Security Statement
1. Introduction
This Security Statement applies to the platform, products, services, websites and applications offered by Rattlehub Digital Ltd, Rattlehub Digital (Pty) Ltd and their affiliates (collectively “Rattlehub Digital”), which are branded as “permyssion”, “Advisor Console” and “Estate Console”, except where otherwise noted. We refer to this platform and these products, services, websites and apps collectively as the “services” in this Security Statement, which also forms part of the User Agreements for Rattlehub Digital customers.
2. Security Policies
Rattlehub Digital maintains its information security policies and reviews and updates them on an ongoing basis. Employees must acknowledge these policies on an ongoing basis and undergo additional training, such as secure coding practices, job-specific security and skills development, and/or privacy law training, as appropriate to their job function. The training schedule is designed to adhere to all regulations applicable to Rattlehub Digital.
3. Physical Security and Compliance
Rattlehub Digital’s information systems and technical infrastructure are hosted within world-class data centers that are independently audited against SOC 2. Physical security controls at these data centers include 24x7 monitoring, cameras, visitor logs and entry requirements.
Rattlehub Digital’s platform infrastructure is built to comply with the Payment Card Industry’s Data Security Standards (PCI DSS 3.2).
4. Access Control
Access to Rattlehub Digital’s technology infrastructure is only permitted through authenticated access controls. Our production password policy requires complexity, expiration and lockout, and disallows password reuse. Rattlehub Digital grants access on an as-needed basis, reviews permissions monthly, and revokes access within 8 hours of employee termination.
Rattlehub Digital communicates its information security policies to all personnel, requires acknowledgement of adherence to our security policies on a monthly basis, requires new employees to sign non-disclosure agreements, and provides ongoing privacy and security training.
6. Threat Detection Management and Penetration Testing
Rattlehub Digital strives to make use of platform as a service (PaaS) offerings from its cloud partner as far as possible, which shifts responsibility for operating-system and platform updates and patches to the cloud partner, who manages them. If and when virtualized servers are required, critical patches are applied on a priority basis and all other patches are applied as appropriate.
Rattlehub Digital conducts regular internal penetration testing, and external penetration testing when required, and takes appropriate remediating action on the findings.
Rattlehub Digital makes use of advanced analytics and the Microsoft Intelligent Security Graph to get an edge over evolving cyber-attacks. We leverage built-in behavioral analytics and machine learning to identify attacks and zero-day exploits, continuously monitor networks, machines and cloud services for incoming attacks and post-breach activity, and streamline investigation with interactive tools and contextual threat intelligence.
Rattlehub Digital infrastructure encrypts all data in transit using secure cryptographic protocols. All sensitive data which is regulated under data privacy laws and regulation is encrypted at rest.
The encryption keys are never revealed to the database engine. This follows from a strict design principle that purposefully separates those who own the data (and can view it) from those who manage the data (and should have no access to its contents): data is encrypted and decrypted on the application side under keys the database engine never holds, so an operator with full access to the database engine sees only ciphertext.
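The separation described above is what application-layer encryption gives you: the database engine stores and returns opaque blobs and the key lives only with the party that owns the data. The following is an added illustration written for this page, not code from Rattlehub Digital or its platform; it assumes AES-256-GCM for the record encryption and stands in an in-memory map for the database engine. The row identifier is bound to the ciphertext as associated data so that a database administrator who copies one row's blob into another row, or flips a bit in storage, gets a decryption failure rather than silently wrong data. The sample record is constructed (a well-known test card number), not real customer data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Store stands in for the database engine: it holds ciphertext blobs keyed by row id
// and never sees an encryption key. (Hypothetical in-memory model, not a real database.)
type Store struct{ rows map[string][]byte }

func NewStore() *Store { return &Store{rows: map[string][]byte{}} }

func (s *Store) Put(id string, blob []byte) { s.rows[id] = append([]byte(nil), blob...) }

func (s *Store) Get(id string) ([]byte, bool) { b, ok := s.rows[id]; return b, ok }

// Owner is the application-side party that holds the data-encryption key.
type Owner struct{ aead cipher.AEAD }

func NewOwner(key []byte) (*Owner, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Owner{aead: aead}, nil
}

// Seal encrypts a record under the owner's key. The row id is passed as additional
// authenticated data, so the blob only opens when presented under the same id.
// Output layout: nonce || ciphertext || GCM tag.
func (o *Owner) Seal(id string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, o.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return o.aead.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// Open decrypts a blob fetched for row id; any change to the blob or a mismatched id fails.
func (o *Owner) Open(id string, blob []byte) ([]byte, error) {
	n := o.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short to contain a nonce")
	}
	return o.aead.Open(nil, blob[:n], blob[n:], []byte(id))
}

// EngineCanReadPlaintext models what a database operator without the key can learn:
// it checks whether the stored bytes contain the plaintext at all.
func EngineCanReadPlaintext(s *Store, id string, plaintext []byte) bool {
	blob, ok := s.Get(id)
	return ok && bytes.Contains(blob, plaintext)
}

// DemoResult collects the outcomes of the walkthrough so they can be checked.
type DemoResult struct {
	EngineSeesPlaintext bool   // should be false
	Recovered           string // plaintext read back by the key owner
	SwapRejected        bool   // blob moved to another row must not open
	TamperRejected      bool   // bit flip in storage must not open
}

func RunDemo() (DemoResult, error) {
	var r DemoResult
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return r, err
	}
	owner, err := NewOwner(key)
	if err != nil {
		return r, err
	}
	store := NewStore()
	secret := []byte("card=4111111111111111") // constructed sample record, a public test number
	blob, err := owner.Seal("profile/42", secret)
	if err != nil {
		return r, err
	}
	store.Put("profile/42", blob)

	r.EngineSeesPlaintext = EngineCanReadPlaintext(store, "profile/42", secret)
	stored, _ := store.Get("profile/42")
	pt, err := owner.Open("profile/42", stored)
	if err != nil {
		return r, err
	}
	r.Recovered = string(pt)
	// A database manager copies row 42's blob into row 43: the id binding rejects it.
	_, err = owner.Open("profile/43", stored)
	r.SwapRejected = err != nil
	// A single flipped bit in storage: the GCM tag rejects it.
	tampered := append([]byte(nil), stored...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = owner.Open("profile/42", tampered)
	r.TamperRejected = err != nil
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Two details matter in practice: the nonce must be fresh per record (GCM nonce reuse under one key leaks the XOR of plaintexts and breaks the tag), and the key must be loaded from a key store the database tier cannot read, never stored alongside the blobs; the example generates the key in memory only to stay self-contained.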
8. Development Principles
Our team of highly skilled developers employ secure coding techniques and best practices, focused around the OWASP Top Ten. Developers are formally trained in secure web application development practices and adhere to strict code review practices.
Development, testing, and production environments are separated. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.
9. Logging and Auditing
Rattlehub Digital applications log information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorized Rattlehub Digital personnel. Logs are preserved in accordance with regulatory requirements. We will provide customers with reasonable assistance and access to logs in the event of a security incident impacting their account. All customers have real-time access to audit trail data relating to any activity on data residing within their personal profile.
10. Information Security Incident Management
Rattlehub Digital maintains security incident response policies and procedures covering the initial response, investigation, customer notification (at a minimum as required by applicable law), public communication, and remediation. These policies and related threat detection reports are reviewed monthly and tested annually.
11. Breach Notification
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Rattlehub Digital learns of a security breach, we will notify all affected users so that they can take appropriate protective steps.
Our breach notification procedures are consistent with our obligations under applicable country level, state and federal laws and regulations, as well as any industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.
12. Business Continuity Management
Rattlehub Digital databases are replicated to data centers residing in alternate jurisdictions, which form our disaster recovery infrastructure. Backups are encrypted and stored within the production environment to preserve their confidentiality and integrity. The disaster recovery sites and the backups are tested regularly to ensure availability.
13. Your Responsibilities
Keeping your data secure also requires that you maintain the security of your account by using sufficiently strong passwords and storing them safely. You should also ensure that you have sufficient security on your own systems. Two-factor authentication is compulsory for access to the services. We offer secure transmission of data in transit, but you are responsible for ensuring that your own systems have the latest updates installed as well as the recommended level of anti-virus and malware protection.