About


Data Security is Our Number One Priority

We start with continuous SOC 2 compliance, assessed by an independent third party, Sword and Shield Enterprise Security. We then enlist the security vendor Qualys to continuously monitor our security and compliance posture across our entire platform.

Our website is served over HTTPS (Hypertext Transfer Protocol Secure), the secure version of HTTP, the protocol over which data is sent between your browser and the website you are connected to. The ‘S’ at the end of HTTPS stands for ‘Secure’: all communications between your browser and the website are encrypted.

Users are required to change their password every 90 days per the credit bureau regulation.

Multi-Factor Authentication via text message and email is used to verify identity before access to our platform is granted.

Continuous Monitoring

Our system infrastructure is constantly scanned, and access is audited and recorded 24 hours a day, 365 days a year.

Constant Feature Updates

It’s impossible to keep up with evolving technology, feature requests, and bug reports without a full-blown IT department — which is why we’re happy to become your new in-house IT team, for a fraction of the cost. We announce improvements and additions daily — not to mention everything we’re doing behind the curtains.

Manageable Permissions

You can customize each user’s permission levels at a granular level to make sure access to sensitive data is only available to trusted users.

System Redundancy

In accordance with screening industry best practices, every application server and data server is separate and independently protected, making it the most security-sensitive platform available. Our system also has fail-safe redundancies via multiple independent servers that ensure your data is always protected and available, regardless of outages or interruptions.

Data Encryption

Every transaction and communication is automatically encrypted and performed in a secure environment that safeguards against any potential threat.

Multi-Factor Authentication

Our software requires every user, client, and applicant to prove their identity beyond that of just a password and username, providing an extra layer of protection.

Certifications and Assessments

What security certifications do you have?

Our platform undergoes PCI-DSS, EI3PA, and SOC 2 compliance certifications and assessments.



Our SOC 2 report is available under NDA for restricted distribution. Recipients wishing to obtain a copy of the SOC 2 report should email a request to [email protected] identifying who they are and their purpose for requesting the report.

For additional compliance and certification information for our cloud services partner Amazon Web Services (AWS), see https://aws.amazon.com/compliance/

What system penetration and vulnerability assessments are performed?  

A third-party PCI SSC Approved Scanning Vendor (ASV) conducts external and internal network vulnerability scans at least quarterly and after significant changes to our networking environments. Penetration testing is also conducted at least annually and after significant changes.


Security Policies and Procedures

Information security is the protection of information assets; its objective is to preserve the confidentiality, integrity, and availability of the information technology resources and information assets in the organization’s possession. Our Platform’s Information Security Policy applies to all information technology resources used for the storage, processing, and/or transmission of sensitive data, and to all sensitive data within the organization.

Information security is a responsibility shared by all parties with access to our Platform systems, including end-users and service providers.

What is your business continuity and disaster recovery (BCDR) policy?  

Our Platform maintains a Business Continuity and Disaster Recovery Plan which details the policies and procedures in the event of a disruption to critical system services or damage to IT equipment or data. These processes will ensure that those assets are recoverable to the right level and within the right time frame to deliver a return to normal operations, with minimal impact on the business. We have a responsibility to maintain business operations in the face of natural disaster, catastrophe, or security breaches. Emergency preparedness training and strategy are to be refined, discussed, and practiced in an annual Incident Response Meeting.

What is your database backup strategy?

Our Platform utilizes real-time database mirroring across multiple geographically isolated availability zones in the US-West-2 (Oregon) and US-East-1 (Virginia) AWS Regions to ensure the availability and durability of system data. In the event of a catastrophic primary database failure, the system can automatically promote a reader instance to primary in a matter of minutes. Additionally, nightly database snapshots are kept for fourteen days allowing point-in-time recovery.

Recovery Point Objective (RPO)

Our Platform database is replicated twelve times in real time across six separate, geographically isolated data centers. We expect virtually no data loss in the event of a catastrophic primary database failure, giving a recovery point objective on the order of tens of milliseconds.

Recovery Time Objective (RTO)

The recovery time objective for our system is 24 hours. In practice, in the event of a catastrophic primary database failure, we expect failover to happen within minutes.

What is your data encryption policy?  

Our Platform encrypts sensitive data using industry-standard protocols and ciphers. Sensitive data in motion or transit (e.g. data transmitted across a network) is encrypted using HTTPS and TLS 1.2. Sensitive data at rest (e.g. data stored in a database) is encrypted using AES-256. 

Our Platform manages encryption keys using a fully managed Key Management Service (KMS). Our Platform does not provide access to, accept from, or manage encryption keys on behalf of end-users. Designated Key Custodians must sign a form stating that they understand and accept their custodial responsibilities.  

What are your software development policies and procedures?

Our Platform maintains a Software Development Policy to ensure that security best practices (e.g. OWASP, SANS/CWE, CERT Secure Coding, etc.) are followed throughout the software development lifecycle. A standard, consistent, repeatable process helps prevent the inadvertent or malicious introduction of vulnerabilities into our Platform’s environment through code changes.

Software Development Methodology

Our Platform follows the Agile Kanban methodology of software development. Features, issues, and initiatives go through needs analysis, security impact analysis, design, review/planning, active development, and testing phases. Changes are documented in Atlassian JIRA and follow a well-defined approval and development workflow. The Product team reviews and approves issues and then assigns them to the Software Engineering team for development. Once completed, all code changes must pass both manual and automated quality review gates before the Operations team can merge and deploy them into the production environment. These gates include unit tests; static code analysis for common programming and security flaws; peer code reviews; and functionality, security, and regression testing by the Quality Assurance team. Release candidates are created frequently, usually 2-4 times a week, to minimize the footprint of each change set and facilitate rapid release of new code.

Software Development Environment

Our Platform’s Development and Quality Assurance environments are located across several availability zones in the US-West-1 (California) AWS Region and are physically and logically segregated from the production environments. Production data is not used for development or testing purposes and is not introduced into the Development or Quality Assurance environments.

How are TenantReportX personnel vetted and trained?

All employees must pass a thorough, pre-employment background screening prior to beginning employment. Additional screening may be conducted as necessary for promotion, transfer, or reassignment. Employees undergo job function and security awareness training as part of the on-boarding process and at regular intervals throughout their tenure. Training for the Software Engineering team includes secure coding practices (e.g. OWASP) training. Employees are assigned access rights and roles with least privileges and only as necessary to fulfill their specific job responsibilities.  


System Capabilities

What is the TenantReportX System technology stack?

Our Platform is a web-based, software-as-a-service background screening platform. The services and components comprising the system are primarily written in Java on the Spring enterprise application framework. The technology stack includes React (JavaScript), Java, the Java Cryptography Extension (JCE), Apache Tomcat, CentOS, Spring Data JPA, and an AWS Aurora (MySQL-compatible) database.

Users securely access TazWorks’ System over the Internet using HTTPS and a current version of Chrome, Firefox, Safari, Internet Explorer, or Microsoft Edge Internet browser.


What is TenantReportX System uptime?

Our Platform is designed to be highly available with minimal downtime. System failover is highly automated to ensure quick, efficient recovery in the event of system failures. Planned downtime is announced in advance through our Software News section.

How does TenantReportX System handle increased demand?

TazWorks’ System can scale both horizontally (i.e. increasing the number of computing resources) and vertically (i.e. increasing the performance of individual computing resources) to meet growth demands. Additional application and database servers can be added within minutes.

How does TenantReportX Platform manage user security?

Each user should be assigned a unique user account for system access. Users authenticate with a username, password, and multi-factor authentication (MFA) token. Passwords must meet minimum complexity requirements and are protected in the database using BCrypt hashing with a cost factor of eleven. MFA tokens can be delivered via an SMS-enabled device, Google Authenticator, or email (discouraged). User access can be restricted further by IP address whitelisting. User access to our Platform is logged by user identifier and timestamp.
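The BCrypt policy above (cost factor eleven) in working form, as an added example that is not TenantReportX or TazWorks code: it uses Spring Security's BCryptPasswordEncoder, since the page names Java and Spring as the stack. The `needsRehash` and `authenticateAndMaybeUpgrade` helpers are assumptions added here to show how a deployment keeps older, lower-cost hashes from lingering once the policy cost is raised.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class PasswordStorageDemo {
    // Policy from the page: BCrypt with a cost factor of eleven (2^11 key-expansion rounds).
    static final int POLICY_COST = 11;
    static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder(POLICY_COST);

    /** Hash a plaintext password for storage; a fresh random salt is generated per call. */
    static String hashForStorage(String plaintext) {
        return ENCODER.encode(plaintext);
    }

    /** Verify against the stored hash; the cost and salt are read from the hash itself. */
    static boolean verify(String plaintext, String storedHash) {
        return ENCODER.matches(plaintext, storedHash);
    }

    /** Parse the cost from a modular-crypt BCrypt string such as "$2a$11$<22-char salt><31-char hash>". */
    static int costOf(String storedHash) {
        String[] parts = storedHash.split("\\$");   // ["", "2a", "11", "<salt+hash>"]
        if (parts.length != 4 || !parts[1].startsWith("2")) {
            throw new IllegalArgumentException("not a BCrypt hash");
        }
        return Integer.parseInt(parts[2]);
    }

    /** True when a stored hash was produced with a weaker cost than the current policy (assumed helper). */
    static boolean needsRehash(String storedHash) {
        return costOf(storedHash) < POLICY_COST;
    }

    /** Login path (assumed helper): verify first, then transparently upgrade a legacy hash on success. */
    static String authenticateAndMaybeUpgrade(String plaintext, String storedHash) {
        if (!verify(plaintext, storedHash)) {
            return null;                          // caller records the failed attempt
        }
        return needsRehash(storedHash) ? hashForStorage(plaintext) : storedHash;
    }

    public static void main(String[] args) {
        String secret = "correct horse battery staple";            // constructed sample credential
        String stored = hashForStorage(secret);
        System.out.println("cost=" + costOf(stored) + " verify=" + verify(secret, stored));

        // Constructed legacy hash from a hypothetical earlier cost-10 deployment.
        String legacy = new BCryptPasswordEncoder(10).encode(secret);
        String after = authenticateAndMaybeUpgrade(secret, legacy);
        System.out.println("legacy needsRehash=" + needsRehash(legacy) + " upgradedCost=" + costOf(after));
    }
}
```

The upgraded hash returned by `authenticateAndMaybeUpgrade` should replace the stored value in the same transaction as the successful login, so the cost-10 hash is gone the next time that user signs in.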

Does TenantReportX System support Single Sign On (SSO)?

Yes. Our system supports service provider initiated single sign on using SAML 2.0.

How does TenantReportX monitor for performance and security?

Our Platform’s operational health is monitored through a combination of AWS CloudTrail events and alarms, AWS Elastic Compute Cloud (EC2) health checks, AWS Relational Database Service (RDS) alarms, New Relic analytic tools, and other third-party monitoring solutions. The Operations team reviews utilization, performance, and availability through console monitoring and receives active alerts and notifications through multiple channels, including email, SMS text, and telephone.

Our Platform provides a public-facing status page at https://status.tazworks.com with real-time health information and support for notification subscriptions. 

Monitoring and intrusion/threat detection and prevention (IDS/IPS) are achieved through a combination of Amazon Web Services (AWS) CloudTrail, AWS GuardDuty, AWS Web Application Firewall, rsyslog, and OSSEC. Events and alerts are logged, reviewed, evaluated, and handled as appropriate by the Operations team.