Security
Our security statement.
Your trust, our responsibility.
At 3rdRisk, we understand the critical importance of security in the digital age. Our approach to security is not just a feature – it's a fundamental principle that underpins everything we do.
SOC2 Type II assurance report
We adhere to the latest industry standards to ensure our systems and your data are protected against evolving threats. Our commitment to these standards is reflected in our SOC2 Type II assurance report, which demonstrates our dedication to security, availability, processing integrity, confidentiality, and privacy.
Continuous security monitoring
We have implemented continuous security monitoring to stay ahead of potential threats. This proactive approach helps us identify and address vulnerabilities swiftly, ensuring the safety and integrity of your data at all times.
Visit: https://trust.3rdRisk.com
Independent Penetration Testing
We regularly conduct independent penetration tests on our infrastructure. These rigorous tests are crucial in identifying and rectifying potential security weaknesses, ensuring that our platform remains secure against the most sophisticated attacks.
Certified security experts
Our security measures are executed in a structured manner, overseen by a team of experts. Our personnel have professional security certifications such as CISSP, CCSP, and CISA, showcasing their expertise in information security, cloud security, and systems auditing. This level of expertise means we are well-equipped to manage and mitigate a wide range of security risks.
3rdRisk security framework
Our security framework is designed to safeguard every aspect of our platform, ensuring the highest standards of data protection, privacy, and operational continuity. We achieve this through a multi-layered approach, addressing security at the identity, data, application, network, and infrastructure levels, as well as ensuring robust physical security and business continuity.
Our framework is continually evolving, integrating the latest industry standards and best practices to stay ahead of emerging threats.
Identity & Access Management
- 24/7 Access Monitoring: Continuous monitoring of all customer environments.
- Alert Forwarding: Capability to forward alerts to SIEM, Microsoft Teams, or SMS.
- Multi-Factor Authentication: Available for all accounts for enhanced security.
- SSO Integration: Compatibility with Microsoft Azure AD & Okta.
- Password Complexity: Enforced based on industry best practices.
- Brute-Force Protection: Implemented to safeguard against unauthorised access attempts.
- Protected Logging: Secure logging of all account activities.
- Role-Based Access: Ensuring access control throughout the platform.
- Account Creation Control: Only customers can create accounts in their environment.
Data Level
- Protected Audit Logging: Activated for all key data tables.
- Segmented Document Repositories: Individual repositories per customer environment.
- Continuous Backup: Regular backup processes in place.
- Secure Data Exit Procedure: Includes secure data transfer and removal.
- Responsible Disclosure: Established process for responsible disclosure.
Application Level
- Continuous Penetration Testing & Vulnerability Scanning: Performed by an independent security firm.
- 24/7 Application Monitoring: Timely detection of malicious activities and health issues.
- Alert Forwarding for Monitoring: Capability to send alerts to local SOC, Microsoft Teams, or via SMS.
- Yearly Penetration Test Audit Rights: Available for all customers.
- OWASP and ASVS Best Practices: Adherence to secure code best practices.
- Technical Security Measures: Including input sanitisation, CSRF protection, XSS protection, request rate limiting, and a content security policy.
Network Level
- TLS (Transport Layer Security): For secure communications.
- Strict Network Segmentation: To control and secure network traffic.
- Web Application Firewall (WAF): Deployed for additional security.
- IP/Country Allowlisting: Option for enhanced access control.
Platform Infrastructure
- Infrastructure Scanning: Regular scanning for vulnerabilities.
- Serverless Infrastructure: Increases platform resilience.
- Isolated Server Instances: Separate instances for each customer environment.
- AWS Systems Manager Parameter Store: For secure storage of configuration data and secrets.
Continuity & Physical Security
- AWS Hosting: Securely hosted in three geographically separated data centres in Europe (Germany).
- Resilience and Redundancy: Ensuring high availability and continuity.