Security from the inside out

Application level security

• Account passwords are hashed so no employees can view them. This means the only way to fix a lost password is to reset it – please contact support if this is the case for you.

Encryption and data integrity

• We have a full suite of ISO27001 Cyber Security policies, ensuring we’re committed to security from the top.
• Your data is protected through multiple independent layers of security – or ‘defense in depth’ – ensuring you’re protected even if one layer fails. We use defense in depth throughout our network, system and access controls.
• Our data is encrypted at rest with AES-256 and encrypted in-flight with 2096bit RSA encryption (TLS 1.2 or Higher).

Infrastructure and platform security

• Our platform and data is hosted on Amazon’s AWS Global Infrastructure. AWS infrastructure is independently audited and certified for SOC 1, 2 and 3. 
• We use AWS’ multi-AZ architecture to ensure we are resistant to failure, and data is protected across geographies.
• We employ secure coding techniques based on the OWASP Top Ten, an independent standard for developers and web application security.
• Our development, testing and production environments are separated. All platform updates are peer reviewed and logged for performance, audit and forensic purposes, before being pushed into production. 
• Our software is written with security principles in mind to prevent Broken Access, XRF, CSRF, SQL injection and other common attacks.

Internal processes and education

• We follow the principle of least privilege, so no one has access to your data who doesn’t need to.
• We provide regular cyber security training for all our employees, including training for developers to prevent XRF, CSRF, SQL injection and other common attacks. 
• We also encourage all employees to actively continuously improve the security of Realtair, no matter where they sit in the organisation.
• Our staff have confidentiality agreements and ISO 27001-2 policy and procedures that are part of employees’ contracts.

Monitoring and testing

• We constantly monitor security, performance and platform availability 24/7. We get reports in real time so we can react immediately as an issue arises.
• All actions taken on production consoles are logged. 
• We conduct regular cyber security and penetration testing through Vertex Cyber Security, an independent CREST certified cyber security expert company. We aim to do this at least annually.

Responding to incidents

• We take all security incidents very seriously and will investigate any potential security threats and issues, resolving them quickly.
• During a security incident, we follow a cyber security response procedure that includes following industry best practices for disclosure and notification.