– 16 dec. 2022
All of RevMap’s services are hosted in Amazon Web Services (AWS) facilities in Frankfurt.
You can find more information about AWS security practices on their cloud security page.
Data classification RevMap classifies the data they own, use, create, and maintain into the following categories:
Confidential - Customer and personal data
Internal - RevMap-internal operational data that should not be disclosed
Public - For example, the marketing material and content on the website
RevMap uses the AWS-managed data stores Postgres, and S3 to store customer data, including backups. All these AWS services have been configured to use encryption at rest using AES with 256-bit keys.
Secrets and encryption key management
RevMap uses AWS Parameter Store for securely storing and managing secrets that are used by services. RevMap uses AWS Key Management Service (KMS) to encrypt and decrypt these secrets as well as manage all encryption keys in use by RevMap services. Access to secrets and encryption keys are restricted to the services on a least privilege basis and are managed by the RevMap founding team.
Separation of environments
RevMap fully separates and isolates their production, staging, and development networks and environments.
RevMap practices continuous delivery. We have processes and automation in place that allow us to safely and reliably roll out changes to our cloud infrastructure and webbased applications in a rapid fashion. We deploy new changes to production several times a week.
All code changes are requested through pull requests and are subjected to code reviews and approval prior to being merged to the master and production branches.
RevMap uses GitHub. To merge PR into dev at least 1 approval is needed and CI should be green: all tests are passed, all e2e tests are passed, linting and typecheck are passed.
Infrastructure and network security
RevMap requires the use of TLS to secure the transport of data, both on the internal network between services as well as the public network between the RevMap applications and the RevMap cloud infrastructure. RevMap’s TLS configuration uses TLS version 1.3 and the use of strong cipher suites, which supports important security features such as Forward Secrecy.
External attack surface
RevMap only exposes public (web) applications and APIs to the public internet. All other services are only available on the internal network, and accessible by employees using a VPN or single sign-on proxy restricted to the RevMap domain.
Intrusion detection and prevention
RevMap maintains an extensive centralized logging environment in which network, host, and application logs are collected at a central location. RevMap has also enabled detailed audit trails with critical service providers like Google G Suite, GitHub, and AWS (CloudTrail). These logs and audit trails are analyzed by automated systems for security events, anomalous activity, and undesired behavior. These systems will generate events which are monitored around the clock by a security operations center (SOC).
All new hires are required to attend the security awareness training as part of their onboarding. And all employees are required to attend the annual security awareness training. RevMap engineers are required to attend an annual security training designed specifically for engineers.
RevMap maintains an accurate and up-to-date inventory of all its networks, services, servers, and employee devices. Access to customer data Access to RevMap customer data is provided on an explicit need-to-know basis and follows the principle of least privilege. Customer data is audited and monitored by the security team. RevMap employees are only granted access after explicit approval of the respective customer. All RevMap employees have signed a non-disclosure agreement.
Security incident management
RevMap aggregates logs and audit trails from various sources at a central location and uses tools to analyze, monitor and flag anomalous or suspicious activity. RevMap’s internal processes define how alerts are triaged, investigated, and, if needed, escalated. Both customers and non-customers are encouraged to disclose any potential security weaknesses or suspected incidents to RevMap. In case of a serious security incident, RevMap has the expertise to investigate security incidents and resolving them to closure. If needed, RevMap has also access to external subject matter experts.
Backups and disaster recovery
All RevMap customer data is stored redundantly at multiple AWS data centers (availability zones) to ensure availability. RevMap has well-tested backup and restoration procedures in place, which allow for quick recovery in the case of single data center failures and disasters. Customer data is continuously backed up and stored offsite. The restoration of backups are fully tested every quarter to ensure that our processes and tools work as expected.
RevMap exclusively uses Apple MacBook devices. These devices are all centrally managed through the internal mobile device management solution, which allow us to enforce security settings such as full disk encryption, network and application firewall, automatic updates, screen time-outs, and anti-malware solutions. In case employee devices get stolen or lost, data on these devices can be remotely wiped.
Risk management and assessment
RevMap performs a periodic risk analysis and assessment to ensure that our information security policies and practices meet the requirements and applicable regulatory obligations.
Single sign-on (SSO)
RevMap supports single sign-on (SSO). By using the customer’s existing identity management solution, RevMap provides an easy and secure way for companies to manage their team members’ access. RevMap currently supports Google G Suite.
Security vulnerability disclosure
If you would like to disclose a potential security vulnerability or have security concerns about RevMap’s product, please reach out to [email protected]. Please include a description of the security vulnerability, steps to reproduce, and the impact the vulnerability may have.