Written By David Watson
Last updated 3 months ago
General Security Information
Who is responsible for security at your company?
While we do not currently engage external cybersecurity consultants or services, cybersecurity efforts are a collaborative endeavor between our CEO and CTO, ensuring a comprehensive approach to protecting our systems and data. If you have any questions, please email David Watson at david@riskadvisor.insure.
What cybersecurity best practices are followed?
RiskAdvisor adheres to industry-standard cybersecurity practices to ensure the security and integrity of our systems and data. Our development team is certified in the OWASP Top 10, which covers the most critical security risks to web applications. Additionally, we require all contractors working with us to obtain and maintain cybersecurity insurance, providing an extra layer of protection and assurance that best practices in cybersecurity are followed across all our operations.
Do you enforce multi-factor authentication (MFA) at the admin level?
Yes. Multi-factor authentication (MFA) is available for all user accounts, including admins, as an added layer of security against unauthorized access. While MFA is optional for general users, we can enforce it at the admin level upon request. This ensures that admins adhere to stricter security protocols to safeguard our systems and data. Users are encouraged to enable MFA to enhance their account security.
Cybersecurity Practices
Do you have data security certifications or audits (e.g., SOC 2)?
RiskAdvisor is in the process of aligning our systems and processes with SOC 2 standards. While we have not completed a formal certification, our practices adhere to its principles, including security, availability, processing integrity, confidentiality, and privacy. Regular internal audits are conducted to assess and improve our security measures.
How often is the system updated?
At RiskAdvisor, we prioritize keeping our systems secure and efficient through regular updates. Our software is updated daily, ensuring that we address any potential vulnerabilities swiftly. Infrastructure updates are managed by our cloud provider, Digital Ocean, leveraging their expertise to maintain the integrity of our underlying systems. Additionally, we use automated processes for other updates, ensuring that all software components remain up to date without manual intervention.
What system monitoring procedures are in place?
RiskAdvisor utilizes Digital Ocean's monitoring services to oversee our system's health and performance. These services are complemented by a robust alert and notification system designed to identify and alert us to unusual activity patterns.
What are your audit logging capabilities?
Audit logs are maintained to track key activities, including user logins and system access. These logs are monitored for suspicious activity and are accessible upon request for compliance purposes. Customers like Hummel can request access to their activity logs to review system usage and detect potential security issues.
Disaster Recovery and Business Continuity
Do you have a disaster recovery / business continuity / breach recovery plan in place?
We maintain rigorous backup procedures for our infrastructure, code, and databases. These backups are performed regularly and are designed to ensure that we can restore our systems to operational status quickly in the event of an incident.
Have you had any breaches?
To date, RiskAdvisor has been fortunate not to experience any breaches, nor have any of our subprocessors, to our knowledge. In the event of a breach, our protocol involves consulting with external cybersecurity experts to thoroughly assess the situation and determine the appropriate course of action.
How are customers notified of a breach?
Should any of our customers' data be affected, we are committed to notifying them via email as soon as possible, ensuring transparency and swift action to protect their information.
Data Protection and Management
How & where is data stored?
RiskAdvisor's data is securely stored on a managed MySQL instance on DigitalOcean's cloud.
How is data protected?
We ensure the protection of our data by restricting server access exclusively to SSH, and all data communication to and from our server is encrypted using TLS 1.2. This comprehensive security approach guarantees that our data is not only encrypted in transit but also safeguarded by stringent access controls, ensuring that only authorized users can access sensitive and confidential information.
Is data encrypted both in transit and at rest?
We ensure the protection of our data by restricting server access exclusively to SSH, and all data communication to and from our server is encrypted using TLS 1.2. This comprehensive security approach guarantees that our data is not only encrypted in transit but also safeguarded by stringent access controls, ensuring that only authorized users can access sensitive and confidential information.
What is your data retention policy? Can data be deleted upon termination?
RiskAdvisor retains customer data indefinitely unless a specific request for deletion is made. Customers can request permanent erasure of their data at any time. Upon termination of services, we promptly and securely process data deletion requests.
How do you handle personally identifiable information (PII) or social security numbers?
RiskAdvisor employs stringent measures to secure PII and sensitive data such as social security numbers. This includes encryption in transit and at rest, restricted access to authorized personnel, and rigorous security protocols.
How are authorized users managed?
We ensure the protection of our data by restricting server access exclusively to SSH, and all data communication to and from our server is encrypted using TLS 1.2. This comprehensive security approach guarantees that our data is not only encrypted in transit but also safeguarded by stringent access controls, ensuring that only authorized users can access sensitive and confidential information.
Who owns the data?
RiskAdvisor owns all “Aggregated and Anonymized Statistics.” That term is defined as information related to Customer’s use of the RiskAdvisor Services including statistical and performance information related to the RiskAdvisor Services. (Section 2(e))
Customer owns Customer Data. (Section 9)
RiskAdvisor has a license to use Customer Data in order to provide the RiskAdvisor Services, and Customer Data can be incorporated for use within Aggregated and Anonymized Statistics. (Section 3(c))
Do any 3rd parties have access to data, including data sold to anybody?
In specific instances, data may be shared with subprocessors, but only at the explicit request of our customers. This ensures that any data sharing aligns with customer needs and complies with our rigorous privacy standards.
What happens to data if the partnership ends?
Should a partnership with a third party come to an end, RiskAdvisor ensures that any shared data is handled in accordance with both our privacy policies and the terms of the partnership agreement, prioritizing the security and privacy of our customers’ data throughout the process. Customers have the option to request the permanent erasure of their data by contacting our support team. Unless such a request is made, all customer data is retained indefinitely, ensuring that users can access their historical data at any point. This retention policy is designed with both user convenience and data security in mind.
When data is deleted, is it permanently erased?
Yes.
Confidentiality and Agreements
Do you offer confidentiality agreements around data privacy?
Yes. RiskAdvisor offers confidentiality agreements (NDAs) to formalize our commitment to the privacy and security of customer data.
AI
Are you using AI in your service? If so, how?
Not as of today.