Updated: 24 May 2018
At Rigor we take data security seriously and work to ensure that the data you provide is secure. We partner with leading cloud providers to keep your information private, available, and unaltered, and we maintain administrative, physical, and technical safeguards, to the extent possible, to protect the security, confidentiality, and integrity of your data.
The Rigor application infrastructure is hosted in the cloud with these providers, so your checks will still run and your data remains available even if our office is not. The security standards and certifications held by the providers we use are listed below:
- SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70)
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- CSM Levels 1-5
- PCI DSS Level 1
- ISO 9001
- ISO 27001
- ISO 27002
- Safe Harbor Content Protection and Security Standard
System and Network Security
We regularly engage third parties to test the security of our network and applications, and we work quickly to implement any needed fixes to bolster the safeguards and processes we have in place. We also take steps to ensure that traffic between you and our systems, as well as traffic within our infrastructure, is protected. All network traffic is encrypted with TLS (HTTPS), the standard encrypted transport on the Internet. Internal infrastructure is isolated and segmented with firewalls and network access control lists (ACLs). By default all access is denied, and only explicitly allowed ports are exposed. Persistence and storage layers are protected by strict firewall rules that limit incoming traffic to the systems that need to reach them.
Application Security and Restricted Access
All pages in the web application are served over TLS (HTTPS) with certificates issued by known, publicly trusted Certificate Authorities. This applies on both public and private networks. Access to your account is limited to members of your team, using credentials that they create and maintain. We have strict access limitations on our internal systems: only certain members of the Rigor team have access, and they are required to use multi-factor authentication on every system that supports it.
Additional measures protect users and accounts: user credentials are transmitted only over encrypted connections, and passwords are hashed with scrypt, a memory-hard password hashing function, rather than stored directly. Access is further limited by permissions granted according to assigned user roles. Rigor also runs automated static analysis security scans on every change to application source code, so any change that violates our security standards is flagged immediately.
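To make the credential-handling point above concrete, the following is an added example written for this page; it is not Rigor's own implementation and the page does not describe Rigor's code. It stores passwords as salted scrypt hashes using only Python's standard library, verifies them in constant time, rejects malformed records instead of raising, and upgrades records made with weaker work factors at the next successful login. The record format (`scrypt$n$r$p$salt$hash`), the parameter values and every function name here are assumptions for the example.

```python
"""Salted scrypt password storage and verification.

Added example for this page, not Rigor's code. The record format
"scrypt$n$r$p$salt$hash" and the work-factor values are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Current work factors (assumed values, not from the page). n must be a power
# of two; scrypt needs roughly 128 * r * n bytes, so n=2**14, r=8 is ~16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32
MAX_MEM = 64 * 1024 * 1024  # memory ceiling handed to OpenSSL's scrypt


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAX_MEM, dklen=KEY_BYTES)


def _b64e(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Return a self-describing record with a fresh random salt per password.

    Storing n, r, p alongside the hash lets the work factor be raised later
    without invalidating existing records."""
    salt = secrets.token_bytes(SALT_BYTES)
    key = _derive(password, salt, n, r, p)
    return f"scrypt${n}${r}${p}${_b64e(salt)}${_b64e(key)}"


def _parse(record: str) -> Optional[Tuple[int, int, int, bytes, bytes]]:
    """Split a stored record; return None for anything malformed."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt, key = (base64.b64decode(x, validate=True) for x in parts[4:6])
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return None
    # n must be a power of two >= 2; refuse records with impossible parameters.
    if n < 2 or n & (n - 1) or r < 1 or p < 1:
        return None
    if len(salt) != SALT_BYTES or len(key) != KEY_BYTES:
        return None
    return n, r, p, salt, key


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.
    A malformed record verifies as False rather than raising."""
    parsed = _parse(record)
    if parsed is None:
        return False
    n, r, p, salt, key = parsed
    return hmac.compare_digest(_derive(password, salt, n, r, p), key)


def needs_rehash(record: str) -> bool:
    """True when a record uses weaker-than-current work factors (or is
    unreadable), so it can be upgraded transparently at the next login."""
    parsed = _parse(record)
    if parsed is None:
        return True
    n, r, p, _salt, _key = parsed
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


def login(password: str, record: str) -> Tuple[bool, str]:
    """Typical login flow: verify first, then upgrade the stored record
    only after a successful check (the plaintext is in hand only then)."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(login("correct horse battery staple", rec)[0])
    print(login("Tr0ub4dor&3", rec)[0])
```

The per-record parameters are what make a later increase of `SCRYPT_N` safe: old records still verify with the values they were created with, `needs_rehash` reports them as weak, and `login` replaces them once the user has proved the password. Treating every parse failure as a failed verification (never an exception) keeps a corrupted row from turning into an error path that leaks which accounts exist.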
Data Collection and Retention
Rigor monitors and analyzes the performance characteristics of public network and web systems or systems granted access by whitelisting; accordingly, anyone with a web browser and a basic computer would be able to collect the same information that Rigor collects. Any confidential information that Rigor collects is provided solely at the initiative of the user in connection with the checks the user configures themselves. Users remain in control of this data and can edit, modify, or delete it at any time.
Rigor only collects and stores information that you provide to us or submit so that we can gather and process it in the course of our services. Depending on how you use Rigor, this may include:
- performance characteristics of network/web services (timing information, network accessibility information, etc.);
- requests sent to, and responses received from, those network services;
- screenshots of web properties; and/or
- performance test configuration information.
This data is provided by the customer and could contain credentials, for example when a check logs in to a site. Tests are configurable, and the configuration supplied for running them is controlled by the user. Rigor staff may access customer data to troubleshoot bugs and reproduce problems; for that reason, credentials used in checks should be dedicated, least-privilege test accounts rather than production user accounts. You maintain control over this data at all times and can add or delete user information or information specific to the Rigor checks you configure.
If you choose to stop using Rigor, your data remains protected until it is deleted. After your account has been closed, all data in the account may be permanently deleted from our systems within a reasonable time period, as permitted by law, and we will disable your access to any other Rigor services. It is your responsibility to export the data you need, or to request it, within 30 days of cancelling services. We will respond to any such request, and to any appropriate request to access, correct, update, or delete your personal information, within the time period specified by law (if applicable) or without unreasonable delay. We will promptly fulfill requests to delete personal data unless the request is not technically feasible or the data is required to be retained by law (in which case we will block access to the data, if required by law).
Rigor's maximum storage and retention guidelines are as follows:
- Detailed performance metrics: 180 days
- Aggregate performance data (min, max, average, median, 95th and 99th percentile, etc., of performance metrics): two years
- Test configuration information: up to one year after an account is no longer active
List of Sub-Processors
Sub-Processors are any entities that process personal data on behalf of Rigor. Processing includes the collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of any information relating to (i) an identified or identifiable person and (ii) an identified or identifiable legal entity, where such information is protected similarly to personal data or personally identifiable information and is submitted to Rigor as customer data.
The list of Rigor Sub-Processors is as follows:
- Amazon Web Services
- Enter Cloud Suite
- Redis Labs
- Google “Office” Suite and Drive
- Google Analytics
- Scout App