Security regulations and practices
Vulnerability management
Data Integration runs a continuous vulnerability management program for early detection and remediation of vulnerabilities. We combine an internal scanning process using AWS tools (for example, Amazon Inspector) that automatically assesses exposure and vulnerabilities within our network and infrastructure with external vulnerability scanning performed by third-party security vendors to identify potential vulnerabilities in externally facing assets. Vulnerabilities are remediated by applying patches, making code or infrastructure changes, or other procedural means as needed.
Penetration testing
Annual penetration testing is performed on the application and its underlying infrastructure using a gray-box method that covers the OWASP Top 10 vulnerability categories.
Customers receive an executive summary of the penetration test reports (under NDA). These reports include the test results and measures to address any concerns.
Configuration and patch management
Data Integration uses centrally managed configuration management systems, including infrastructure-as-code systems, to enforce predefined configurations on its servers and maintain the desired patch levels of the software components.
Physical security
Data Integration relies on the AWS global infrastructure in the US, including the facilities, network, hardware, and operational software (for example, host OS and virtualization software) that support the provisioning and use of basic computing resources and storage.
This infrastructure is designed and managed according to security best practices and security compliance standards, including FedRAMP, HIPAA, ISO 27001:2013, AICPA SOC 1, SOC 2, SOC 3, PCI DSS, and more. AWS constantly updates its compliance programs. For a complete and up-to-date list, refer to:
Data Integration restricts physical access to its offices using a designated access control system that admits only authorized personnel. Access is granted to company employees, who must accompany visitors at all times while on-premises.
Third-party feature
Data Integration may combine personal information you provide with information obtained from other sources, such as customers, data providers, business partners, joint marketing partners, and event co-sponsors, and publicly accessible sources, such as social media platforms. However, Data Integration does not gather PII through these services.
Organizational security
Data Integration established a set of organizational measures that follow leading practices and ensure security posture is maintained with rigid controls and processes, such as:
Organizational structure
Security is paramount to the business and is supervised by a dedicated CISO. Strategic security issues are reported directly to the company’s management, including the co-founder and chief architect, the co-founder and CTO, and the CEO. Data Integration founded a dedicated committee that meets quarterly with the relevant stakeholders to discuss information security and risk issues.
Information security policies
Data Integration maintains a comprehensive and transparent acceptable use policy, which is communicated to all employees and contractors. The policy outlines the acceptable use of all equipment, information, electronic mail, computing devices, and network resources. The company ensures that its employees understand and comply with information security policies to reduce the risk of malware infections, legal issues, and compromised systems or services. All of Data Integration’s security policies are reviewed annually as part of the SOC certification.
Vulnerability awareness training
Our key focus is security education. All employees are well-versed in security best practices and good habits to avoid ransomware and malware.
Risk assessment framework
The process of Risk Assessment is a critical component of Data Integration’s internal control system. Data Integration’s Risk Assessment process aims to identify, assess, and manage risks that affect the organization’s ability to achieve its objectives. As part of the Risk Assessment process, a specific procedure is taken to identify, assess, and reduce security and privacy risks of projects, systems, or policies involving collecting, using, or disclosing personal data (“Data Protection Impact Assessments”).
Confidentiality procedures
Data Integration has implemented security measures to ensure the confidentiality of its customers’ sensitive personal information (SPI). The security measures prevent unauthorized access, disclosure, alteration, or destruction of sensitive personal information. Customer data has a single classification according to Data Integration’s information security policy. The company obtains commitments from vendors and other third parties that may have access to personal information processed by the systems. Third-party infrastructure providers sign confidentiality agreements with Data Integration to maintain system confidentiality, which conforms to Data Integration’s confidentiality policy.
Breach management and notifications
Data Integration creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information.
We receive commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on according to established incident response procedures.
While organizations like Data Integration do everything possible to protect against and prevent data breaches, they may still occur. In the event of a breach, it is essential that you can be confident you will be notified in a timely manner. When a data breach is discovered, Data Integration notifies the affected individuals.
Network security
Our system's networks and access control policies are designed carefully to follow the principle of least privilege. Our data pipeline ensures that data is always encrypted, whether at rest or in transit.
- Network separation - isolates critical and sensitive systems into network segments separate from those holding less sensitive systems. This limits an attacker's ability to reach unauthorized resources or to move laterally.
- AWS Virtual Private Cloud (VPC) - Data Integration makes use of an AWS VPC. Data Integration production environment is accessible only to authorized individuals who meet the job function and have the least privilege.
- Data Integration VPC - the network is private and provides client access only to our console.rivery.io and API services. Outbound connections to the internet go through a NAT Gateway.
- Restricted AWS Security Groups safeguard all servers, allowing only limited connectivity to and between them. AWS Security Groups can be configured by authorized individuals only.
- Intrusion prevention – Monitoring tools are implemented to detect unusual or unauthorized activities and conditions at ingress and egress points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts.
- Denial of Service (DoS) protection – AWS security monitoring tools can identify a variety of denial of service (DoS) threats, including distributed, flooding, and software/logic attacks. As a mitigation layer, we use AWS WAF. The AWS incident response mechanism is launched when a DoS attack is discovered. Each region has redundant communications providers and additional capacity, which together with the DoS preventive mechanisms protect against DoS attacks.
- Identity and Access Management (IAM) – The IAM web service controls users' access privileges and interacts securely with AWS resources.
- Anomaly detection—anomaly-based security monitoring is deployed to continuously collect cloud configuration and audit events, network/process information, and container-related vulnerabilities to establish a baseline of normal expected behavior.
- Multi-factor authentication – All Data Integration employee accounts with access to sensitive resources require two-factor authentication.
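The security-group control above ("limited connectivity to and between" servers) is only as good as the rules actually deployed, so a practitioner will want a way to verify it. The following script is an added example, not Data Integration's own tooling: it audits security-group ingress rules in the shape returned by boto3's `describe_security_groups` (or the `aws ec2 describe-security-groups` CLI), flagging rules open to the whole internet on ports other than an assumed public allowlist, and rules that grant every protocol and port from any CIDR. The sample groups at the bottom are constructed for illustration and do not describe any real account.

```python
"""Audit AWS security-group ingress rules for overly broad exposure.

Added example (not Data Integration's code). Input is the list found under
"SecurityGroups" in boto3's ec2.describe_security_groups() response or in
`aws ec2 describe-security-groups` JSON, so it can run offline on a saved dump.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumption for this example: HTTPS is the only port a public edge may expose.
PUBLIC_ALLOWED_PORTS = {443}


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str
    port_from: int
    port_to: int
    source: str
    reason: str


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. a rule open to the whole internet."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm: dict) -> tuple[int, int]:
    # IpProtocol "-1" means all protocols; FromPort/ToPort are then absent.
    if perm.get("IpProtocol", "-1") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def find_open_ingress(groups: list[dict]) -> list[Finding]:
    """Return least-privilege violations found in the groups' ingress rules.

    Group-to-group references (UserIdGroupPairs) are the intended pattern and
    are not flagged; only CIDR sources are examined.
    """
    findings: list[Finding] = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            lo, hi = _port_range(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if proto == "-1":
                    findings.append(Finding(gid, proto, lo, hi, cidr,
                                            "all protocols and ports allowed"))
                elif _is_world(cidr) and not (lo == hi and lo in PUBLIC_ALLOWED_PORTS):
                    findings.append(Finding(gid, proto, lo, hi, cidr,
                                            "port range open to the internet"))
    return findings


# Constructed sample: a public edge, an app tier reachable only from the edge
# (plus a mistaken world-open SSH rule), and a DB tier with an all-ports rule.
SAMPLE_GROUPS = [
    {"GroupId": "sg-edge", "GroupName": "public-edge", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-edge"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]

if __name__ == "__main__":
    for f in find_open_ingress(SAMPLE_GROUPS):
        print(f"{f.group_id}: {f.protocol} {f.port_from}-{f.port_to} "
              f"from {f.source}: {f.reason}")
```

To run it against a real account, pass `json.load(...)["SecurityGroups"]` from the CLI output instead of `SAMPLE_GROUPS`. On the sample it reports the world-open SSH rule on the app tier and the all-ports rule on the DB tier; the HTTPS listener on the edge and the group-to-group rules pass.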
Application security
- Web Application Firewall (WAF) – A WAF is deployed in front of Data Integration’s sensitive domains to protect against application-level attacks, such as those in the OWASP Top 10, and to provide additional visibility into web vulnerabilities.
- Privacy by design, ‘shift left’ - To ensure the delivery of highly secure services to customers, security and privacy are an inherent part of Data Integration’s Software Development Life Cycle. We follow the ‘shift left’ approach, which integrates security from the earliest phases of development.
Secure coding practices are essential for applications designed and implemented with strong security requirements. These practices ensure that privacy and security risks are addressed not only during development but also in day-to-day operations. Changes affecting the level of security, privacy, availability, and confidentiality issues within the production environment are reviewed as part of risk assessment sessions.
- Strong password policies – Data Integration’s password policy governs the creation, protection, and rotation of passwords. These requirements follow industry best practices and serve as a baseline or minimum recommended password requirement. Additional measures include account lockout policies and anti-bot mechanisms to protect against dictionary-based and brute-force attacks.
- Single sign-on (SSO) and two-factor authentication – Our platform integrates with many SAML 2.0-compliant identity providers to provide a single sign-on (SSO) solution. Using the SSO integration, organizations can require their employees to present a strong authentication factor along with their password when they sign in.
- Application session time-out - We help secure user accounts with an application session time-out. Once a session has been idle for the configured period, users must re-authenticate to access their account.
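The account lockout and idle session time-out controls described in the list above are simple to state but easy to get subtly wrong (counting failures per request rather than per account, or checking the password before the lock). The following is an added reference model, not Data Integration's implementation: the thresholds `MAX_FAILURES`, `LOCKOUT_SECONDS` and `IDLE_TIMEOUT` are assumed values, since the page does not state the real policy's numbers, and the clock is passed in explicitly so the behaviour is deterministic.

```python
"""Account lockout and idle-session timeout: a minimal reference model.

Added example (not Data Integration's code). Thresholds are assumptions.
"""
from dataclasses import dataclass
import hashlib
import hmac
import os

MAX_FAILURES = 5            # failed attempts before lockout (assumed)
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked (assumed)
IDLE_TIMEOUT = 30 * 60      # seconds of inactivity before re-auth (assumed)
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, dict] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str, now: float):
        """Return a session id on success, None otherwise.

        The lock is checked before the password so a locked account cannot be
        brute-forced while locked; the failure counter is per account, not per
        connection, so distributed attempts still accumulate.
        """
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, b"\0" * 16)  # same cost as a real check: no timing oracle
            return None
        if now < acct.locked_until:
            return None
        if not hmac.compare_digest(acct.digest, _hash(password, acct.salt)):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
            return None
        acct.failures = 0
        sid = os.urandom(32).hex()
        self.sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def touch(self, sid: str, now: float):
        """Validate a session on every request; expire it after IDLE_TIMEOUT."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]   # idle too long: force re-authentication
            return None
        sess["last_seen"] = now
        return sess["user"]

    def is_locked(self, user: str, now: float) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and now < acct.locked_until


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    for i in range(MAX_FAILURES):
        svc.login("alice", "wrong", 1000.0 + i)
    print("locked:", svc.is_locked("alice", 1010.0))
    sid = svc.login("alice", "correct horse battery staple", 1010.0 + LOCKOUT_SECONDS)
    print("session valid after 5 min idle:", svc.touch(sid, 1010.0 + LOCKOUT_SECONDS + 300))
```

A real deployment would persist the counters and lock timestamps server-side and pair the lock with the anti-bot controls the page mentions, since lockout alone lets an attacker deny service to a known username.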