Information Security Summary

Data security is key for Redwood’s product development. This Information Security Summary (the “InfoSec Summary”) points out the organizational policies and controls in effect at Redwood that are aimed towards maintaining confidentiality, integrity, and availability of Client Data used with Redwood’s solutions or services (the “Software”). Capitalized terms not otherwise defined herein shall have the meaning set forth in the applicable Master Software Subscription and Services Agreement (hereinafter referred to as the “Agreement”). In the event of a conflict between the Agreement and this InfoSec Summary, the Agreement prevails.

Scope

This InfoSec Summary highlights the security measures maintained by Redwood with respect to its internal infrastructure and its Software, that could have an impact on the confidentiality, integrity, and availability of Client Data.

Security Certifications

Redwood recognizes the importance of implementing appropriate technical and organizational security measures and adequate security controls to prevent any unauthorized access, disclosure, alteration, or destruction of Client Data. Redwood maintains a comprehensive information security management system and engages independent auditors to provide industry standard certifications and attestations. Redwood has the following list of certifications:

1. ISO/IEC 27001 certification
2. SOC 1 Type 2 and SOC 2 Type 1 attestations
3. CSA STAR Level 1 certification

Redwood is constantly working to improve its quality and security standards and is working on an internal roadmap of certifications and standards relevant and adequate for the industry in which Redwood operates.

Redwood shall also comply with the controls in, and maintain, an ISO/IEC 27001 certification, providing that certification and a copy of the corresponding statement of applicability (SOA) to Client upon written request.

Security Features for More Control, Visibility & Flexibility

Platform & Network Security: Our dedicated security team approaches security holistically based on industry best practices and aligned to a common ISO 27001, SOC1, SOC2 and CSA STAR controls framework. Security threats are prevented using our detections program, secure software development process, and industry-accepted operational practices.

Scalability & Availability: Redwood’s network infrastructure relies on a secure cloud service platform with flexible capacity to ensure reliability for Redwood customers. Customers have access to https://staging.marketing.redwood.com/trust/ where they can find more security features & compliance status of Redwood’s Security Platform.

Security & Monitoring: Redwood has established and maintains a formal, documented company-wide Information Security Management Program that provides management direction and support for implementing information security within the Redwood environment. The objective of the program is to maintain the confidentiality, integrity, and availability of data and assets while complying with applicable legislative, regulatory, and contractual requirements.

Identity & Access Management: Ensure that only the right people can access your company’s data in Redwood with features like single sign-on (SSO) and granular data access permissions.

Data Protection: By default, Redwood encrypts data at rest and data in transit for all of our customers.

Incident Management & Responses: Redwood maintains ongoing documentation and verification of its incident response policy and procedures. We apply a 6-step approach that drives consistency and on-going improvements to our responses process: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned.

Vulnerability & Patch Management: Systems are scanned regularly for common vulnerabilities. Servers are patched automatically on a regular schedule, with critical and high severity patches applied with the highest priority.

DDoS Mitigation: Distributed Denial of Service mitigation is provided via AWS Shield Standard.

Third Party Penetration Testing: Redwood partners with external penetration testing vendors to conduct annual tests. Medium and higher severity findings are remediated, and reports are available upon request and under NDA.

Role Bases Access Control (RBAC) Mechanism: Redwood administrators can set user roles according to the principle of least privilege. Users only see what they need in order to perform their job.

Certifications: Redwood undergoes annual audits with external vendors to ensure its products and processes follow the strictest norms.

Information Security Policies & Procedures: Redwood uses the SOC1, SOC2, ISO 27001 and CSA STAR frameworks as the foundation for its policies and procedures. All Employees acknowledge their responsibilities in protecting customer data as a condition of employment.

Report a Vulnerability

At Redwood Software, we take the responsibility for your data security and privacy very seriously. As your trusted partner in automation, we understand the paramount importance of ensuring that your information stays protected.

Along with a strict security posture and adhering to the industry’s highest security and data protection standards, we are continuously making advancements to address an evolving digital landscape with new and dynamic threats. We appreciate your vigilance as well and encourage you to report any security or privacy issues that you think we should be aware of. You can contact us at [email protected]. The Redwood team is committed to investigating potential vulnerabilities and taking swift action if necessary.