Data security is key for Redwood’s product development. This Information Security Summary (the “InfoSec Summary”) points out the organizational policies and controls in effect at Redwood that are aimed towards maintaining confidentiality, integrity, and availability of Client Data used with Redwood’s solutions or services (the “Software”). Capitalized terms not otherwise defined herein shall have the meaning set forth in the applicable Master Software Subscription and Services Agreement (hereinafter referred to as the “Agreement”). In the event of a conflict between the Agreement and this InfoSec Summary, the Agreement prevails.
This InfoSec Summary highlights the security measures maintained by Redwood with respect to its internal infrastructure and its Software, that could have an impact on the confidentiality, integrity, and availability of Client Data.
Redwood recognizes the importance of implementing appropriate technical and organizational security measures and adequate security controls to prevent any unauthorized access, disclosure, alteration, or destruction of Client Data. Redwood maintains a comprehensive information security management system and engages independent auditors to provide industry standard certifications and attestations. Redwood has the following list of certifications:
Redwood is constantly working to improve its quality and security standards and is working on an internal roadmap of certifications and standards relevant and adequate for the industry in which Redwood operates.
Redwood shall also comply with the controls in, and maintain, an ISO/IEC 27001 certification, providing that certification and a copy of the corresponding statement of applicability (SOA) to Client upon written request.
Platform & Network Security: Our dedicated security team approaches security holistically based on industry best practices and aligned to a common ISO 27001, SOC1 & SOC2 controls framework. Security threats are prevented using our detections program, secure software development process, and industry-accepted operational practices.
Scalability & Availability: Redwood’s network infrastructure relies on a secure cloud service platform with flexible capacity to ensure reliability for Redwood customers. Customers have access to https://www.redwood.com/trust/ where they can find more security features & compliance status of Redwood’s Reality Platform.
Security & Monitoring: Redwood has established and maintains a formal, documented company-wide Information Security Management Program that provides management direction and support for implementing information security within the Redwood environment. The objective of the program is to maintain the confidentiality, integrity, and availability of data and assets while complying with applicable legislative, regulatory, and contractual requirements.
Identity & Access Management: Ensure that only the right people can access your company’s data in Redwood with features like single sign-on (SSO) and granular data access permissions.
Data Protection: By default, Redwood encrypts data at rest and data in transit for all of our customers.
Incident Management & Responses: Redwood maintains ongoing documentation and verification of its incident response policy and procedures. We apply a 6-step approach that drives consistency and ongoing improvements to our response process: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned.
Vulnerability & Patch Management: Systems are scanned regularly for common vulnerabilities. Servers are patched automatically on a regular schedule, with critical and high severity patches applied with the highest priority.
DDoS Mitigation: Distributed Denial of Service mitigation is provided via AWS Shield Standard.
Third Party Penetration Testing: Redwood partners with external penetration testing vendors to conduct annual tests. Medium and higher severity findings are remediated, and reports are available upon request and under NDA.
Role-Based Access Control (RBAC) Mechanism: Redwood administrators can set user roles according to the principle of least privilege. Users only see what they need in order to perform their job.
Certifications: Redwood undergoes annual audits with external vendors to ensure its products and processes follow the strictest norms.
Information Security Policies & Procedures: Redwood uses the SOC1, SOC2 & ISO 27001 frameworks as the foundation for its policies and procedures. All employees acknowledge their responsibilities in protecting customer data as a condition of employment.