Security isn’t just embedded into our products---it’s embedded into the very fabric of our organization.Learn More
Our policies & controls safeguard the collection, use, & disclosure of your information.Learn More
Each component of our trusted platform undergoes regular and thorough security scrutiny.Learn More
All of the server, email, and database infrastructure for NextRequest is managed by Heroku, a subsidiary of SalesForce. Heroku uses certified data centers managed by Amazon, which implements industry-leading physical, technical, and operational security measures and has received ISO 27001 certification and Federal Information Security Management Act (FISMA) Moderate Authorization; Accreditation from the U.S. General Services Administration and is SOC compliant. Additionally, Heroku maintains its own set of policies for security testing, environmental safeguards, network security, data security, and system security.
More on Heroku’s security policy.
NextRequest uses Amazon S3 to store customer image assets and documents. S3 is an industry leading simple storage service that offers software developers a highly-scalable, reliable, and low-latency data storage infrastructure. Access to resources within Amazon S3 is controlled through Access Control Lists (ACLs) and query string authentication.
More on Amazon Web Services compliance and security.
Your data is backed up daily, weekly, and monthly to ensure your data remains secure and protected.
Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.
Our platform maintains redundancy to prevent single points of failure, is able to replace failed components, and utilizes multiple data centers designed for resiliency. In the case of an outage, the platform is deployed across multiple data centers using current system images and data is restored from backups.
We have a step-by-step plan in place to take precautions and minimize the effects of a disaster. This enables us to provide consistent operations and quickly resume mission-critical functions.
The NextRequest codebase is built on the latest version of Ruby and Ruby on Rails, one of the most common and well documented modern web development languages and frameworks. Ruby and Ruby on Rails provide robust internal tools to mitigate common attack patterns such as SQL injection and cross site scripting (XSS). NextRequest follows regular updates for security vulnerabilities and updates the codebase as appropriate.
NextRequest employs Github to securely manage all code that comprises the production platform. Github provides collaboration, distributed revision control, and source code management functions. NextRequest uses an agile development process with frequent, incremental testing and changes, rather than large-scale infrequent releases.
NextRequest uses GitHub and makes changes to its repositories via GitHub Pull Requests (PRs). All code is tested in a development environment prior to deployment to the production platform. Code changes are peer reviewed and approved. Logs of changes are stored in Github, with the ability to revert to prior versions easily.
The NextRequest application encrypts all documents at rest. These documents can only be accessed through a valid token which expires. Additionally all data is encrypted at rest and in transit.
All web requests between web clients and NextRequest are secured by TLS (Transport Layer Security) version 1.2. TLS is an industry standard that is used by millions of websites to secure web transactions.
NextRequest contains several layers of monitoring at the application level. NextRequest uses two services for monitoring performance and error tracking. Errors are logged within the application and NextRequest administrators are immediately notified when errors do occur. Standard application logs are collected daily and weekly. Individual user access is logged within the application and kept in application logs.
System status reports are available 24/7 here.
Our codebase and all dependencies are scanned for vulnerabilities every time we make changes. Additionally we perform weekly automated vulnerability scans of every part of our application which includes checks for SQL injection, XSS, and other common attack vectors. Logs are secured and archived for one year.
All payments are processed through Stripe, a PCI Level 1 Service Provider. NextRequest does NOT store customer credit card information on our servers.
At the request of a customer, we will expunge all customer data from NextRequest servers.
All employee contracts include a confidentiality agreement.
All NextRequest employees undergo comprehensive background checks.
NextRequest's architecture allows security updates to be made to all customers in real time, preventing delays in the patching of security vulnerabilities.
NextRequest maps to Health Insurance Portability and Accountability Act (HIPAA) Security Rule controls.
NextRequest maps to Criminal Justice Information Services (CJIS) security controls.
Access to the NextRequest codebase is limited to NextRequest employees. Employees must authenticate before accessing or changing any code within the codebase. Any changes to the production or development environment are logged. These logs include a timestamp and the user name of the person making the change.
All individual computers are password protected. Individuals must encrypt all the data on their individual computers. Any lost or stolen computers are reported immediately. All employees are required to use two-factor authentication.
Access to NextRequest is limited to administrators and members of the development team. Access to the NextRequest application or the underlying database is logged by user name and the time of the access.
Access to the NextRequest production database and backups is limited to NextRequest developers. Each developer has unique login credentials and access to the database is logged in the database log files.
The NextRequest production database is hosted on Heroku and developers use two-factor authentication for accessing the Heroku platform. Individual NextRequest users interact with the database at the application level where access is controlled through role-based permissions. Any interactions with the database happen through common web forms within the application.
Users accessing the system must authenticate through a standard user name/password challenge. All user passwords are encrypted at rest. Randomly generated tokens that expire are used for password resets. Additionally, user access is controlled at the application level by the use of application roles. Each user is assigned a specific role, which is used to allow read, edit, delete access to actions within NextRequest.
Two-factor authentication can be turned on by application administrators to improve security at the user level.
NextRequest can add SSO integrations including Active Directory and OAuth to improve password security and access controls across the enterprise organization.
Password strength is tested at creation and common passwords as well as passwords below the length limit are denied. Additionally multiple incorrect authentication attempts result in the account being locked.
We enforce strong passwords based on the NIST 800-63B guidelines.
In the United States. (See "Infrastructure: Application Security" section for details)
This is an invented marketing term that another company uses to summarize their capabilities. This term does not signify accreditation by any regulatory institution.
No. Almost every web application uses at least some small amount of open source code, including those built by banks and the federal government.
See U.S. Federal CIO memorandum on open source software https://sourcecode.cio.gov/
If you have additional questions about our security and compliance,
please get in touch at firstname.lastname@example.org.