Security at Readz
Customer trust and data security are critical to everything we do at Readz.
Why Your Security is Our Top Priority
A key reason enterprise communications have lagged behind consumer communications is a lack of enterprise readiness by vendors on issues like privacy, security, and authentication.
That’s why the Readz platform is built on a robust security architecture that provides you with the control you need to secure your users, content, and digital experiences. Security is a top priority.
1. Information Security Program
At Readz, we take security seriously. We map our security program to industry standards such as ISO 27001 (certification process in progress) and the CIS Critical Security Controls. We are constantly looking for ways to not only improve security for our product but also how we conduct business on a daily basis.
Being a widely distributed team brings its own set of challenges, which is why we ensure that every employee understands the role they play in securing Readz. We also use tools to help us enforce compliance with our internal security policies.
While we believe that security is everyone’s responsibility, our program is led by the Senior Information Security Manager.
Below is an overview of the key features of the Readz architecture and the security controls around hosting, authentication, and content distribution.
Compliance
Recurly, our payment processor for clients paying by credit card, is PCI-DSS Level 1 compliant, the highest PCI-DSS compliance level. Cardholder data is sent directly to Recurly, which minimizes the risk to your business; Readz never has access to raw payment details. Recurly meets and exceeds all industry-standard payment security practices to protect you and your customers.
Legal
Terms of Service
Global Privacy Policy
2. Internal Security Measures
Policies
Readz has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Employee Vetting
Readz performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.
Identity and Access Management
Employees have unique logins for all business-critical systems and two-factor authentication is enforced wherever possible. We conduct regular access audits and operate on the principle of least privilege.
Hardware Security
All employee laptops are managed, have encrypted hard drives and are monitored with antivirus software.
Security Training
All employees complete Security and Awareness training annually. The importance of data security is regularly reiterated in team-wide meetings throughout the year.
Confidentiality
All employee contracts include a confidentiality agreement.
3. Network and Application Security
Data Center Security
- The Readz infrastructure is managed via Amazon Web Services' ISO 27001 certified data centers (AWS EC2 and S3) in the USA and Europe, giving us the benefits AWS provides its customers, such as physical security, redundancy, scalability, and key management across multiple regions and availability zones.
- All database servers are isolated inside virtual private networks, and accessible only by key personnel.
- All access to production environments is logged, and access can be immediately revoked.
AWS EC2 data centers utilize electronic surveillance and multi-factor access control systems. Data centers are staffed 24x7 by trained security guards, and access is authorized strictly on a least-privilege basis. Environmental systems are designed to minimize the impact of disruptions to operations, and multiple geographic regions and Availability Zones allow you to remain resilient in the face of most failure modes, including natural disasters or system failures.
In addition to what AWS provides, the Readz application has the following built-in security features:
- SSO capabilities with SAML2.0
- Role-based permissions
- Free SSL certificate
- Backups
Once published, all digital publications, media, and other assets are distributed on a global CDN (Akamai or KeyCDN). The CDN delivers web data to a user from the node nearest their geographic location, and it mirrors the data held on the Amazon virtual servers.
For example, if someone in Sydney, Australia opens your project, they receive the data from a local node rather than connecting to an overseas server.
Beyond protecting your Readz account, AWS and KeyCDN provide further security features, including:
- CSRF (Cross-Site Request Forgery) validation
- AWS WAF
- Secure Token (signed, expiring URLs)
- HTTP Strict Transport Security
- CORS (Cross-Origin Resource Sharing)
- Shared and custom SSL/TLS certificates
Protection from Data Loss and Corruption
- All data operations are mirrored to a redundant secondary database.
- All data is backed up on a daily basis, and stored on highly-redundant storage media in multiple availability zones.
- All data is encrypted at rest using Amazon’s EBS encryption functionality.
Access and Authentication
- All applications are served exclusively via TLS with a modern configuration.
- All login pages have brute-force logging and protection.
- For your digital publications and microsites, we offer multiple authentication options so that you can control who reaches private content:
  - No Authentication - Anyone with the URL can access the page
  - Single Sign-On (SAML 2.0) Authentication, optional for enterprise clients - Visitors must authenticate through an identity provider configured by the customer
  - Email Authentication - This token-based method restricts page access to an allowlist of email domains and addresses that you configure. Visitors must authenticate through a secure link they receive at their email address
  - Gated access with a lead form - Not an access control, since nothing about the visitor is verified; it is good enough to capture the email address of a user accessing content
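To make the email (magic-link) option concrete, here is an added illustration of how such a token-based scheme works; it is not Readz's code, and the allowlist, project name, key and field names are constructed for the example. The points a practitioner cares about are all present: the address is checked against the allowlist before a link is issued and again when it is used, the token is HMAC-signed so it cannot be forged or edited, it is bound to one project, it expires, and a nonce lets the server reject a replayed link.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed allowlist standing in for the domains and addresses a customer
# would configure for a private project.
ALLOWLIST = {"domains": {"example.com"}, "addresses": {"partner@contractor.org"}}


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def email_allowed(email: str, allow: dict = ALLOWLIST) -> bool:
    """True if the address itself, or its domain, is on the customer's allowlist."""
    email = email.strip().lower()
    if email.count("@") != 1:
        return False
    domain = email.split("@", 1)[1]
    return email in allow["addresses"] or domain in allow["domains"]


def issue_token(email: str, project: str, key: bytes, now=None, ttl: int = 900) -> str:
    """Mint the token embedded in the emailed link: HMAC-signed, bound to one project,
    expiring after `ttl` seconds and carrying a random nonce so it can be used once."""
    email = email.strip().lower()
    if not email_allowed(email):
        raise ValueError("address is not on the allowlist")
    now = time.time() if now is None else now
    payload = {"e": email, "p": project, "exp": int(now + ttl), "n": secrets.token_hex(8)}
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return (body + b"." + _b64e(sig)).decode()


def verify_token(token: str, project: str, key: bytes, used: set, now=None):
    """Return the authenticated email address, or None if the token is rejected.
    `used` is the server-side store of consumed nonces (a set here, a database in practice)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.encode().split(b".", 1)
        # Verify the signature before trusting a single byte of the payload.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        payload = json.loads(_b64d(body))
        email, nonce = payload["e"], payload["n"]
    except (ValueError, KeyError, TypeError):
        return None
    if payload.get("p") != project:      # token minted for a different project
        return None
    if payload.get("exp", 0) <= now:     # link has expired
        return None
    if not email_allowed(email):         # allowlist may have changed since issue
        return None
    if nonce in used:                    # replay of an already-consumed link
        return None
    used.add(nonce)
    return email


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # per-deployment signing key, kept server-side
    consumed = set()
    token = issue_token("alice@example.com", "proj-1", key)
    print("https://pub.example.com/p/proj-1?t=" + token)   # hypothetical link format
    print(verify_token(token, "proj-1", key, consumed))    # alice@example.com
    print(verify_token(token, "proj-1", key, consumed))    # None: second use is a replay
```

The signature is checked with a constant-time compare before the payload is parsed, so a forged body never reaches the JSON or allowlist logic, and the nonce store is what turns "a link they receive in their email" into a single-use credential rather than a reusable URL.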
SAML 2.0 Single Sign-On
Enterprise customers may integrate their company's identity provider with their Readz plan using SAML 2.0, an open standard for exchanging authentication and authorization data between parties. With SAML, the customer's identity provider, not Readz, decides who a user is. It can be used to give the right people access to private projects, and to provide single sign-on so that users can conveniently reach the Readz design studio in a secured environment.
Customer Data and Privacy
Readz stores the following customer data in its cloud:
- Names
- Usernames and email addresses
- Billing email and address, payment history and invoices (credit card data itself is stored and processed only by Recurly)
- Phone number (optional)
- Company (optional)
- Location (city, country)
- Job title (optional)
- Personal website (optional)
We use Google for product analytics. We track only enough data to segment users into product cohorts for internal optimization efforts.
We recommend that customers who need to comply with HIPAA integrate a third-party form provider rather than use a Readz form.
For more information, please contact security@readz.com.
Encryption
All application interaction is encrypted with TLS to protect PII and non-public data from unauthorized access. We run a zero-trust corporate network: being on the Readz network grants no access to corporate resources and no additional privileges.
All communication between Readz users and the Readz-provided web application is encrypted in transit.
Password and Credential Storage
Readz enforces a password complexity standard, and credentials are stored in our database as salted hashes computed with bcrypt, an adaptive password-hashing function. We follow NIST's current best practices for passwords and password complexity.
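To make the password-storage and NIST-policy statement concrete, here is an added illustration that is not Readz's code. Readz states it uses bcrypt; this example uses scrypt from Python's standard library so it runs without third-party packages, but the pattern is the same: a random per-user salt, a deliberately slow memory-hard function whose cost parameters are stored beside the hash, and a constant-time comparison. The policy checks follow NIST SP 800-63B (length rather than composition rules, Unicode normalisation, screening against a breached-password list); the blocklist and cost parameters are constructed for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample of a breached / commonly used password list. A real deployment
# screens against a large corpus (e.g. a breach dataset), which is what SP 800-63B
# asks for instead of character-class composition rules.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}
MIN_LEN, MAX_LEN = 8, 64

# scrypt cost parameters are recorded with each hash so they can be raised later
# without invalidating existing records. Memory use is 128 * r * n bytes (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def check_password(pw: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.
    SP 800-63B: length is the main control, any printable Unicode is allowed (normalised
    first), no composition rules, but known-bad and context-specific passwords are rejected."""
    pw = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short")
    if len(pw) > MAX_LEN:
        problems.append("too long")
    if pw.lower() in BLOCKLIST:
        problems.append("commonly used or breached")
    if username and username.lower() in pw.lower():
        problems.append("contains username")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    return problems


def hash_password(pw: str) -> str:
    """Salted, memory-hard hash; the record is self-describing so parameters can evolve."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(unicodedata.normalize("NFKC", pw).encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), dk.hex()])


def verify_password(pw: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time.
    Malformed records are rejected rather than raising, so a corrupt row cannot
    leak a stack trace or be mistaken for a match."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = record.split("$")
        if scheme != "scrypt":
            return False
        dk = hashlib.scrypt(unicodedata.normalize("NFKC", pw).encode(),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    except ValueError:
        return False
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    candidate = "correct horse battery staple"
    print(check_password(candidate, username="alice"))   # []
    rec = hash_password(candidate)
    print(rec[:40] + "...")
    print(verify_password(candidate, rec), verify_password("wrong", rec))   # True False
```

Two things the code shows that the sentence above does not: the hash record carries its own cost parameters, so a future increase in work factor only affects new hashes and old ones can be re-hashed at next login; and the comparison goes through hmac.compare_digest so that a leaked timing difference cannot be used to recover the stored digest byte by byte.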
Data Retention
Customers can request a copy of all of their data, or have it deleted, by emailing support@readz.com, provided the data is not subject to a legal hold or investigation.
Once an account or project is deleted, all associated data (account settings, etc.) is removed from the system within 30 days. This action is irreversible.
Access to Data
Customer data is limited to only those with roles that require access to perform their job duties. An example of this is our Support team.
Third-Party Sub-processors
At Readz, we use third-party service providers to help with analytics, payments, sending transactional emails, and hosting our service.
All third-party services undergo a due diligence check to ensure your data stays secure. The data provided to these services is limited to the minimum required for them to perform their processing duties.
Failover and Backups
Readz was built with disaster recovery in mind. We maintain 30 days of backups for point-in-time recovery.
Monitoring
Our backend infrastructure is hosted in AWS and is fully monitored to detect any downtime. All API access to and configuration changes in our AWS infrastructure are logged with AWS CloudTrail.
Uptime
We have greater than 99.9% uptime.
Penetration Testing (Pentest)
Security experts regularly perform detailed penetration tests on the Readz application and infrastructure.
Responsible Disclosure
If you believe you have discovered a vulnerability in Readz's application, please submit a report to us by emailing security@readz.com.
If you believe your account has been compromised, or you are seeing suspicious activity on your account, please report it to security@readz.com.
4. Additional Information
Hosting on Readz
https://www.readz.com/hosting-on-readz
Amazon AWS
https://aws.amazon.com/security/
https://aws.amazon.com/dynamodb/sla/
CDN and Compliance
Using a Secure CDN to Accelerate Your Content
https://www.akamai.com/uk/en/about/compliance/