ReferScout Security Documentation
ReferScout offers a robust, secure, and scalable platform to source quality candidates from employee referrals.
Our Commitment to Privacy and Security
ReferScout is committed to keeping any and all data we collect from clients safe and secure, following best-in-class industry standards and protocols. The following document provides a summary of ReferScout's approach to information privacy and security for our client-facing solutions.
Data Privacy Approach
ReferScout has a strong commitment to maintaining the integrity of information you allow us to process and has a privacy policy to match. Details on the information we collect and how we use it can be found at ReferScout's Privacy Policy statement.
Additionally, ReferScout uses third-party sub-processors to help us provide our services to you. These sub-processors process data that you input into the services, which may include personal data. Like ReferScout, our sub-processors prioritize data privacy and, where applicable, have contractually agreed to protect the personal data of ReferScout's customers in accordance with global data privacy regulations and standards. A list of sub-processors is maintained on this page.
Security for Customer-Facing Application
When we designed and developed ReferScout's Employee Referral Management solution, data privacy and security were top priorities. We carefully selected partners who could provide the level of protection we felt was needed.
We selected Salesforce's Heroku application platform environment to host and manage our solutions, with the most rigorous security and privacy protocol available.
Heroku Overview
The application code and information database for our complete solution is hosted on Heroku, a secure cloud software hosting platform owned by Salesforce. The platform is designed to protect customers from threats by applying security controls at every layer from physical to application, isolating customer applications and data, and with its ability to rapidly deploy security updates without customer interaction or service interruption.
Security Assessments and Compliance
Heroku's physical infrastructure is hosted and managed within Amazon's secure data centers utilizing AWS technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
ISO 27001
SOC 1 & SOC 2
PCI Level 1
FISMA Moderate
Sarbanes-Oxley
PCI
Physical Security
Heroku utilizes ISO 27001 and FISMA certified data centers managed by Amazon. AWS data centers are housed in nondescript facilities with extensive setback and military-grade perimeter control. Physical access is strictly controlled at the perimeter and at building ingress points by professional security staff utilizing video surveillance and state-of-the-art intrusion-detection systems. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors.
Environmental Safeguards
Fire Detection and Suppression
Automatic fire detection and suppression equipment utilizing smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. Areas are protected by wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
Power
Data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24/7. Uninterruptible Power Supply (UPS) units provide backup power in the event of an electrical failure for critical and essential loads.
Climate and Temperature Control
Data centers are conditioned to maintain atmospheric conditions at optimal levels. Monitoring systems and personnel ensure temperature and humidity are at the appropriate levels, preventing overheating and reducing service outages.
Management
Data center staff monitor electrical, mechanical and life support systems and equipment so issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
Platform Security
Network Security
Firewalls restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are permitted based on business need. Host-based firewalls restrict customer applications from establishing localhost connections to further isolate applications.
System Security
System configuration and consistency is maintained through standard, up-to-date images and configuration management software. Systems are deployed using up-to-date images with configuration changes and security updates before deployment. Existing systems are decommissioned and replaced with current systems.
Customer Application Isolation
Applications run within their own isolated environment and cannot interact with other applications or areas of the system. Self-contained environments isolate processes, memory, and the file system while host-based firewalls restrict applications from establishing local network connections.
System Authentication
Operating system access is limited to Heroku staff and requires username and key authentication. Operating systems do not allow password authentication to prevent password brute force attacks, theft, and sharing.
Penetration Testing & Vulnerability Assessments
Third-party security testing is performed by independent and reputable security consulting firms. Findings from each assessment are reviewed with the assessors, risk ranked, and assigned to the responsible team for resolution.
Vulnerability Management
The vulnerability management process remediates risks without customer interaction or impact. Vulnerabilities are identified through internal and external assessments, system patch monitoring, and third-party services. New systems are deployed with latest updates while existing systems are decommissioned.
Application Security
Heroku undergoes penetration tests, vulnerability assessments, and source code reviews covering all platform areas including OWASP Top 10 web application vulnerabilities and customer application isolation. Issues are risk ranked, prioritized, and assigned for remediation.
Backups & Disaster Recovery
Customer Applications
Applications deployed to the Heroku platform are automatically backed up as part of the deployment process on secure, access-controlled, and redundant storage. Heroku uses these backups to deploy applications and to automatically bring them back online in the event of an outage.
Customer Postgres Databases
Data is stored and managed in Heroku Postgres. Continuous Protection keeps data safe — every change is written to write-ahead logs, shipped to multi-data center, high-durability storage. In the event of hardware failure, these logs can be automatically replayed to recover the database to within seconds of its last known state.
Disaster Recovery
The Heroku platform automatically restores customer applications and databases in the case of an outage. The platform is designed to dynamically deploy applications, monitor for failures, and recover failed platform components including customer applications and databases. Infrastructure is designed to scale and be fault tolerant by automatically replacing failed instances.
Privacy & Data Access
Both Heroku and our development team staff DO NOT access or interact with customer data or applications as part of normal operations. There may be cases where access is requested by the customer for support purposes or where required by law.
Customer data is access controlled and all access by staff is accompanied by customer approval or government mandate, reason for access, actions taken by staff, and support start and end time.
ReferScout personnel only have access on a need-to-know, specifically granted-access basis. ReferScout will not extract or use customer-specific data except where we have a legal basis to do so in order to fill the purpose for which the data was collected. ReferScout will look at metadata so that we can understand which portions of the systems are being used to best meet client needs.
ReferScout Customer Security Best Practices
Encrypt Sensitive Data at Rest and in Transit
Customer data is encrypted both in transit via HTTPS / SSL and at rest in the database. Common data attributes such as passwords and two-factor authorization secrets are encrypted at rest and filtered out of data logs.
Logging
Redundant monitoring systems enable log capture at an app level, providing the ability to accurately pinpoint error root causes with full traceability.
Application Hierarchy
The ReferScout solution was built on the Heroku-20 Stack with a 2-tier access control. Access to the Heroku environment is controlled by multi-factor authentication to limit any unauthorized access.
Have Security Questions?
Our team is ready to discuss ReferScout's security measures and how we protect your data.