Security Program

Our customers ask us about Referral Rock’s security program on a regular basis. As a general rule, we don’t want to expose detailed information about our security program because we don’t want to provide intelligence to bad actors. However, we realize information security is imperative and our customers need to know that we are employing a security program to protect their information. To this end, we have outlined at a high level the measures we take to protect our customer’s data.

Certification

Referral Rock is ISO/IEC 27001 and SOC II Type 2 Certified through our third-party systems including:

Microsoft Azure – hosting including servers, databases, and network infrastructure. SOC 1/SSAE16, SOC 2/AT Section 101, ISAE 3402, and ISO/IEC 27001 Certified – https://microsoft.com/en-us/TrustCenter/Compliance/ISO-IEC-27001 https://www.microsoft.com/en-us/trustcenter/compliance/soc
Sparkpost – primary email provider (only has access to email addresses that we send through the service). SSAE-16 SOC II Type 2 Certified – https://www.sparkpost.com/policies/security/
Send Grid – backup email provider (only has access to email addresses that we send through the service). SOC2 Type 2 certification – https://sendgrid.com/policies/security/

Data Center Security

We leverage Microsoft Azure (Azure) to provide infrastructure services to host our environment.
By using Azure, Referral Rock is able to take advantage of their sophisticated security environment, logging, identity and intrusion protection systems and focus on our software and your data.
Azure has a robust DDOS team constantly monitoring their data centers.
Referral Rock has multiple geo-located environments and backups ready to go live in the event of a disaster.
All databases are encrypted at rest and over transmission

Application Level Security

Referral Rock routinely scans its applications for vulnerabilities and security issues and we promptly remediate any issues we find.
Referral Rock utilizes an exercised Assessment and Response Policy to monitor and respond to any risks or incidents.
Referral encrypts all data and traffic.

Culture of Security

Our CEO and Tech Lead have over 30 years combined experience in enterprise-level information security including development for Walmart, Aflac, and the US Government.
We have a security policy for securing the integrity, confidentiality, and availability of customer data and protecting customer data against any unauthorized or unlawful acquisition, access, use, disclosure, or destruction.
All of our employees with access to confidential information or customer data are required to read and acknowledge our security and acceptable use policy.
We conduct annual security awareness training and quarterly threat briefings to ensure our team is aware of the latest attack trends.
We limit access to the production database and servers to a few, select senior staff
Our security team is involved throughout our development and operations processes and cycles to ensure we incorporate security best practices into the product and environment.

Abuse

We want to ensure we’re protecting your customer data. If we see accounts with signs of suspicious activity, we take immediate action. If you have any questions, please email us at security@referralrock.com.

Investing in Your Privacy

Our CEO and Tech Lead work with our developers to make sure our services comply with applicable privacy laws.
Referral Rock is GDPR-ready and Privacy Shield Certified.
We never sell your customer/member data. See our Privacy Policy and Data Processing Agreement for more detail on how we protect your data.

Insurance

Referral Rock has established a comprehensive liability insurance program that works in conjunction with our security program. This program has been designed to provide coverage for a wide variety of business, technology and security issues. Referral Rock only works with highly reputable and highly rated insurance carriers.

v1.0 August 27, 2018