Effective Date: 16 October 2020
Reltio takes the protection of customer data very seriously. Reltio customers use the Reltio Connected Customer 360 (‘Reltio Cloud’) Platform to bring together data from a customer’s internal, external and third-party sources to create a single customer view. Because customer data may contain Personally Identifiable Information (PII), Sensitive PII (SPII) or Protected Health Information (PHI), Reltio has implemented security measures to handle such data with the applicable level of care. The Reltio Cloud Platform is cloud native and builds on the security controls of world-leading public cloud providers (Amazon Web Services and Google Cloud Platform), together with Reltio’s own internal data security practices, to deliver Reltio services to our customers.
Reltio hosts its Platform and associated customer data with Amazon Web Services (AWS) and Google Cloud Platform (GCP). Reltio Cloud Platform infrastructure is hosted in data centers located in the following regions:
- AWS US East (Virginia)
- AWS EU (Ireland)
- AWS Asia Pac (Singapore)
- GCP US Central (Iowa)
- GCP EU (Belgium)
- GCP Canada
Reltio Cloud Platform servers, network infrastructure and software are located in these AWS and GCP data centers. Reltio’s primary Cloud Platform is located in the AWS US East (Virginia) and GCP US Central (Iowa) data centers. The Platform distributes its application and database nodes across multiple AWS and GCP availability zones, enabling application resilience and scalability. Reltio benefits from AWS’s and GCP’s experience in operating and securing physical data centers and in securing the hosting vendor cloud.
AWS and GCP both maintain physical security measures and formal physical access procedures, including:
- Nondescript data center facilities
- Physical access is controlled
- Video surveillance at perimeter and ingress points
- Professional security staff
- Intrusion detection systems
- Multi-factor authentication required to access data center floors
- All visitors monitored
- Logged data center access
AWS and GCP both adhere to the principle of least privilege. Access is granted for legitimate business needs and limited to the minimum level of access required to complete the task. Access is revoked when staff leave or change positions.
AWS and GCP maintain physical controls to safeguard the assets within their respective data center facilities including:
- Fire Detection and Suppression equipment
- 24 hour support for power generation. UPS backups for temporary, isolated power outages and generators for longer power outages affecting the local power grid.
- Climate control
AWS and GCP monitor electrical, mechanical, and life support systems and equipment so that any issues can be immediately identified. AWS and GCP both conduct preventative maintenance on their respective data centers to maintain the continued operability of data center equipment.
For more information on AWS physical security see AWS’s website.
For more information on GCP physical security see GCP’s website.
Reltio staff play a critical role in designing, developing, implementing and securing the Platform. Reltio Information Security, in cooperation with Reltio Human Resources, instructs staff on their responsibilities for security, privacy and the protection of customer data. Reltio requires all Reltio staff to sign non-disclosure agreements. All Reltio staff must complete security awareness and ethics training within 30 days of joining Reltio and recertify annually. Ethics training requires staff to acknowledge and agree to the Reltio Acceptable Use, Information Security and Privacy Policies.
Reltio staff must submit to a background check as a condition of working for Reltio. Background checks include a check on identity, criminal history, education history and employment history.
Staff who leave Reltio have their access to Reltio systems revoked within one (1) business day of departure. Reltio automates termination for most systems and maintains a detailed checklist for each department to remove access from any systems not integrated with the Reltio identity management system. In addition, Reltio performs quarterly access reviews of privileged and administrator access to critical systems.
The Platform encrypts data transmitted over the public Internet using TLS 1.2. The Platform incorporates industry best practices to protect sessions and secure communications. The Platform exposes a RESTful API and exchanges data with customers over HTTPS.
Reltio uses strong cipher suites and enforces perfect forward secrecy, so that a later compromise of a server’s long-term private key does not expose previously recorded sessions.
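As an added illustration of the transport controls described above (this is example code written for this page, not Reltio’s own configuration or API), the following Python builds a server-side TLS context that enforces TLS 1.2 as the protocol floor and only AEAD cipher suites with an ephemeral (EC)DHE key exchange, then audits the resulting context offline. It assumes CPython 3.7+ linked against OpenSSL 1.1.1 or later; the function and constant names, and the `WEAK_SAMPLE` list, are constructed for the example.

```python
"""Added example, not Reltio code: a server-side TLS configuration that
enforces a TLS 1.2 floor, strong (AEAD) ciphers and perfect forward
secrecy, plus an offline audit of the resulting context.

Assumes CPython 3.7+ linked against OpenSSL 1.1.1 or later. Names are
illustrative and do not correspond to any Reltio API.
"""
import ssl

# TLS 1.2 cipher string: only AEAD suites with an ephemeral (EC)DHE key
# exchange. TLS 1.3 suites are managed separately by OpenSSL and are all
# forward secret, so they need no entry here.
PFS_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"
    ":!aNULL:!eNULL:!MD5:!RC4:!3DES"
)

# Key-exchange identifiers reported by SSLContext.get_ciphers() that imply
# an ephemeral exchange. "kx-any" is what OpenSSL reports for TLS 1.3 suites.
FORWARD_SECRET_KEA = frozenset(
    {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}
)


def build_server_context() -> ssl.SSLContext:
    """Server context with TLS 1.2 as the floor and PFS-only cipher suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rejects SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers(PFS_CIPHERS)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # server, not client, orders suites
    ctx.options |= ssl.OP_NO_COMPRESSION             # removes the CRIME attack surface
    return ctx


def audit_ciphers(ciphers: list) -> dict:
    """Check a list of cipher descriptions shaped like get_ciphers() output.

    Flags suites whose key exchange is not ephemeral (no forward secrecy)
    and suites that are not AEAD (CBC-mode suites, historically the source
    of padding-oracle attacks such as Lucky13).
    """
    non_pfs = [c["name"] for c in ciphers if c["kea"] not in FORWARD_SECRET_KEA]
    non_aead = [c["name"] for c in ciphers if not c["aead"]]
    return {
        "enabled": [c["name"] for c in ciphers],
        "non_pfs": non_pfs,
        "non_aead": non_aead,
        "compliant": bool(ciphers) and not non_pfs and not non_aead,
    }


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Audit a live SSLContext: protocol floor plus the cipher checks above."""
    report = audit_ciphers(ctx.get_ciphers())
    report["minimum_version"] = ctx.minimum_version.name
    report["compliant"] = (
        report["compliant"] and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )
    return report


# Constructed sample of what a permissive context might report: a static-RSA
# key exchange (no PFS) and a CBC suite (not AEAD) alongside a good suite.
WEAK_SAMPLE = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "kea": "kx-ecdhe", "aead": True},
    {"name": "AES256-GCM-SHA384", "kea": "kx-rsa", "aead": True},
    {"name": "ECDHE-RSA-AES128-SHA", "kea": "kx-ecdhe", "aead": False},
]

if __name__ == "__main__":
    good = audit_context(build_server_context())
    print("hardened context compliant:", good["compliant"], good["minimum_version"])
    weak = audit_ciphers(WEAK_SAMPLE)
    print("weak sample compliant:", weak["compliant"])
    print("  no forward secrecy:", weak["non_pfs"])
    print("  not AEAD:", weak["non_aead"])
```

The audit deliberately keys on the `kea` field rather than on cipher names: a static-RSA suite such as `AES256-GCM-SHA384` is AEAD and looks strong, but it offers no forward secrecy because the pre-master secret is encrypted to the server’s long-term key. The same check can be pointed at a context built from any other cipher string to verify that a deployment actually meets the TLS 1.2 plus PFS bar before it goes into production.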
Reltio offers customers the option to restrict access to their tenant to an allow-list (whitelist) of customer IP addresses.
Reltio uses the respective data security safeguards of AWS and GCP as well as Reltio’s own tools to protect the Reltio network. AWS and GCP both provide firewall rules and security groups that enable Reltio to secure its web, application and database servers. Reltio maintains separate subnets for the different layers of the architecture; private subnets have outbound-only Internet connectivity through a NAT Gateway. Only the public-facing, load-balanced web servers sit in the public subnet and are exposed through the Internet Gateway. Reltio thereby maintains a virtual DMZ that shields the application and data layers of the architecture.
Reltio uses intrusion detection systems to further monitor server activity and to alert Reltio security staff to anomalous activity. Reltio maintains anti-virus software on critical servers, and a next-generation WAF provides additional protection against external attacks and common web application vulnerabilities such as those in the OWASP Top Ten.
Reltio Information Security and a managed security service provider (MSSP) monitor intrusion detection alerts and investigate anomalous activity. Investigations may result in bug fixes or enhancements to the Platform to address identified vulnerabilities.
Reltio routinely patches operating systems and software included in the Platform. Reltio’s intrusion detection system includes vulnerability scanning for the operating systems and installed applications. Reltio Information Security automates patching where possible at the OS level. Reltio tests all operating system and application patches prior to production deployment.
The Platform encrypts customer data at rest. Data is encrypted with AES-256 using LUKS volume encryption or the hosting vendor’s native encryption capabilities. Customer data may only be accessed through the Platform, via the user interface or the Reltio API, and in both cases only after authentication. Administrative tasks can be completed by authorized Reltio staff who are granted access through role-based access control (RBAC) under the principle of least privilege.
The Platform encrypts customer data at the node level. Customers may also register for Reltio Shield, which allows a customer to generate its own encryption key and to encrypt customer data at the database file level. Reltio Shield customers control key generation and the key rotation policy via an API.
Reltio does not combine or co-mingle customer data across different data partners or customers. Partners and customers must authenticate against a specific customer tenant. Each tenant has its own database keyspace. Customer data is separated from other customers and such separation aligns with legal discovery requirements.
The Platform maintains an activity log of all system activity, including login, create, read, update and delete events. Customer users can see their own activity logs, and customer administrators may view activity logs for the entire tenant via the activity log API. Customers may export this data to a SIEM or other reporting tool via the Reltio API. Activity logs are retained for a minimum of one year; the Platform retains them longer where the customer’s industry requirements call for it.
Reltio collects server, network, hypervisor and intrusion detection logs in its SIEM. Logs are retained for one (1) year. Logging includes common server events including, but not limited to, logins and failed login attempts, privilege escalation, suspicious commands, installation of unapproved applications and external access attempts. Reltio has developed alerts for its SIEM and IDS that Reltio Information Security staff or MSSP staff review on a regular cadence.
Business Continuity and Disaster Recovery
Reltio uses ISO 22301 to structure its Business Continuity Plan (BCP) and Disaster Recovery Plan (DR). The BCP and DR include processes required to address a number of different disaster scenarios including application and database outages, natural disasters, fires, pandemics, and data breach. Contact data and processes are included in the documentation as well as alternate communication mechanisms if there is an outage of the primary communication channel. Reltio Information Security, in collaboration with other Reltio departments, tests its Business Continuity and Disaster Recovery Plans annually.
To build application resilience, Reltio distributes Platform database nodes across a minimum of three availability zones in each of AWS and GCP, with multiple servers within each zone. Data is replicated and load balanced, and the Platform runs active-active across all zones, providing application and data resilience as well as improved scalability.
The Platform creates encrypted backups of customer data in the rare case of data corruption. The default retention period is seven (7) calendar days and is maintained on a rolling seven (7) day basis. Customers may arrange for longer retention periods and may also elect to use the Reltio Backup Service for an additional cost.
Third Party Penetration Testing
Reltio engages a reputable third-party penetration testing firm to review the Platform for vulnerabilities. Testing includes both network and application vulnerability scans and manual penetration testing. Testing occurs on production and non-production tenants and network subnets. Reltio takes a risk-based approach to remediating penetration testing findings and prioritizes all critical and high findings.
Reltio Security Operating Procedures
Reltio maintains approved security policies and procedures aligned to the HITRUST CSF standard. Reltio Information Security enforces these policies and procedures throughout the Reltio organization. Reltio Security Operating Procedures cover:
- Acceptable Use
- System Access
- Asset Management
- Physical Security
- Password Control
- Anti-Virus and Anti-Malware
- Remote and Wireless Access
- Data Security
- Security Incident Management
- On-Boarding and Termination
- Information Security
- Penetration Testing
- Security Risk Assessment
- Vendor Security Standard
- Disciplinary Process
- Security Configuration Management
- Application Development Standards
Reltio updates these operating procedures annually and as needed.
Reltio develops code against the OWASP Top Ten. Reltio engineering staff are trained on the OWASP standard and must re-train every two (2) years. Major releases of Reltio application software may not ship without quality assurance testing that includes OWASP Top Ten regression test cases. Reltio includes peer review in the code development process. Reltio enforces separation of duties across the system development life cycle by separating the developer, quality assurance and release management roles. Developers, support and quality assurance staff do not have the ability to update code in a production environment.
Quality assurance processes align with the requirements of 21 CFR Part 11. Reltio maintains change controls, testing validation and other deliverables to support 21 CFR Part 11 documentation requirements.
Reltio Cloud System Access
The Platform supports Single Sign-On (SSO) for customers using both the SAML 2.0 and OAuth 2.0 protocols. The Platform provides role-based access control (RBAC) for customers to manage access rights to their tenants. Customers are responsible for user, group and role management within their deployment and for administering RBAC through the Reltio Console or the Reltio APIs.
The Reltio Cloud Platform authenticates every access request, requiring either a SAML assertion or a tenant ID, user ID and complex password. Authorization is denied by default: only users who have been explicitly granted access to a Reltio resource may perform functions on it in the Reltio Cloud Platform.
Reltio support and administrative access to customer production systems is restricted. Customers must authorize Reltio access in writing, typically via a support ticket. A Reltio manager must then approve the access in an internal ticket, and the staff member must have a valid business need such as a bug fix or an approved administrative activity.
The Platform maintains a virtual private network (VPN) in front of its hosting vendor network. Access to the VPN requires authentication with multi-factor authentication. Behind the VPN, network access is further restricted through bastion hosts. Reltio maintains RBAC controls over user and group access to servers on each subnet. Reltio Information Security controls access to these resources.
Access to the hosting vendor consoles (the hypervisor layer) requires multi-factor authentication. Authorization is further restricted by RBAC controls within the hosting vendor consoles. Reltio Information Security controls access to these resources.
Reltio Information Security restricts access to the customer production network through RBAC controls with the principle of Least Privilege. A Reltio manager must approve the access in an internal ticket and the staff member must have a valid business need for such access. Information Security has the right to restrict or rescind access.
Reltio provides customers added assurance that it follows its own procedures by having its security controls audited annually by a PCAOB-registered third party. The audits demonstrate that Reltio has implemented controls to secure customer data, and Reltio uses the third party’s input on industry best practices to enhance its existing security practices.
HITRUST Common Security Framework
Reltio is HITRUST Common Security Framework (CSF) certified. HITRUST CSF unifies recognized standards and regulatory requirements from NIST, HIPAA/HITECH, ISO 27001, PCI DSS, FTC and COBIT. Customers subject to an NDA with Reltio may obtain a copy of the certification report upon written request.
Service Organization Control Reports
Reltio has completed SOC 1 Type II and SOC 2 Type II examinations for the Reltio Cloud Platform. A SOC 1 report addresses controls relevant to a customer’s financial reporting; a SOC 2 report addresses non-financial controls against the Trust Services Criteria, of which security is the core. Customers subject to an NDA with Reltio may obtain a copy of these reports upon written request.
Reltio maintains an environment on the Platform configured to help customers meet HIPAA requirements. The HIPAA environment uses HIPAA-eligible services from the hosting vendors and is operated in accordance with HIPAA requirements. Reltio maintains a Business Associate Agreement (BAA) with its hosting vendors. The Platform encrypts customer data at rest and in transit over the public Internet, and logs all access to the applications and to the supporting servers and network. Reltio retains log data in its SIEM for one (1) year.
Third Party Security and Privacy Assessment
Reltio assesses third-party vendors before using their services, whether as part of the Reltio Cloud Platform or for internal Reltio use. As part of the assessment, Reltio reviews the vendor’s SOC 2 Type II report or the vendor’s responses to a Reltio security assessment questionnaire. Reltio includes security and privacy obligations in its contractual agreements with such third-party vendors, aligned with Reltio’s contractual obligations to its customers and with Reltio’s own security standards. Reltio reassesses third-party vendors annually.
Reltio maintains cyber insurance coverage.