SOC 2 compliance is a component of the American Institute of CPAs' (AICPA) Service Organization Control reporting platform.
Application Security
Our web application architecture and API implementation follows OWASP guidelines.
Application actions have unique permissions that are evaluated based on context such as the user and roles.
We support Single Sign-On (SSO) via Auth0. New SSO users can be automatically provisioned with RBAC support.
Secrets and API tokens are stored encrypted at rest.
A risk assessment is performed annually.
An incident response plan is in place to trace issues to their resolution and to perform post-incident reviews.
Data Security
All data transmissions are protected with TLS (HTTPS) encryption and HSTS.
Customer information is encrypted during transit.
Data is stored and managed by AWS, with fully encrypted database backups performed every 1 hour.
Access to systems is authorized on a need-to-know basis and follows the principle of least privilege.
Access to production AWS is restricted to a few key employees, controlled through a secure identity provider (IdP), and protected by two-factor authentication (FIDO U2F security keys).
Customer data can be requested and erased from Resourcely in accordance with the Terms of Service and Privacy Policy after the termination of the contract.
Software Development Life Cycle
Application code changes require mandatory review and at least one approval.
Architecture and sensitive code undergo periodic security reviews.
The production environment is separate from the development, testing, and staging environments.
Customer data stays within the production environment.
Infrastructure
Our production infrastructure is designed with redundancy measures, such as failover, content delivery networks, load balancing, and standby replicas, to ensure seamless and uninterrupted operations.
We have a comprehensive Business Continuity Plan and Disaster Recovery Plan that undergoes an annual review to ensure our ability to respond to unforeseen events and minimize disruptions to our business.
We use a third-party service to monitor performance and system health, enabling us to detect and address issues promptly.
Security Policies
New employees undergo a thorough background check as part of the hiring process to ensure they have a clean record.
Regular security awareness training is provided to all new hires to identify and prevent potential security threats.
Employee workstations are managed remotely using a secure MDM solution to minimize security risks and ensure all software is up-to-date and correctly configured.
Disk encryption technology is used on all employee workstations to provide an extra layer of protection for sensitive data, and remote wipe capability is available to erase a lost or stolen device.
Responsible Disclosure
We take security seriously at Resourcely and are committed to ensuring the safety and privacy of our users and their data.
If you discover a security vulnerability in our system, please report it to us as soon as possible by emailing our security team at security@resourcely.io with details of the vulnerability and any supporting information you have.
We will make every effort to respond to your email as quickly as possible and keep you informed throughout the process of resolving the issue.