Security for Raffle Workplace
SOC 2 & ISO27001
At Raffle, we take security and transparency seriously. We apply multiple security measures to protect both our platform and those who use it.
To demonstrate our commitment to strong security, availability, and privacy, we completed SOC 2 Type 2 certification in January 2023, which is your assurance that Raffle continuously upholds the highest standards in these areas. We take security very seriously and show this through our certifications.
On top of SOC 2 Type 2, we will be finalizing our ISO27001 certification in 2023, displaying our commitment to the highest level of security and to our users. The certification follows the standard published by the International Organization for Standardization (ISO) and ensures that our processes, security, and quality meet the expectations of the software as a service (SaaS) industry and the newest regulations.
Our products run on a dedicated network which is locked down and carefully monitored. We work with industry-leading partners (FRSecure and Drata) and risk response teams to ensure that we continuously and effectively monitor, manage, and evaluate risks.
Any questions or comments relating to Raffle security can be submitted to firstname.lastname@example.org
Data Protection applicable for Raffle Workplace
Raffle stays on top of new regulations and laws so that you do not have to, ensuring compliance at all levels and across different countries.
European Union General Data Protection Regulation (GDPR)
Since May 25th, 2018, the GDPR has regulated the use of European citizens' data, increasing the privacy and security of personal information. Raffle was founded in mid-2018, so it has been fully compliant with GDPR and other standard privacy regulations from the very beginning and has never compromised. Raffle will safely guide you through what is needed. When relevant to the services Raffle provides, we enter into a Data Processing Agreement (DPA, to protect both parties) prepared by the leading European law firm Kromann Reumert (winner of the prize for Europe's best law firm three years in a row).
US HIPAA legislation
The United States of America Health Insurance Portability and Accountability Act of 1996 protects sensitive patient healthcare information from being disclosed without the approval or knowledge of the patient. Since Raffle was founded in mid-2018 we have been dedicated to security and compliance without compromise. We are committed to being transparent and to protecting our customers if there is any health data in the sources that Raffle is searching.
Location of Data
For our customers in the EU the location of our Azure Data Center is West Europe (Netherlands) and data will never leave the EU. In a disaster recovery situation, our systems are guaranteed to be started up in another EU-based data center. Furthermore, we have Customer Lockbox enabled on our Azure subscription, which ensures that Microsoft cannot access content to do service operations without our explicit approval.
For our customers in the US the location of our Azure Data Center is in the US (New York). In a disaster recovery situation, our systems are started up in the US or in an EU-based data center. Furthermore, we have Customer Lockbox enabled on our Azure subscription, which ensures that Microsoft cannot access content to do service operations without our explicit approval.
Generally on data
The Customer Data is stored in a PostgreSQL database in the Azure Cloud. It includes scraped content from customer documents (not in their original form, but broken into smaller sections), and anonymized search queries. All data is encrypted at rest with AES 256 and uses TLS for communication on the wire.
Data in Transit
To protect data in transit between our app and our servers, raffle.ai supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, whenever supported by the clients.
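The paragraph above states the transit policy in words (TLS 1.2 or newer, AES256, SHA2). The following is an added example, not code from Raffle or from this page, showing how a client can enforce and audit such a policy with Python's standard `ssl` module. The cipher selector string, the helper names and the constructed suite descriptions are assumptions for illustration; the policy checks mirror the page's stated requirements.

```python
import ssl

# Transit policy as described on the page: TLS 1.2 or newer, AES-256 bulk
# encryption, SHA-2 family integrity. The selector below is an illustrative
# OpenSSL cipher string (an assumption, not Raffle's configuration): ECDHE key
# exchange with AES-256 in GCM mode.
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2
CIPHER_SELECTOR = "ECDHE+AES256+AESGCM"
SHA2_DIGESTS = {"sha256", "sha384", "sha512"}


def build_transit_context():
    """Build a client context that refuses anything below the policy."""
    ctx = ssl.create_default_context()   # CA verification and hostname check stay on
    ctx.minimum_version = MINIMUM_TLS    # rejects TLS 1.0 / 1.1 handshakes outright
    ctx.set_ciphers(CIPHER_SELECTOR)     # governs the TLS 1.2 suites offered
    return ctx


def audit_suite(suite):
    """Return the policy violations for one cipher-suite description.

    `suite` has the dict shape produced by SSLContext.get_ciphers():
    name, protocol, symmetric, alg_bits, aead, digest, ...
    An empty list means the suite is acceptable under the policy.
    """
    problems = []
    if suite["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        problems.append("legacy protocol %s" % suite["protocol"])
    if not str(suite["symmetric"]).startswith("aes-256"):
        problems.append("bulk cipher %s is not AES-256" % suite["symmetric"])
    if suite["alg_bits"] < 256:
        problems.append("%d-bit key" % suite["alg_bits"])
    # AEAD suites (GCM, CCM, Poly1305) carry integrity inside the cipher; CBC
    # suites rely on a separate HMAC, which must be SHA-2, not SHA-1 or MD5.
    if not suite["aead"] and suite["digest"] not in SHA2_DIGESTS:
        problems.append("integrity digest %s is not SHA-2" % suite["digest"])
    return problems


def audit_context(ctx):
    """Map every TLS 1.2 suite the context would offer to its violations.

    TLS 1.3 suites are fixed by the library and are not affected by
    set_ciphers(), so only the TLS 1.2 list is audited here.
    """
    return {
        s["name"]: audit_suite(s)
        for s in ctx.get_ciphers()
        if s["protocol"] == "TLSv1.2"
    }


def context_is_compliant(ctx):
    """True when the floor is TLS 1.2+ and no offered TLS 1.2 suite violates policy."""
    if ctx.minimum_version < MINIMUM_TLS:
        return False
    return all(not violations for violations in audit_context(ctx).values())


if __name__ == "__main__":
    context = build_transit_context()
    for name, violations in audit_context(context).items():
        print(name, "OK" if not violations else violations)
    print("compliant:", context_is_compliant(context))
```

The same `audit_suite` check can be applied to the tuple a live connection reports through `SSLSocket.cipher()`, which is how a monitoring job would confirm that a production endpoint actually negotiated what the policy promises rather than merely offered it.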
Data at Rest
Data at rest in raffle.ai’s production network is encrypted using industry-standard 256-bit Advanced Encryption Standard (AES256), which applies to all types of data at rest within raffle.ai’s systems, relational databases, file stores, database backups, etc.
In Raffle, we follow a set of development practices to ensure that our systems are running and functioning at all times according to our commitments:
- All code changes are thoroughly tested and reviewed according to our change processes.
- All code changes are tested in a staging environment before deploying to production.
- We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues.
- We conduct periodic third-party manual penetration testing of our web applications.
- We use several tools and services to automatically monitor uptime and service availability. Key employees receive automatic notifications in the case of downtime or emergencies.
- We perform weekly vulnerability scans against our main endpoints to detect weaknesses.
Risk Assessment Process
Raffle has established an organization-wide risk assessment process to identify and manage information security risks across the organization. Raffle regularly reviews the risks that may threaten the achievement of its service commitments and system requirements related to security.
Raffle’s Risk Assessment process takes into account a number of factors, each of which contributes to both the likelihood and the potential impact of a given risk. These include:
- The criticality of potentially impacted business processes as laid out in the Business Continuity and Disaster Recovery Policy.
- Whether a risk could potentially impact the confidentiality, availability, integrity, or privacy of customer data.
- Potential monetary loss.
- The ability of the risk to impact Raffle’s business objectives.
- Potential impact to Raffle’s customers or vendors.
Raffle has adopted the following Security Policies (maintained and reviewed yearly):
- Acceptable Use Policy
- Asset Management Policy
- Backup Policy
- Business Continuity Plan
- Code of Conduct
- Data Classification Policy
- Data Deletion Policy
- Data Protection Policy
- Disaster Recovery Plan
- Encryption Policy
- Incident Response Plan
- Information Security Policy
- Password Policy
- Physical Security Policy
- Responsible Disclosure Policy
- Risk Assessment Policy
- Software Development Life Cycle Policy
- System Access Control Policy
- Vendor Management Policy
- Vulnerability Management Policy