Overview

Our highest priority at Rosterfy is keeping our customers' data, and that of their users protected at all times. This security overview provides a top-level summary of the security processes and practices put in place to achieve that objective. Our security team can be reached at security@rosterfy.com with any questions or comments.

Infrastructure

Cloud infrastructure

Amazon Web Services provides all computing services. All infrastructure including but not limited to physical servers, cloud servers, database providers, load balancers and security infrastructure is managed and provided by Amazon. We operate in different geographical regions to maintain data sovereignty rights where required including in Australia, Germany, the UK, and USA. Our service is built on the services provided by AWS. They provide strong security measures to protect our infrastructure. Their security information can be found here.

Service Providers

Rosterfy delivers its service using a number of 3rd party service providers. These service providers offer their features through different integrations. Each integration has protection in place to ensure data is secured when in transit between systems. IP filtering, rotating tokens and consumer secrets are all methods used to ensure secure service delivery 

Network level security monitoring and protection

Our network security architecture consists of multiple security zones. We monitor and protect our network, to make sure no unauthorized access is performed using:

• A virtual private cloud (VPC), with private / public subnet segmentation with network access control lists (ACL’s) and no public IP addresses.

• Strong data encryption for storage (production and backup) and in transmission

• Firewall for monitoring and controlling inbound/outbound network traffic.

• IP address and port filtering

• Multiple security checkpoints to access network including private key pairs, multi factor authentication and password control

Data encryption

Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS). You can see our SSLLabs report here Encryption at rest: All our user data is encrypted using battled-proofed encryption algorithms in the database. 

Data retention and removal

Every user can self delete their data from the Rosterfy platform. Once a customer license expires, all data related to that customer will be deleted securely. Read more about our privacy settings at rosterfy.com/privacy-policy.

Business continuity and disaster recovery

We back up all our critical information assets regularly. All our backups are encrypted and securely stored. As a risk mitigation strategy we also regularly restore data and services from backups to be able to response if a disaster was to strike.

Application security monitoring

• We use technologies to monitor exceptions, logs and detect anomalies in our applications.
• We collect and store logs to provide an audit trail of our applications activity.
• File integrity management systems for monitoring changes to network systems and containers
• Dynamic host scanning for vulnerabilities and unauthorized access to host networks and underlying systems.

Secure development

We develop following security best practices and frameworks (OWASP Top 10, SANS Top 25). We use the following best practices to ensure the highest level of security in our software:

• Developers participate in regular security training to learn about common vulnerabilities and threats
• Automated testing pipeline for code quality, security, functionality and API testing
• We regularly update our dependencies and make sure none of them has known vulnerabilities
• Regular penetration testing by 3rd party providers
• Quality control gates across multiple development environments to ensure production environments have reliable, stable, secure code bases.
• Full time employees develop, test and manage all code. Contractors are not used or given access to the Rosterfy platform or code base.

User protection

Single sign-on

Federated Single sign-on (SSO) is offered for our enterprise customers through SAML2.0 authentication. Google and Facebook Single sign-on (SSO) is also available to workforce users to login to their portal.

Multi Factor Authentication

Time-based One-time Passwords are available for all users of the Rosterfy platform to implement two-factor authentication on all devices they login from

Role-based access control

Role-based access control (RBAC) is offered on all our accounts and allows our users to define roles and permissions.

Entity-based access control

Entity-based access control is offered on all our accounts and allows our users to define boundaries for users to access segmented records within the same entity.

Compliance

GDPR

We’re compliant to the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply to GDPR.

Payment information

All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We don’t collect any payment information and are therefore not subject to PCI obligations. 

Employee access

Our strict internal procedure prevents any employee or administrator from gaining access to user data. Limited exceptions can be made for customer support where data does not cross borders. All our employees that do have limited access to customer data are background checked before beginning employment. Auditing and logging of all employee actions within our platforms is maintained for transparency.