We take security seriously.

Application Security

NextRequest servers and databases are hosted on Amazon, which implements industry-leading physical, technical, and operational security measures. Amazon has received ISO 27001 certification and Federal Information Security Management Act (FISMA) Moderate Authorization. Accreditation from the U.S. General Services Administration, and is SOC-compliant. Amazon’s infrastructure is suitable to host CJIS, FIPS, FedRAMP, and FERPA-compliant applications.

More on Amazon's compliance.

Storage Security

NextRequest uses Amazon S3 to store customer image assets and documents. S3 is an industry leading simple storage service that offers software developers a highly-scalable, reliable, and low-latency data storage infrastructure. Access to resources within Amazon S3 is controlled through Access Control Lists (ACLs) and query string authentication.

More on Amazon Web Services compliance and security.

Reliability

Your data is backed up daily, weekly, and monthly to ensure your data remains secure and protected.

Data Center Security

Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.

Redundancy

Our platform maintains redundancy to prevent single points of failure, is able to replace failed components, and utilizes multiple data centers designed for resiliency. In the case of an outage, the platform is deployed across multiple data centers using current system images and data is restored from backups.

Disaster Recovery Plan

We have a step-by-step plan in place to take precautions and minimize the effects of a disaster. This enables us to provide consistent operations and quickly resume mission-critical functions.

SOC 2 Type II Audit

NextRequest has successfully completed a SOC 2 Type II audit. This third party audit evaluates our internal controls, policies, and procedures and reports on controls that directly relate to the security, availability, processing integrity, confidentiality, and privacy of our services.

CJIS

NextRequest maps to Criminal Justice Information Services (CJIS) security controls.

Encryption

The NextRequest application uses AES-256 encryption and encrypts all documents at rest. These documents can only be accessed through a valid token which expires. Additionally all data is encrypted at rest and in transit.

Codebase

The NextRequest codebase is built on the latest version of Ruby and Ruby on Rails, one of the most common and well documented modern web development languages and frameworks. Ruby and Ruby on Rails provide robust internal tools to mitigate common attack patterns such as SQL injection and cross site scripting (XSS). NextRequest follows regular updates for security vulnerabilities and updates the codebase as appropriate.

NextRequest employs Github (owned by Microsoft) to securely manage all code that comprises the production platform. Github/Microsoft provides collaboration, distributed revision control, and source code management functions. NextRequest uses an agile development process with frequent, incremental testing and changes, rather than large-scale infrequent releases.

NextRequest uses GitHub/Microsoft and makes changes to its repositories via GitHub Pull Requests (PRs). All code is tested in a development environment prior to deployment to the production platform. Code changes are peer reviewed and approved. Logs of changes are stored in Github /Microsoft, with the ability to revert to prior versions easily.

HTTPS & SSL

All web requests between web clients and NextRequest are secured by TLS (Transport Layer Security) version 1.2. TLS is an industry standard that is used by millions of websites to secure web transactions.

Monitoring

NextRequest contains several layers of monitoring at the application level. NextRequest uses two services for monitoring performance and error tracking. Errors are logged within the application and NextRequest administrators are immediately notified when errors do occur. Standard application logs are collected daily and weekly. Individual user access is logged within the application and kept in application logs.

System status reports are available 24/7 here.

Auditing & Scanning

Our codebase and all dependencies are scanned for vulnerabilities every time we make changes. Additionally we perform weekly automated vulnerability scans of every part of our application which includes checks for SQL injection, XSS, and other common attack vectors. Logs are secured and archived for one year.

PCI Payment Processing

All payments are processed through Stripe, a PCI Level 1 Service Provider. NextRequest does NOT store customer credit card information on our servers.

Data Deletion/Destruction

At the request of a customer, we will expunge all customer data from NextRequest servers.

Confidentiality Agreements

All employee contracts include a confidentiality agreement.

Background Checks

All NextRequest employees undergo comprehensive background checks.

Real Time Security Updates

NextRequest's architecture allows security updates to be made to all customers in real time, preventing delays in the patching of security vulnerabilities.

Code Access

Access to the NextRequest codebase is limited to NextRequest employees. Employees must authenticate before accessing or changing any code within the codebase. Any changes to the production or development environment are logged. These logs include a timestamp and the user name of the person making the change.

Individual Computers

All individual computers are password protected. Individuals must encrypt all the data on their individual computers. Any lost or stolen computers are reported immediately. All employees are required to use two-factor authentication.

Application Access

Access to NextRequest is limited to administrators and members of the development team. Access to the NextRequest application or the underlying database is logged by user name and the time of the access.

Database Access Controls

Access to the NextRequest production database and backups is limited to NextRequest developers. Each developer has unique login credentials and access to the database is logged in the database log files.

Individual NextRequest users interact with the database at the application level where access is controlled through role-based permissions. Any interactions with the database happen through common web forms within the application.

User Authentication

Users accessing the system must authenticate through a standard user name/password challenge. All user passwords are encrypted at rest. Randomly generated tokens that expire are used for password resets. Additionally, user access is controlled at the application level by the use of application roles. Each user is assigned a specific role, which is used to allow read, edit, delete access to actions within NextRequest.

Two-Factor Authentication

Two-factor authentication can be turned on by application administrators to improve security at the user level.

Single Sign-On (SSO)

NextRequest can add SSO integrations including Active Directory and OAuth to improve password security and access controls across the enterprise organization.

Password
Complexity
Standards

Password strength is tested at creation and common passwords as well as passwords below the length limit are denied.  Additionally multiple incorrect authentication attempts result in the account being locked.

We enforce strong passwords based on the NIST 800-63B guidelines.

Where is your data hosted?

In the United States. (See "Infrastructure: Application Security" section for details)

Do you support "Fortress Security"?

This is an invented marketing term that another company uses to summarize their capabilities. This term does not signify accreditation by any regulatory institution.

Is open source
software less secure?

No. Almost every web application uses at least some amount of open source code, including those built by banks, the federal government, and major software companies. For example Microsoft's core language and framework .NET is open source and has been since 2007.
‍
Also see U.S. Federal CIO memorandum on open source software https://sourcecode.cio.gov/