are hosted within AWS and Rackspace. As such, the physical security controls around the data centers that host critical information are the responsibility of the subservice provider. Refer to the subservice organizations section below for additional details.

Logical Access

Internal Users

User access is tightly governed by role and by the user on-boarding and change procedures, in which explicit permissions are required for any access to applications, data or the network. Users and roles are segmented, and both are managed and reviewed regularly. Resolver follows a Role Based Access Control (RBAC) security model: privileges are set to the most restrictive level by default, and the application administrator can create security roles with granular and strict sets of permissions.

Customer Users

User access and authorization are the responsibility of the customer. Resolver does not control or manage which users have access to which systems or data. The Risk, Audit, Compliance, Controls and Incident Management systems follow a Role Based Access Control (RBAC) security model: privileges are set to the most restrictive level by default, and the application administrator can create security roles with granular and strict sets of permissions.

Customer User Data Access

Resolver Core

Customer data is stored in an AWS RDS PostgreSQL DB instance and in an AWS Simple Storage Service (S3) bucket.

On login, a user is issued a digitally signed JSON Web Token (JWT) that contains a customer ID. Because the token is signed, the web services can detect any modification to it (the token is tamper-evident rather than tamper-proof, and only as long as the signature is actually verified). The token is passed to the web services on all requests.

In RDS, customer data is segregated into unique data tables created per customer. Data tables have a unique ID that the application matches to the customer ID in the JWT for all requests. The application limits users to only view the data in the data tables specific to their customer ID.

In S3, customer data is segregated by key prefix (a directory structure) tied to the customer ID. The application limits users to seeing and searching only the files under the prefix for the customer ID contained in the JWT.
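The tenant-isolation checks described above, as an added example rather than Resolver's own code (the page does not show the service's implementation). It assumes an HMAC-SHA256 (HS256) signed JWT with a `customer_id` claim, a signing key held only by the service, and an S3 layout of `customers/<customer_id>/...`; all three are assumptions for illustration. The example issues a token, verifies it with the algorithm pinned server-side (which is what defeats a swapped payload and an `alg=none` header), and then scopes an RDS table lookup and an S3 key to the verified customer ID, refusing paths that try to escape the tenant prefix.

```python
import base64
import hashlib
import hmac
import json
import posixpath
import re
import time

# Assumptions for this example: an HS256 signing key held only by the service
# (constructed here, not Resolver's), and an S3 layout of customers/<customer_id>/...
SIGNING_KEY = b"example-hmac-key-not-for-production"
ALLOWED_ALG = "HS256"
S3_TENANT_ROOT = "customers"
CUSTOMER_ID_PATTERN = re.compile(r"[A-Za-z0-9_-]+")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(customer_id: str, user_id: str, ttl_seconds: int = 3600, now=None) -> str:
    """Issue the login token: an HS256 JWT carrying the tenant (customer_id) claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    claims = {"sub": user_id, "customer_id": customer_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + _b64url_encode(_sign(signing_input))


def verify_token(token: str, now=None) -> dict:
    """Return the claims only if algorithm, signature and expiry all check out; raise otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side: the token must never choose how it is verified
    # (this is what rejects alg=none and algorithm-downgrade tricks).
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg")
    expected = _sign(header_b64 + "." + claims_b64)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    customer_id = claims.get("customer_id")
    # The tenant ID is later used to build storage paths, so constrain its shape too.
    if not isinstance(customer_id, str) or not CUSTOMER_ID_PATTERN.fullmatch(customer_id):
        raise ValueError("missing or malformed customer_id claim")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def token_is_valid(token: str, now=None) -> bool:
    try:
        verify_token(token, now)
        return True
    except ValueError:
        return False


def may_read_table(claims: dict, table_customer_id: str) -> bool:
    """RDS check: the customer ID recorded on the table must equal the verified claim."""
    return claims["customer_id"] == table_customer_id


def scoped_s3_key(claims: dict, requested_path: str) -> str:
    """S3 check: map a user-supplied path under the tenant's prefix, refusing escapes."""
    prefix = S3_TENANT_ROOT + "/" + claims["customer_id"] + "/"
    normalized = posixpath.normpath(requested_path)
    if normalized.startswith("/") or normalized in (".", "..") or normalized.startswith("../"):
        raise PermissionError("path escapes tenant prefix")
    return prefix + normalized


def forgery_attempts(token: str, now=None) -> dict:
    """Two tampering attempts the verifier must defeat: a swapped customer_id and alg=none."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["customer_id"] = "other-tenant"  # attacker edits the tenant claim, keeps the old signature
    forged_claims_b64 = _b64url_encode(json.dumps(claims).encode())
    swapped = header_b64 + "." + forged_claims_b64 + "." + sig_b64
    none_header_b64 = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    unsigned = none_header_b64 + "." + forged_claims_b64 + "."  # empty signature segment
    return {"payload_swap": token_is_valid(swapped, now), "alg_none": token_is_valid(unsigned, now)}


if __name__ == "__main__":
    issued_at = 1_600_000_000
    token = issue_token("acme", "user-1", now=issued_at)
    claims = verify_token(token, now=issued_at + 60)
    print(may_read_table(claims, "acme"), may_read_table(claims, "globex"))
    print(scoped_s3_key(claims, "reports/../q1/summary.pdf"))
    print(forgery_attempts(token, now=issued_at + 60))
```

The point of the design is that the customer ID used for every storage decision comes only from the verified claims, never from a request parameter, and that the verifier, not the token, decides which algorithm is acceptable.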

Perspective

All customer data is stored in a Microsoft SQL Server DB. Each customer has a unique, dedicated DB to store their data. The DB is accessed through a unique account with a unique password. Database access credentials are contained in individual configuration files stored in a dedicated directory per customer; the directory is linked to the customer's access URL.

RiskVision

All customer data is stored in PostgreSQL and MySQL databases. Each customer has a unique, dedicated DB to store their data. The DB is accessed through a unique account with a unique password. Each customer is running a dedicated instance of RiskVision.

GAL

All customer data is stored in a Microsoft SQL Server DB. Each customer has a unique and dedicated DB to store their data. The DB is accessed through a unique account with a unique password. Each customer is running a dedicated instance of GAL.

GRC Cloud

All customer data is stored in a Microsoft SQL Server DB. Each customer has a unique, dedicated DB to store their data. The DB is accessed through a unique account with a unique password. Each customer is running an instance of GRC Cloud in a separate memory space that only has access to the DB account for its own DB.

WRM

All customer data is stored in a Microsoft SQL Server DB. Each customer has a unique, dedicated DB to store their data. The DB is accessed through a unique account with a unique password. Each customer is running a dedicated instance of WRM.

Hosting Access

Resolver's hosting provider for the production environments is a Tier 1 provider with SOC 2 reports that cover, among other things, system access control. Both physical and logical controls are in place to ensure that only permitted users are able to access the equipment or the network on which the equipment resides. The hosting providers do not have access to the databases within their environment other than for system administration purposes.

Password Management

Resolver centrally controls network, database and application account creation and rights assignment. Usernames follow a naming standard and must be accompanied by a strong password. For external-facing systems, Resolver requires passwords to be reset per the security policy and procedure guidelines.

Network Access and Security

Network access is controlled at two levels: hosting-provider mechanisms (e.g. AWS Network Access Control Lists (ACLs) and AWS VPC Security Groups (SGs)) and host-level mechanisms (OS firewall, IPsec policy and iptables). Both layers are enabled, giving a defense-in-depth arrangement in which a rule missed at one layer is still enforced at the other.

External activity is monitored and reviewed, and escalations are routed to and managed directly by the Resolver DevOps and Information Security teams.

Computer Operations – Backups

Core

For the Core database, Resolver uses the automated AWS RDS backup feature for nightly full backups; RDS point-in-time recovery allows a customer database to be restored to any point in time within the backup retention period (31 days).

All backups are encrypted on S3 or EBS Volumes utilizing AES 256.

Perspective, GRC Cloud and WRM

Resolver performs a full weekly backup to a highly available EBS volume and retains five weeks of full backups before cycling.

Nightly snapshots (backed by AWS S3, highly available and redundant) are retained for 31 days, and transaction log backups are taken hourly to a highly available EBS volume; both are cycled weekly after the full backup.

All backups are encrypted on S3 or EBS Volumes utilizing AES 256.

GAL and RiskVision

Resolver performs full monthly backups, weekly incremental backups and hourly DB transaction log backups, retaining five weeks of full backups before cycling.

All backups are encrypted utilizing AES 256.

Production Management, Server and Environment Management

Resolver’s production environments are built to be distributed, virtualized and interconnected with the environment through scripts with human interaction.

Resolver is able to provide customers with additional scalability, reliability and security through its partnership with AWS. AWS provides server instances that are easily deployed with high availability for a variety of offerings focused on flexibility and scalability. AWS provides physical security as well as reliable bandwidth. Refer to the subservice organizations section for additional details.

Computer Operations – Availability

Incident and Problem Management

The Resolver Incident Management team employs industry-standard diagnosis procedures to drive resolution during business-impacting events. Staff operators in Canada provide 24 x 7 x 365 coverage to detect incidents and to manage the impact and resolution.

All incidents are captured through a centralized ticketing system and then routed to the appropriate personnel for action. Incidents are categorized to indicate business impact and urgency.

Change Control

Resolver applies a systematic approach to managing change so that changes to customer impacting services are reviewed, tested, approved, and well communicated. All changes are recorded and tracked in a change ticketing system.

Change management processes are based on Resolver’s change management guidelines. These processes are documented and communicated to the necessary personnel. The goal of Resolver’s change management process is to prevent unintended service disruptions and maintain the integrity of service to the customer.

Changes deployed to production environments are:

  • Reviewed: by peers for technical aspects and appropriateness
  • Tested: to confirm the changes will behave as expected when applied and not adversely impact performance

Resolver physically separates the development/test environment from the production processing environment. There is a formal staging process for promoting tested and accepted changes from development to production. Developers do not have access to the Production environment.

Boundaries of the System

The scope of this report includes Resolver’s Global Alert Application, Risk Vision Application, WRM Application, Resolver Core Application, GRC Cloud Application, and Perspective PSV Application services system performed in the Toronto, Ontario facilities.

This report does not include the data center hosting services provided by AWS at multiple facilities or the data center hosting services provided by Rackspace at multiple facilities.

RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT PROCESS, INFORMATION AND COMMUNICATION, AND MONITORING

Control Environment

Integrity and Ethical Values

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of Resolver’s control environment, affecting the design, administration, and monitoring of other components. Integrity and ethical behavior are the product of Resolver’s ethical and behavioral standards, how they are communicated, and how they are reinforced in practices. They include management’s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct, as well as by example.

Specific control activities that the service organization has implemented in this area are described below:

  • Formally documented organizational policy statements and codes of conduct communicate entity values and behavioral standards to personnel.
  • A confidentiality statement agreeing not to disclose proprietary or confidential information, including client information, to unauthorized parties is a component of the employee handbook.
  • Background checks are performed for employees as a component of the hiring process.

Commitment to Competence

Resolver’s management defines competence as the knowledge and skills necessary to accomplish tasks that define employees’ roles and responsibilities. Management’s commitment to competence includes management’s consideration of the competence levels for particular jobs and how those levels translate into the requisite skills and knowledge.

Specific control activities that the service organization has implemented in this area are described below:

  • Management has considered the competence levels for particular jobs and translated required skills and knowledge levels into written position requirements.
  • Training is provided to maintain the skill level of personnel in certain positions.

Training and Development

Resolver employees receive regular training as it pertains to their job functions. The training can take the form of supervised on-the-job training and externally through seminars and formal course work. As part of the on-boarding process of new personnel, employees undertake security awareness training and continue to do so on an annual basis.

Performance Appraisals and Advancement

Formal performance reviews are conducted on a quarterly basis by an employee’s immediate supervisor. Personnel are evaluated on objective criteria based on performance. The review also includes a Self-Evaluation and a Peer Evaluation from two team members who have worked directly with the individual over the quarter. Ratings are then generated based on summary results. Continuous improvement plans are put into place based on feedback.

Management’s Philosophy and Operating Style

Resolver’s management philosophy and operating style encompass a broad range of characteristics. Such characteristics include management’s approach to taking and monitoring business risks, and management’s attitudes toward information processing, accounting functions, and personnel. Specific control activities that the service organization has implemented in this area are described below:

  • Management is periodically briefed on regulatory and industry changes affecting the services provided.
  • Executive management meetings are held to discuss major initiatives and issues that affect the business as a whole.

Resolver’s activities are overseen by its applicable Board of Directors and members of its senior executive team. The Board and the senior executive team meet several times annually and have established and maintain the key operating policies and practices of the organization.

The senior executive team is led by the Chief Executive Officer and consists of the following key functional roles:

  • William Anderson, CEO
  • Mike Wertman, CTO & CISO
  • Uros Stekovic, CFO & CIO
  • Amanda Ono, VP Customer Experience.
  • Joe Crampton, VP Product
  • Katya Bovykina, Director Marketing
  • Peter Nguyen, General Counsel and Privacy Officer
  • Darren Hill, Director Sales

Organizational Structure and Assignment of Authority and Responsibility

Resolver’s processing activities are allocated among personnel that are organized along functional lines. The reporting lines are depicted in the organization chart below:

Resolver Organization Chart

Resolver has appointed a Chief Information Security Officer (CISO) who is responsible for security, technology and infrastructure and reports directly to the CEO. The CISO, CEO and executives are aware of the controls set within the organization and their importance. An approval process is in place between the CISO and CEO to approve and implement technical policies and processes. On an annual basis, the Resolver Executive team reviews policies to ensure that controls continue to be effective and verifies that all changes and new policies adhere to how Resolver operates within its control set.

Resolver monitors resourcing and staffing through the semi-annual assessment of employee qualification alignment with entity objectives. As part of this process, management and employees formally evaluate, discuss, and recognize performance over the last half-year and set goals and priorities for the next half-year. Management further reviews operational plans and goals for the coming period to assess alignment of resources and employee skill sets.

Specific control activities that the service organization has implemented in this area are described below:

  • Organizational charts are in place to communicate key areas of authority and responsibility.
  • Organizational charts are communicated to employees and updated as needed.

Human Resources Policies and Practices

Resolver has formal hiring practices that are designed to help ensure that new personnel are qualified for their job responsibilities. These practices are outlined below:

Hiring

  • Role analysis – Partner with hiring manager to understand role requirements against strategic objectives. Job descriptions are revised regularly to meet the needs of the business and the labor market
  • Sourcing & Posting – Open role is posted in applicant tracking system (ATS), internally and through external channels. Specific roles are directly recruited for
  • Candidate Management – All candidate communications and activities are tracked within the ATS to ensure process consistency
  • Application Review – Applicants are evaluated against role requirements
  • Pre-screen – Candidates are telephone pre-screened based on essential criteria
  • Case Study – Candidates who are successfully evaluated at the telephone pre-screen stage receive a role-specific case study comprising 3-5 questions to further assess their capabilities
  • First Round Interview – Interview with hiring manager using Interview Evaluation Tool
  • Second Round Interview – Interview with executive and team members (as applicable) using Interview Evaluation Tool
  • Review and evaluation – Review candidates against role requirements and make selection on most suitable candidate
  • Background checks – Conduct criminal and credit checks using third-party provider, HR conducts two (2) references with reporting managers
  • Offer – Offer is extended and reviewed verbally with the candidate on receipt. The offer includes Resolver’s Code of Conduct, and an agreement on Confidentiality and Proprietary Rights. Completed offer documents are returned electronically and automatically filed in human resource information system (HRIS)

On-boarding

  • Employee File: Employee is created within the HRIS
  • On-boarding Provisioning: IT, HR and the Hiring Manager complete documentation in the HRIS for provisioning of assets and software. HRIS prompts task completion 5-7 days before start-date, with a reminder at 3 days. HR supports internal stakeholders (IT and Hiring Manager) for task completion if there are issues
  • Security Orientation – Completion of the mandatory Security Awareness training, delivered through the third-party KnowBe4 security awareness training platform, within 60 days of hire

Risk Assessment Process

Resolver’s risk assessment process includes an established process to identify and take into consideration the implications of relevant risks. Business planning processes also include risk assessments, which include the following:

  • Management identifies risks that result from operations or compliance with laws and regulations (e.g., business strategy and plans)
  • Management identifies risks relating to the ability of an employee to initiate and process unauthorized transactions
  • Risks are documented and communicated throughout Resolver, as appropriate
  • Risks are reviewed periodically with the appropriate governance functions
  • When risks are identified, existing controls are examined to determine if there has been a failure in controls and, if so, to determine the reason for such failure

Integration with Risk Assessment

The environment in which the system operates; the commitments, agreements, and responsibilities of Resolver’s Resolver Core Application, GRC Cloud Application, and Perspective PSV Application services system; as well as the nature of the components of the system result in risks that the criteria will not be met. Resolver addresses these risks through the implementation of suitably designed controls to provide reasonable assurance that the criteria are met. Because each system and the environment in which it operates are unique, the combination of risks to meeting the criteria and the controls necessary to address the risks will be unique. As part of the design and operation of the system, Resolver’s management identifies the specific risks that the criteria will not be met and the controls necessary to address those risks.

Information and Communications Systems

Resolver has implemented various methods of internal communication at a global level to help employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees; annual training programs; regular management meetings for updates on business performance and other matters; and electronic means such as video conferencing, electronic mail, instant messaging and the posting of information on Resolver’s intranet.

At the customer level, Resolver has also implemented various methods of external communication to support its customer base and the community through its Marketing and Customer Success teams. Mechanisms are in place to allow the customer support team to be notified and to notify customers of potential operational issues that could impact the customer experience.

Monitoring Controls

Monitoring of performance, quality and adherence to company policies and internal controls is part of the day-to-day responsibilities of management. This is accomplished through regular review of established reports, which provide performance and quality results.

On-Going Monitoring

Resolver’s management conducts quality assurance monitoring on a regular basis and additional training is provided based upon results of monitoring procedures. Monitoring activities are used to initiate corrective action through department meetings, internal conference calls, and informal notifications.

Management’s close involvement in Resolver’s operations helps to identify significant variances from expectations regarding internal controls. Upper management evaluates the facts and circumstances related to any suspected control breakdown. A decision for addressing any control’s weakness is made based on whether the incident was isolated or requires a change in the company’s procedures or personnel. The goal of this process is to ensure legal compliance and to maximize the performance of Resolver’s personnel.

Reporting Deficiencies

An internal tracking tool is utilized to document and track the results of on-going monitoring procedures. Escalation procedures are maintained for responding and notifying management of any identified risks. Risks receiving a high rating are responded to immediately. Corrective actions, if necessary, are documented and tracked within the internal tracking tool. Annual risk meetings are held for management to review reported deficiencies and corrective actions.

HIPAA/HITECH REQUIREMENTS AND RELATED CONTROLS

Periodic Assessments

Resolver has developed a health information security management program to meet the information security and compliance requirements related to the Resolver Core Application, GRC Cloud Application, and Perspective PSV Application services and its customer base. The program incorporates the elements of the HIPAA and the HITECH. The description below is a summary of safeguards that Resolver has implemented to adhere to the applicable components of HIPAA Final Security Rule and the breach notification requirements of HITECH.

Policies and Procedures

Health information security policies and procedures have been implemented regarding the protection of information assets. The policies and procedures act as a guide for all Resolver personnel. These policies and procedures define guidelines for the health information security program related to scope of services, which includes implementing and managing logical access security and controls, including the following:

  • Health information security policy
  • Asset management
  • Data classification
  • Business continuity
  • Incident management
  • Access control
  • Physical security

These policies are reviewed and approved by management on at least an annual basis.

Security Awareness Training

Resolver employees receive security awareness training for health information security as part of the onboarding process. This training is reinforced by security awareness communications on current issues which are distributed periodically. Additionally, employees are also required to participate in annual security awareness training.

Periodic Testing and Evaluation

Resolver completes evaluations throughout each calendar year regarding the effectiveness of the health information security program that include, but are not limited to, the following:

  • Internal risk assessments
  • Corrective action plans
  • Management reviews

Remediation and Continuous Improvement

Areas of non-compliance in Resolver’s internal control system surface from many sources, including the Company’s ongoing monitoring procedures, separate evaluations of the internal control system, and external parties. Management has developed protocols to help ensure that findings of internal control non-compliance, if identified, are reported not only to the individual responsible for the function or activity involved, who is in the position to take corrective action, but also to at least one level of management above that individual. This process enables the higher-level manager to provide needed support or oversight for taking corrective action, and to communicate with others in the organization whose activities may be affected. Management evaluates the specific facts and circumstances related to areas of non-compliance in internal control procedures and makes the decision for addressing any non-compliant items based on whether the incident was isolated or requires a change in the Company’s procedures or personnel.

Incident Response

Resolver maintains a documented incident response plan including breach notification requirements as mandated by HITECH. The procedures include, but are not limited to, the identification, response, escalation, and remediation of security breaches and other incidents. A formal breach notification process is utilized to document and track resolution of incidents noted. The incident response procedures are tested during the normal course of business and are updated as needed.

Changes to the System Since the Last Review

No significant changes have occurred to the services provided to user entities since the organization’s last review.

Incidents Since the Last Review

No significant incidents have occurred to the services provided to user entities since the organization’s last review.

Trust Services Criteria and HIPAA/HITECH Requirements Not Applicable to the System

The following Trust Services Criteria and HIPAA/HITECH requirements are not applicable to the system:

Category/Safeguard: Privacy
  Criteria/Requirement: P3.2
  Reason: Resolver provides services to customers that may collect or maintain private customer PII, but does not collect PII directly. Therefore, the Privacy Collection criteria do not apply.

Category/Safeguard: Administrative Safeguard
  Criteria/Requirement: 164.308(a)(4)(ii)(A)
  Reason: Resolver is not a healthcare clearinghouse.

Category/Safeguard: Administrative Safeguard
  Criteria/Requirement: 164.308(b)(1), 164.308(b)(2), 164.308(b)(3), 164.308(b)(4)
  Reason: Resolver is not a covered entity and would not require any business associate agreements executed with them. The organization would not share ePHI if it was in their possession.

Category/Safeguard: Physical Safeguard
  Criteria/Requirement: 164.310(c)
  Reason: Resolver is not a covered entity.

Category/Safeguard: Organizational Safeguard
  Criteria/Requirement: 164.314(a)(1), 164.314(a)(2)(i)
  Reason: Resolver is not a covered entity and would not require any business associate agreements executed with them. The organization would not share ePHI if it was in their possession.

Category/Safeguard: Organizational Safeguard
  Criteria/Requirement: 164.314(a)(2)(ii)
  Reason: Resolver is not a government entity.

Category/Safeguard: Organizational Safeguard
  Criteria/Requirement: 164.314(b)(1), 164.314(b)(2)
  Reason: Resolver is not a plan sponsor.

Category/Safeguard: Breach Notification
  Criteria/Requirement: 164.402; 164.404(a), 164.404(b), 164.404(c)(1), 164.404(c)(2), 164.404(d)(1)(i), 164.404(d)(1)(ii), 164.404(d)(2), 164.404(d)(2)(i), 164.404(d)(2)(ii), 164.404(d)(3); 164.406; 164.408(a), 164.408(b), 164.408(c)
  Reason: Resolver is a business associate; its responsibilities for breach notification are limited to its covered entity customers.

Subservice Organizations

This report does not include the data center hosting services provided by AWS and Rackspace at multiple facilities.

Complementary Subservice Organization Controls

Resolver’s services are designed with the assumption that certain controls will be implemented by subservice organizations. Such controls are called complementary subservice organization controls. It is not feasible for all of the trust services criteria and HIPAA/HITECH requirements related to Resolver’s services to be solely achieved by Resolver’s control procedures. Accordingly, subservice organizations, in conjunction with the services, should establish their own internal controls or procedures to complement those of Resolver.

The following subservice organization controls should be implemented by AWS to provide additional assurance that the trust services criteria and HIPAA/HITECH requirements described within this report are met:

Subservice Organization Controls – AWS

Category/Security Rule: Common Criteria/Security; Physical Safeguard
Criteria/Regulation: CC6.4; 164.310(a)(1); 164.310(a)(2)(ii); 164.310(a)(2)(iv)
Applicable Controls:

  • AWSCA-4.12: KMS-Specific – Recovery key materials used for disaster recovery processes by KMS are physically secured offline so that no single AWS employee can gain access to the key material.
  • AWSCA-4.13: KMS-Specific – Access attempts to recovery key materials are reviewed by authorized operators on a cadence defined in team processes.
  • AWSCA-5.1: Physical access to data centers is approved by an authorized individual.
  • AWSCA-5.2: Physical access is revoked within 24 hours of the employee or vendor record being deactivated.
  • AWSCA-5.3: Physical access to data centers is reviewed on a quarterly basis by appropriate personnel.
  • AWSCA-5.4: Physical access points to server locations are recorded by closed circuit television camera (CCTV). Images are retained for 90 days, unless limited by legal or contractual obligations.
  • AWSCA-5.5: Physical access points to server locations are managed by electronic access control devices.
  • AWSCA-5.6: Electronic intrusion detection systems are installed within data server locations to monitor, detect, and automatically alert appropriate personnel of security incidents.

Category/Security Rule: Availability
Criteria/Regulation: A1.2
Applicable Controls:

  • AWSCA-5.7: Amazon-owned data centers are protected by fire detection and suppression systems.
  • AWSCA-5.8: Amazon-owned data centers are air conditioned to maintain appropriate atmospheric conditions. Personnel and systems monitor and control air temperature and humidity at appropriate levels.
  • AWSCA-5.9: Uninterruptible Power Supply (UPS) units provide backup power in the event of an electrical failure in Amazon-owned data centers.
  • AWSCA-5.10: Amazon-owned data centers have generators to provide backup power in case of electrical failure.
  • AWSCA-5.11: Contracts are in place with third-party colocation service providers which include provisions to provide fire suppression systems, air conditioning to maintain appropriate atmospheric conditions, Uninterruptible Power Supply (UPS) units, and redundant power supplies.
  • AWSCA-5.12: AWS performs periodic reviews of colocation service providers to validate adherence with AWS security and operational standards.
  • AWSCA-7.2: S3-Specific – S3 performs continuous integrity checks of the data at rest. Objects are continuously validated against their checksums to prevent object corruption.
  • AWSCA-7.3: S3-Specific – When disk corruption or device failure is detected, the system automatically attempts to restore normal levels of object storage redundancy.
  • AWSCA-7.4: S3-Specific – Objects are stored redundantly across multiple fault-isolated facilities.
  • AWSCA-7.5: S3-Specific – The design of systems is sufficiently redundant to sustain the loss of a data center facility without interruption to the service.
  • AWSCA-8.1: Monitoring and alarming are configured by Service Owners to identify and notify operational and management personnel of incidents when early warning thresholds are crossed on key operational metrics.
  • AWSCA-8.2: Incidents are logged within a ticketing system, assigned severity rating and tracked to resolution.
  • AWSCA-10.1: Critical AWS system components are replicated across multiple Availability Zones and backups are maintained.
  • AWSCA-10.2: Backups of critical AWS system components are monitored for successful replication across multiple Availability Zones.

Subservice Organization Controls – Rackspace

Category/Security Rule: Common Criteria/Security; Physical Safeguard
Criteria/Regulation: CC6.4; 164.310(a)(1); 164.310(a)(2)(ii); 164.310(a)(2)(iv)
Applicable Controls:

  • GRP22 – On an annual basis, Rackspace performs formal risk assessments over its Data Center services systems.
  • GRP30 – Security guards are present at Rackspace data center facilities to monitor physical activity and to respond to security incidents.
  • GRP31 – Rackspace data center facilities have an alarm system at exit and entry points to alert security personnel if a door is forced open or left open. Alerts are delivered to the Physical Security Team who follow up and document actions taken.
  • GRP32 – Visitors at Rackspace facilities must check in with reception/security before being granted access to Rackspace facilities. Personnel and visitors are required to display their identity badges when onsite at Rackspace data center facilities. Unescorted visitors are not allowed in sensitive areas.
  • GRP34 – Two factor authentication is used to gain access to the data center.
  • GRP35 – Closed circuit video surveillance is monitored by authorized personnel 24x7. CCTV retention period is at least 90 days for data centers.
  • GRP36 – Physical access (badge access/biometric access) events are logged and monitored in real time, and alerts are generated and acted upon as appropriate. A monthly review is conducted to identify unusual patterns. Action is taken to address any patterns discovered.
  • SOC 2.01 – Proximity cards are used at Rackspace data center facilities to restrict access to only authorized personnel.
  • SOC 2.02 – Physical safeguards are in place to restrict access to the server room within the data center.
  • SOC 2.03 – The visitor log is compiled and retained for 12 months. The log is reviewed in the case of incident or emergency situations.
  • SOC 2.04 – Appropriateness of physical access to Rackspace data center facilities is reviewed on a periodic basis.
  • SOC 2.05 – Physical access is disabled within the timeframe specified by the User Access Standard.
  • SOC ELCo8 – At least annually Rackspace reviews third-party assurance reports or performs a physical security and environmental controls onsite audit for each leased data center location.

Category/Security Rule: Availability
Criteria/Regulation: A1.2
Applicable Controls:

  • GRP22 – On an annual basis, Rackspace performs formal risk assessments over its Data Center services systems.
  • GRP52 – The data center facilities are equipped with redundant HVAC units to maintain consistent temperature and humidity levels.
  • GRP53 – Redundant lines of communication exist to telecommunication providers.
  • GRP54 – Data center facilities are equipped with uninterruptible power supplies (UPS) to mitigate the risk of short term utility power failures and fluctuations.
  • GRP55 – Data center facilities are equipped with diesel generators to mitigate the risk of long term utility power failures and fluctuations.
  • GRP56 – Rackspace utilizes fully redundant routing and switching equipment for its core network infrastructure.
  • GRP59 – Data centers are equipped with sensors to detect environmental hazards, including smoke detectors where chilled water systems are used as coolant.
  • GRP60 – The data center facilities are equipped with raised flooring.
  • GRP61 – Data center facilities are equipped with fire detection and suppression systems.
  • GRP62 – Fire detection systems, sprinkler systems, and chemical fire extinguishers are inspected at least annually.
  • GRP63 – The UPS systems are inspected and/or serviced at least annually.
  • GRP64 – Generators are tested at least every 120 days and serviced at least annually.
  • GRP65 – A Data Center business continuity plan (BCP) exists and provides the global business continuity plan for Rackspace data centers to manage significant disruptions to its operations and infrastructure.
  • SOC 7.01-D – Backups are scheduled and performed for customers who have subscribed to the managed backup service based on the backup frequency configured in the backup utility software.
  • SOC 7.02-D – Customers subscribed to offsite retention have media sent to an offsite storage facility in a locked container.
  • SOC 7.03-D – Backup tapes are securely destroyed when their useful life expires.
  • SOC 7.04-D – Rackspace performs weekly monitoring of retention services.
  • SOC ELCo8 – At least annually Rackspace reviews third-party assurance reports or performs a physical security and environmental controls onsite audit for each leased data center location.

Resolver management, along with the subservice organizations, defines the scope and responsibility of the controls necessary to meet all the relevant trust services criteria through written contracts, such as SLAs. In addition, Resolver monitors the subservice organization controls, including through the following procedures:

  • Reviewing attestation reports over services provided by vendors and subservice organizations

COMPLEMENTARY USER ENTITY CONTROLS

Resolver’s services are designed with the assumption that certain controls will be implemented by user entities. Such controls are called complementary user entity controls. It is not feasible for all of the Trust Services Criteria related to Resolver’s services to be solely achieved by Resolver’s control procedures. Accordingly, user entities, in conjunction with the services, should establish their own internal controls or procedures to complement those of Resolver.

The following complementary user entity controls should be implemented by user entities to provide additional assurance that the Trust Services Criteria described within this report are met. As these items represent only a part of the control considerations that might be pertinent at the user entities’ locations, user entities’ auditors should exercise judgment in selecting and reviewing these complementary user entity controls.

  1. User entities are responsible for understanding and complying with their contractual obligations to Resolver.
  2. User entities are responsible for maintaining their own system(s) of record.
  3. User entities are responsible for developing their own disaster recovery and business continuity plans that address the inability to access or utilize Resolver services.
  4. User entities are responsible for immediately notifying Resolver of any actual or suspected information security breaches, including compromised user accounts, such as those used for integrations and secure file transfers.
  5. User entities are responsible for ensuring media and electronic data are provided to Resolver via agreed-upon transfer methods. Tracking information is provided to Resolver’s project team to allow for identification, tracking, and secure management of media transferred to Resolver.
  6. User entities are responsible for designating specific client contacts as approvers for authorization of user access. Client contact changes are communicated to the designated Project Manager in a timely manner.
  7. User entities are responsible for ensuring user access requests are approved by designated client individuals prior to submission to Resolver for access provisioning.
  8. User entities are responsible for ensuring that client project instructions, including but not limited to processing, search, and movement-to-host parameters, are communicated to Resolver in a clear, documented format to direct completion of services.
  9. User entities are responsible for communicating data management instructions, including but not limited to retention and deletion instructions.
  10. User entities are responsible for communicating data classification specifications for data provided to Resolver.
  11. User entities are responsible for obtaining any and all consent information as well as processing all requests for consent revocation.
  12. User entities are responsible for notice requirements to data subjects.
  13. User entities are responsible for allocating standard and privileged access to the application systems in scope.
  14. User entities are responsible for configuring the front-facing security parameters utilized by their implemented application.
  15. User entities are responsible for reviewing access to the customer-facing application.

TRUST SERVICES CATEGORIES

In-Scope Trust Services Categories

Common Criteria (to all Security, Availability, Processing Integrity, Confidentiality and Privacy Categories)
Security refers to the protection of

  1. information during its collection or creation, use, processing, transmission, and storage and
  2. systems that use electronic information to process, transmit or transfer, and store information to enable the entity to meet its objectives. Controls over security prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorized removal of information or system resources, misuse of software, and improper access to or use of, alteration, destruction, or disclosure of information.
Availability
Availability refers to the accessibility of information used by the entity’s systems, as well as the products or services provided to its customers. The availability objective does not, in itself, set a minimum acceptable performance level; it does not address system functionality (the specific functions a system performs) or usability (the ability of users to apply system functions to the performance of specific tasks or problems). However, it does address whether systems include controls to support accessibility for operation, monitoring, and maintenance.
Processing Integrity
Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation. Because of the number of systems used by an entity, processing integrity is usually only addressed at the system or functional level of an entity.
Confidentiality
Confidentiality addresses the entity’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity’s control in accordance with management’s objectives. Information is confidential if the custodian (for example, an entity that holds or stores information) of the information is required to limit its access, use, and retention and restrict its disclosure to defined parties (including those who may otherwise have authorized access within its system boundaries). Confidentiality requirements may be contained in laws or regulations or in contracts or agreements that contain commitments made to customers or others. The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary, intended only for entity personnel.

Confidentiality is distinguished from privacy in that privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information. In addition, the privacy objective addresses requirements regarding collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property.

Privacy
Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

Although confidentiality applies to various types of sensitive information, privacy applies only to personal information.

The privacy criteria are organized as follows:

  1. Notice and communication of objectives. The entity provides notice to data subjects about its objectives related to privacy.
  2. Choice and consent. The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects.
  3. Collection. The entity collects personal information to meet its objectives related to privacy.
  4. Use, retention, and disposal. The entity limits the use, retention, and disposal of personal information to meet its objectives related to privacy.
  5. Access. The entity provides data subjects with access to their personal information for review and correction (including updates) to meet its objectives related to privacy.
  6. Disclosure and notification. The entity discloses personal information, with the consent of the data subjects, to meet its objectives related to privacy. Notification of breaches and incidents is provided to affected data subjects, regulators, and others to meet its objectives related to privacy.
  7. Quality. The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet its objectives related to privacy.
  8. Monitoring and enforcement. The entity monitors compliance to meet its objectives related to privacy, including procedures to address privacy-related inquiries, complaints, and disputes.

HEALTH INFORMATION SECURITY PROGRAM

Resolver has developed a health information security management program to meet the information security and compliance requirements related to the Core Application, GRC Cloud Application, and Perspective PSV Application services and its customer base. The program incorporates the elements of HIPAA and HITECH. The description below is a summary of the safeguards that Resolver has implemented to adhere to the applicable components of the HIPAA Final Security Rule and the breach notification requirements of HITECH.

Administrative Safeguards – policies and procedures designed to show how Resolver complies with the act:

  • Management has adopted a written set of health information security policies and designated the information security officer to be responsible for developing and implementing the required policies and procedures.
  • Procedures address access authorization, establishment, modification, and termination.
  • Documented incident response policies for reporting security incidents are in place to guide employees in identifying and reporting security incidents.
  • Business continuity plans are documented to enable continuation of critical business processes in the event of an emergency.
  • Privileged administrative access to systems is restricted to authorized individuals.
  • Automated backup systems are in place to perform scheduled replication of production data and systems at pre-defined intervals.
  • Antivirus software is utilized to detect and eliminate data or files that contain certain virus signatures on certain production servers.

Physical Safeguards – controlling physical access to protected data:

  • Documented physical security policies and procedures are in place to guide personnel in physical security administration.
  • Physical access procedures are in place to restrict access, log visitors, and terminate access to the office facility.
  • Inventory listings are utilized to track and monitor hardware and removable media.
  • Data destruction procedures are in place to guide the secure disposal of data and media.

Technical Safeguards – controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient:

  • Access to in-scope systems is restricted to authorized personnel based on a valid user account and password.
  • Systems are configured to enforce pre-determined thresholds to lock user sessions due to invalid login attempts.
  • Security monitoring applications and manual reviews are utilized to monitor and analyze the in-scope systems for possible or actual security breaches.

Organizational Safeguards – adherence to policies and procedures in regard to PHI documentation availability, as well as documentation retention:

  • Documented policies address the confidentiality threshold of PHI documents and the length of time they should be retained before being destroyed.
  • Contractual responsibilities of subparts of an organization are written down and maintained in contracts.
  • Separation of duties is in place to protect the confidentiality, availability, and integrity of PHI.
  • Only appropriate parties are permitted to gain access to PHI, both internally and external to the organization.

Breach Notification – a business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach:

  • Documented policies and procedures are in place to guide personnel in notifying the covered entity upon discovery of a breach.
  • Documented policies and procedures are in place to guide personnel in responding to discovery of a breach.
  • Documented policies and procedures require disclosure of the unsecured protected health information and include, to the extent possible, the identification of each individual and a description of the event.
  • Documented policies and procedures are in place to guide personnel in the exception processes of delaying and documenting notifications.
  • Documented policies and procedures are in place to guide personnel in documentation of administrative requirements for demonstrating that all notifications were made as required.

Control Activities Specified by the Service Organization

The applicable trust criteria and HIPAA/HITECH requirements, risks, and related control activities are included in Section 4 of this report to eliminate the redundancy that would result from listing them in this section. Although the applicable trust criteria and HIPAA/HITECH requirements and related control activities are included in Section 4, they are, nevertheless, an integral part of Resolver’s description of the system. Any applicable trust services criteria or HIPAA/HITECH requirements that are not addressed by control activities at Resolver are described within Section 4 and within the Subservice Organizations and Criteria Not Applicable to the System sections above.

The description of the service auditor’s tests of operating effectiveness and the results of those tests are also presented in Section 4. The description of the tests of operating effectiveness and the results of those tests are the responsibility of the service auditor and should be considered information provided by the service auditor.