We take security seriously.

How our employees protect you

Security isn’t just embedded into our products; it’s embedded into the fabric of our organization.

How our business protects you

Each component of our trusted platform undergoes regular and thorough security scrutiny.

How our technology protects you

We’ve designed policies and controls to safeguard the collection, use, and disclosure of your information.

Infrastructure

Application Security

All of the server, email, and database infrastructure for NextRequest is managed by Heroku, a subsidiary of Salesforce. Heroku uses certified data centers managed by Amazon, which implements industry-leading physical, technical, and operational security measures, has received ISO 27001 certification and Federal Information Security Management Act (FISMA) Moderate Authorization and Accreditation from the U.S. General Services Administration, and is SOC compliant. Additionally, Heroku maintains its own set of policies for security testing, environmental safeguards, network security, data security, and system security.

More on Heroku’s security policy.

Storage Security

NextRequest uses Amazon S3 to store customer image assets and documents. S3 is an industry-leading simple storage service that offers software developers a highly scalable, reliable, and low-latency data storage infrastructure. Access to resources within Amazon S3 is controlled through Access Control Lists (ACLs) and query string authentication.

More on Amazon Web Services compliance and security.

Reliability

Your data is backed up daily, weekly, and monthly to ensure your data remains secure and protected.

Data Center Security

Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.

Redundancy

Our platform maintains redundancy to prevent single points of failure, is able to replace failed components, and utilizes multiple data centers designed for resiliency. In the case of an outage, the platform is deployed across multiple data centers using current system images and data is restored from backups.

Disaster Recovery Plan

We have a step-by-step plan in place to take precautions and minimize the effects of a disaster. This enables us to provide consistent operations and quickly resume mission-critical functions.

Compliance

Codebase

The NextRequest codebase is built on the latest version of Ruby and Ruby on Rails, one of the most common and well-documented modern web development languages and frameworks. Ruby and Ruby on Rails provide robust internal tools to mitigate common attack patterns such as SQL injection and cross-site scripting (XSS). NextRequest follows regular updates for security vulnerabilities and updates the codebase as appropriate.

NextRequest employs GitHub to securely manage all code that comprises the production platform. GitHub provides collaboration, distributed revision control, and source code management functions. NextRequest uses an agile development process with frequent, incremental testing and changes, rather than large-scale infrequent releases.

NextRequest uses GitHub and makes changes to its repositories via GitHub Pull Requests (PRs). All code is tested in a development environment prior to deployment to the production platform. Code changes are peer reviewed and approved. Logs of changes are stored in GitHub, with the ability to revert to prior versions easily.

Encryption

The NextRequest application encrypts all documents at rest. These documents can only be accessed through a valid token which expires. Additionally, all data is encrypted at rest and in transit.

HTTPS & SSL

All web requests between web clients and NextRequest are secured by TLS (Transport Layer Security) version 1.2. TLS is an industry standard that is used by millions of websites to secure web transactions.

Monitoring

NextRequest contains several layers of monitoring at the application level. NextRequest uses two services for monitoring performance and error tracking. Errors are logged within the application and NextRequest administrators are immediately notified when errors do occur. Standard application logs are collected daily and weekly. Individual user access is logged within the application and kept in application logs.

System status reports are available 24/7 here.

Auditing & Scanning

Our codebase and all dependencies are scanned for vulnerabilities every time we make changes. Additionally, we perform weekly automated vulnerability scans of every part of our application, which include checks for SQL injection, XSS, and other common attack vectors. Logs are secured and archived for one year.

PCI Payment Processing

All payments are processed through Stripe, a PCI Level 1 Service Provider. NextRequest does NOT store customer credit card information on our servers.

Data Deletion/Destruction

At the request of a customer, we will expunge all customer data from NextRequest servers.

Employee Confidentiality Agreements

All employee contracts include a confidentiality agreement.

Real Time Security Updates

NextRequest's architecture allows security updates to be made to all customers in real time, preventing delays in the patching of security vulnerabilities.

Permissions

Code Access

Access to the NextRequest codebase is limited to NextRequest employees. Employees must authenticate before accessing or changing any code within the codebase. Any changes to the production or development environment are logged. These logs include a timestamp and the user name of the person making the change.

Individual Computers

All individual computers are password protected. Individuals must encrypt all the data on their individual computers. Any lost or stolen computers are reported immediately. All employees are required to use two-factor authentication.

Application Access

Access to NextRequest is limited to administrators and members of the development team. Access to the NextRequest application or the underlying database is logged by user name and the time of the access.

Database Access Controls

Access to the NextRequest production database and backups is limited to NextRequest developers. Each developer has unique login credentials and access to the database is logged in the database log files.

The NextRequest production database is hosted on Heroku and developers use two-factor authentication for accessing the Heroku platform. Individual NextRequest users interact with the database at the application level where access is controlled through role-based permissions. Any interactions with the database happen through common web forms within the application.

User Authentication

Users accessing the system must authenticate through a standard user name/password challenge. All user passwords are encrypted at rest. Randomly generated tokens that expire are used for password resets. Additionally, user access is controlled at the application level by the use of application roles. Each user is assigned a specific role, which is used to allow read, edit, and delete access to actions within NextRequest.

Two-Factor (Coming Soon!)

Two-factor authentication can be turned on by application administrators to improve security at the user level.

Single Sign-On (SSO)

NextRequest can add SSO integrations including Active Directory and OAuth to improve password security and access controls across the enterprise organization.

Password Complexity Standards

Password strength is tested at creation, and common passwords as well as passwords below the length limit are denied. Additionally, multiple incorrect authentication attempts result in the account being locked.

Questions about Security?

If you have additional questions about our security and compliance,
please get in touch at info@nextrequest.com.