SECURITY OVERVIEW AND PURPOSE
Before we begin, know two things:
- ServiceReef is honored to be a steward of your data
- We want to protect it as much as you do, and we have taken industry-recognized steps to help you feel secure with ServiceReef as your provider.
We try to provide efficiency in everything, and this security document is no exception. So let’s look at security from a different angle as we dig into how your data is secured on ServiceReef.com. For obvious reasons, we do not expose details that could be exploited by others. If you would like a PDF of our security overview, including information not contained here, please contact us directly.
CREATING A PROFILE
The first time a user visits ServiceReef.com to sign up for a trip, he or she is prompted to complete a profile with some basic data. All activity on the site is encrypted in transit using HTTPS (TLS 1.2).
The user is prompted to select a login method: Single Sign-On (SSO) through Facebook, or an email/password pair. Passwords are never stored in plaintext; they are one-way hashed before being written to our database. Additionally, to help users protect themselves, we prompt them to create strong passwords and to avoid the most commonly used passwords.
If a user enters an invalid password, the account is locked after a few invalid attempts. A locked account can only be unlocked by ServiceReef.com personnel.
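The sign-up and login controls described above (one-way hashing, a common-password check, and lockout after repeated failures), as an added example. This is illustrative code written for this page, not ServiceReef's own implementation; the per-account salt, the scrypt parameters, the minimum length, the five-entry denylist and the five-attempt threshold are all assumptions, since the page states none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed denylist for illustration; a real deployment loads a list of
# the most common leaked passwords rather than these entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password123456"}
MIN_PASSWORD_LENGTH = 12     # assumed policy value, not stated on the page
MAX_FAILED_ATTEMPTS = 5      # assumed value for "a few invalid attempts"


@dataclass
class Account:
    email: str
    salt: bytes          # per-account random salt (assumed; the page only says "one-way hashed")
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def validate_new_password(password: str) -> None:
    """Reject weak choices at sign-up: too short, or on the common-password list."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password too short")
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is too common")


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is memory-hard, so offline guessing against a leaked hash is slow.
    # n=2**14, r=8, p=1 needs about 16 MiB, inside hashlib's default memory limit.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def create_account(email: str, password: str) -> Account:
    validate_new_password(password)
    salt = os.urandom(16)
    return Account(email=email, salt=salt, password_hash=hash_password(password, salt))


def login(account: Account, password: str) -> bool:
    """Verify a password; count failures and lock the account after MAX_FAILED_ATTEMPTS."""
    # The hash is always computed, even for a locked account, so response time
    # does not reveal whether the account is locked.
    candidate = hash_password(password, account.salt)
    matches = hmac.compare_digest(candidate, account.password_hash)
    if account.locked:
        return False          # correct or not, a locked account cannot log in
    if matches:
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False


def unlock(account: Account) -> None:
    """Administrative reset, performed by support personnel, not by the user."""
    account.failed_attempts = 0
    account.locked = False
```

Note that `login` returns the same `False` for a wrong password and for a correct password on a locked account, so the response itself does not tell a caller which case occurred; the lockout state is only cleared by `unlock`, mirroring the page's statement that personnel unlock accounts.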
The user’s profile information is transmitted securely to our database. Our servers are hosted on Microsoft Azure, and the data layer is a SQL database in that cloud environment. Azure meets a broad set of international and industry-specific compliance standards, such as ISO/IEC 27001:2013, HIPAA, PCI DSS Level 1, FedRAMP, SOC 1, and SOC 2. For the full list, see Appendix A.
Azure blocks unauthorized traffic to and within Microsoft datacenters using firewalls, partitioned local area networks (LANs), and physical separation of back-end servers from public-facing interfaces. Microsoft conducts regular penetration testing to improve Azure security controls and processes. Data is encrypted both in transit and at rest.
Access to and modification of your data is performed only by your team and ServiceReef personnel.
ServiceReef requires multi-factor authentication for support personnel who access the databases. Technological safeguards, such as encrypted communications, operational processes, and separation of key storage, provide additional layers to keep customer data secure.
Azure SQL Database automatically backs up every active database on a regular schedule: full backups are taken daily and incremental backups hourly.
Once a user has a profile on ServiceReef.com, each organization can grant that user specific admin permissions for functions within the organization’s control. These are:
- Admin permissions at the organization level
- More granular admin permissions within each trip (approximately 25 distinct options per trip)
Every action within ServiceReef is validated against the permissions the user currently holds, which prevents privilege escalation. In essence, on each request we re-check that this specific user has the right to perform this action for this particular organization.
If the request is denied, ServiceReef displays a generic error page indicating that the user might have gone “off course”. This generic page is deliberate: it gives a potential attacker no information about why the request failed, making it harder to learn how the system works.
Additionally, all activity on the ServiceReef.com site is monitored and logged. Errors and attempted unauthorized transactions are reviewed periodically so that patterns are identified and appropriate action is taken.
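The per-request authorization check, the uniform “off course” denial, and the audit record it leaves, as an added example covering the three paragraphs above. This is illustrative code written for this page, not ServiceReef's implementation; the role name `org_admin`, the three trip-level action names (a stand-in for the roughly 25 real options), the `trips` lookup table, the in-memory `AUDIT_LOG`, and the 404 status used for the generic page are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ORG_ADMIN = "org_admin"
# A handful of the roughly 25 per-trip options; the names are constructed for this example.
TRIP_ACTIONS = {"view_participants", "edit_trip", "manage_payments"}

# Identical body for every denial, whether the trip is missing, belongs to another
# organization, or the user simply lacks the permission.
OFF_COURSE_RESPONSE = {"status": 404, "body": "Looks like you have gone off course."}

AUDIT_LOG: List[dict] = []   # stand-in for the central logging pipeline reviewed periodically


@dataclass
class User:
    user_id: int
    org_roles: Dict[str, set] = field(default_factory=dict)    # org_id -> {role, ...}
    trip_perms: Dict[tuple, set] = field(default_factory=dict)  # (org_id, trip_id) -> {action, ...}


def is_authorized(user: User, org_id: str, action: str, trip_id: Optional[str] = None) -> bool:
    """Decide from the user's *current* grants on every call; nothing is cached from earlier requests."""
    if ORG_ADMIN in user.org_roles.get(org_id, set()):
        return True
    if trip_id is None or action not in TRIP_ACTIONS:
        return False
    return action in user.trip_perms.get((org_id, trip_id), set())


def handle_request(user: User, org_id: str, trip_id: str, action: str,
                   trips: Dict[str, str]) -> dict:
    """`trips` maps trip_id -> owning org_id (constructed stand-in for the database).

    The existence check and the permission check are folded into one decision so the
    caller cannot distinguish "no such trip" from "not yours" from "not allowed".
    """
    trip_in_org = trips.get(trip_id) == org_id
    allowed = trip_in_org and is_authorized(user, org_id, action, trip_id)
    if not allowed:
        # The precise reason is recorded for reviewers but never shown to the requester.
        AUDIT_LOG.append({
            "user": user.user_id, "org": org_id, "trip": trip_id, "action": action,
            "reason": "trip not in org" if not trip_in_org else "permission missing",
        })
        return dict(OFF_COURSE_RESPONSE)
    return {"status": 200, "body": f"{action} performed on {trip_id}"}
```

Checking trip ownership against the organization in the same decision as the permission is what stops a user who holds a grant in organization A from reaching a trip in organization B by guessing its identifier; the audit entry keeps the real reason for the periodic review the page describes.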
SECURITY IN THE SOFTWARE DEVELOPMENT LIFECYCLE
Since the security of the organizations we serve is so important, we make it a top priority before a single line of code is written. Our leadership team meets regularly with our development team to discuss projects that are underway or upcoming, and for each project we ask: what potential security concerns does this effort introduce or reduce? This keeps security top of mind throughout the development effort.
Additionally, ServiceReef follows a strict development process with a written protocol for each of the following areas:
- General Coding Procedure
- Project Design
- Handling Primitives
- Input Validation
- HTML & Command Injection
- Data Sanitization & Serialization
- Storage Variables
- Garbage Collection
- Application Shutdown
- Segregation of Duties
ServiceReef.com has partnered with an outside vendor to perform security vulnerability scans on an ongoing basis. ServiceReef is committed to having zero Critical or High findings in each vulnerability scan.
ServiceReef also provides an optional service that allows organizations to retrieve their trip and participant information via an API. As with other forms of data, this has its own layers of security.
First, when this service is configured, a unique API key is created for the organization and is used to authenticate each request for information. Every API request must be made over HTTPS and authorized with that organization’s unique key.
When a request is received, ServiceReef decrypts it (TLS termination), validates the key presented, validates that the request’s timestamp is within the allowed window, and then checks that the requested data belongs to that organization. All data returned to the organization via the API is likewise encrypted in transit using HTTPS.
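The key and timestamp validation described above, as an added example showing both the client and server side of one API call. This is illustrative code written for this page, not ServiceReef's API. The page says only that the key is validated and that the time must be within an allowed range; the example assumes the key is used as an HMAC-SHA256 secret over the method, path, timestamp and body hash (so that the timestamp cannot be altered without invalidating the key check), a 300-second window, the `X-Org-Id`/`X-Timestamp`/`X-Signature` header names, and a constructed key store.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

ALLOWED_SKEW_SECONDS = 300   # assumed window; the page only says "within the allowed range"

# Constructed key store for the example: organization id -> shared secret key (hypothetical value).
API_KEYS: Dict[str, str] = {
    "org-42": "c0ffee0123456789abcdef0123456789abcdef0123456789abcdef0123456789",
}


def _canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    # Everything the server will act on is covered, so none of it can be altered in flight.
    return b"\n".join([
        method.upper().encode(), path.encode(),
        str(timestamp).encode(), hashlib.sha256(body).hexdigest().encode(),
    ])


def _signature(key: str, method: str, path: str, timestamp: int, body: bytes) -> str:
    return hmac.new(key.encode(), _canonical_string(method, path, timestamp, body),
                    hashlib.sha256).hexdigest()


def sign_request(org_id: str, key: str, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the headers an organization attaches to an API call."""
    ts = int(time.time()) if timestamp is None else timestamp
    return {
        "X-Org-Id": org_id,
        "X-Timestamp": str(ts),
        "X-Signature": _signature(key, method, path, ts, body),
    }


def verify_request(headers: Dict[str, str], method: str, path: str, body: bytes,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Server side, run after TLS has been terminated.

    Returns (accepted, reason). The reason is for the audit log only; the client
    always receives the same generic 401 regardless of which check failed.
    """
    now = int(time.time()) if now is None else now
    key = API_KEYS.get(headers.get("X-Org-Id", ""))
    if key is None:
        return False, "unknown organization or key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > ALLOWED_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    expected = _signature(key, method, path, ts, body)
    # Constant-time comparison so signature mismatches do not leak through timing.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"
```

The time window limits how long a captured request stays usable; a request can still be replayed inside the window, so a server that needs strict single use would additionally remember recently seen (organization, timestamp, signature) triples for the length of the window and reject duplicates.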
Whenever an email is triggered (e.g. a reminder for a meeting or an upcoming payment deadline), ServiceReef.com sends the content to our email provider for delivery to the participant’s inbox. As a best practice, ServiceReef advises organizations not to send protected data via email, since email is not a secure channel for personally identifiable information (PII).
While the data sent to our email provider is limited, the provider is committed to security best practices in both technical and operational controls. Its data centers are SOC Type 2 compliant, and all data in transit is encrypted using TLS.
DONATIONS AND FINANCIAL TRANSACTIONS
The quick and easy ability for donors to give to participants is a huge benefit of running trips and events through ServiceReef.com. ServiceReef has partnered with industry-leading payment providers to ensure that any financial information gathered is encrypted, transmitted securely to the provider, and stored in a manner compliant with PCI standards. All providers are PCI DSS Level 1 certified.
ServiceReef does not store credit card information, nor do we have access to the full card details provided by users or donors. Instead, ServiceReef sends the card information to the provider and receives back an opaque, unique identifier (a token) for that user. For any future transaction, ServiceReef sends this single token instead of card information. ServiceReef can obtain the last four digits of the card number when it requests information on that user (e.g. for support purposes), but can never access the full card number.
ServiceReef.com does have a preferred provider, who has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification currently available.
For security and integrity reasons, ServiceReef is not responsible for the financial transactions processed through the payment providers, as each client creates its own private financial profile directly with the provider. Transactions are then batched and periodically settled to the organization’s bank account on file.
APPENDIX A - Data Compliance with Microsoft Azure
Azure meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards including Australia IRAP, UK G-Cloud, and Singapore MTCS. Microsoft was also the first to adopt the uniform international code of practice for cloud privacy, ISO/IEC 27018, which governs the processing of personal information by cloud service providers.
Rigorous third-party audits, such as those by the British Standards Institution, verify Azure’s adherence to the strict security controls these standards mandate. Microsoft’s implementation of many of these controls can be verified by requesting audit results from the certifying third parties or through a Microsoft account representative.
Azure cloud services, with independently verified compliance, give organizations a foundation for achieving compliance for the infrastructure and applications they run in Azure. Azure customers receive detailed information about Microsoft’s security and compliance programs, including audit reports and compliance packages, to assess the services against their own legal and regulatory requirements. Microsoft’s compliance team also works with its engineering and operations teams, as well as external regulatory bodies, to help ensure that customer needs are met.