Reputation Security Posture
Reputation places a very high importance on the security of our organization and customer data. Below please find an outline of the organizational and technical measures that Reputation undertakes to protect customer data from unauthorized access or disclosure.
Reputation subscribes to least privilege access as a part of our access control and conduct quarterly audits of our accounts to validate this control. Physical access to Reputation locations are controlled by card access readers, monitored by security cameras and all guest access is logged and monitored.
All offers of employment at Reputation are contingent on the completion of a background screening and reference check. Employees and contractors all sign a confidentiality agreement.
Business Continuity and Disaster Recovery
We have a full Business Continuity Plan as well as a Disaster Recovery Plan. We maintain separate regions in our public cloud that are used for the purpose of disaster recovery with a full synchronization of platform data baked in. The regions are also separated between the United States and well as the EU region to ensure compliance with GDPR. With this separation, no data will ever leave the geographical region a customer has been assigned per their contract.
Reputation is SOC2 Type II compliant and ISO 27001 certified as attested by a third-party auditor and is HIPAA compliant to ensure all customer PII and PHI are properly handled. Reputation will share the latest SOC2 Type II report, ISO 27001 Certificate and our HIPAA Business Associates Agreement upon request and under NDA. Our public cloud provider, Google Cloud Platform adheres to the highest security standards. You may review the Google Cloud Platform security certifications here.
We maintain stringent datastore specifications for customer data and all customer data is encrypted at rest using the AES symmetric block cipher and data is encrypted in transit using TLS. We do not disclose or sell the data and PII that you provide to Reputation about your customers. We use the data you provide us about your customers only to provide your services and for no other purpose.
The Federal Trade Commission’s Safeguards Rule under the Gramm-Leach-Bliley Act applies to certain customers that provide or facilitate financial services, including auto dealerships (“Covered Entities”). The Safeguards Rule requires Covered Entities to select service providers that have measures in place to keep their customer information secure. As outlined in this Security Posture, Reputation has implemented robust measures to safeguard all customer data.
Reputation has a strong commitment to your privacy. We have a dedicated privacy section on our website which can be reviewed here: Privacy Notice
Reputation maintains a formal incident response plan which defines the individuals responsible for responding to an incident, the responsibilities of those individuals during each phase of the incident response process.
Monitoring and Alerting
Monitoring tools and services are employed to monitor our infrastructure and application on a continuous basis for anomalous behavior and attacks.
We securely encrypt your passwords. Passwords are one-way encrypted using the bcrypt algorithm, with a random salt for each password. This means that only the original creator of the password knows its value. This type of encryption is extraordinarily difficult to break. When passwords must be retrieved, public/private key encryption is used, with a key length of 4096 or greater. Access and retention of passwords are strongly controlled and logged.
Penetration tests are conducted by an independent third-party assessor at least annually. Reputation will share the latest Penetration Test report upon request and under NDA.
Security Awareness Training
All employees undergo training on security in the workplace as well as HIPAA training. Awareness education on security and data privacy topics are provided to employees on an ongoing basis. Employees must also renew the completion of Security Awareness training modules annually as well as adhere to our information security policies including our Information Security Policy as well as our Data Security Policy and Customer Confidentiality Policy.
We deploy the latest in threat detection/threat protection and monitor our infrastructure and application on a continuous basis for anomalous behavior and attacks. Additionally we have baked security into the SDLC and perform Application Security Testing on our code.