IT Security and Compliance

Our Compliance Stack at ResGuard

Our commitment to data privacy and security is embedded in every part of our business.
Use this Trust Center to learn about our security measures and read our security documentation.

Platform and Network Security

The foundation of security at ResGuard is infrastructure security. ResGuard relies on our Virtual Private Cloud (VPC) to logically isolate our internal networks. We maintain security groups that control and restrict network access through configured inbound and outbound rules.

Availability

We build highly available products that service various monitoring and observability needs for our customers through scalability inherited from our CSP. We adhere to our service level agreements (SLAs) of 99.7% availability. Additional information about our SLA can be found within our Master Services Agreement.

Personnel Security

At ResGuard, we encourage all employees to participate in helping secure our customer data and company assets. Where applicable by law, ResGuard performs background screenings on personnel prior to joining the organization. All ResGuard personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles. Our security training materials are based on individual roles to ensure employees have the tools to handle the specific security-oriented challenges they encounter in their jobs.

Product Security

Product security is of paramount importance at ResGuard. We incorporate security into the design of our products from the beginning stages of our software development lifecycle. We develop products in line with general Agile methodologies and integrate security throughout the Agile release cycle. This allows us to discover vulnerabilities sooner, so we can address them more rapidly than we would if we used longer release cycles. Well-defined change management policies and procedures determine when and how changes occur. This philosophy is central to DevOps security and the development methodologies that have driven ResGuard adoption.

Patch Management

ResGuard releases software patches as part of our continuous integration process. We strive to ensure patches that can impact end users are applied as soon as possible and within our established service level agreements (SLA) by sending end user notifications and scheduling service windows.

Physical Security

As a SaaS provider, ResGuard production infrastructure is hosted in cloud service provider (CSP) environments. These CSPs manage physical and environmental security controls for ResGuard production servers, including buildings, locks, and door keys.

Physical security practices at the ResGuard offices include strict enforcement of badge access to enter the building, as well as to access ResGuard floors and secure work areas. All visitors are required to provide identification to receive a visitor’s badge and are to be escorted by a ResGuard employee at all times.

Access Management

ResGuard grants access to assets and sensitive information on a need-to-know basis based on role. Access is controlled based on the principle of least privilege, meaning users have only the level of access required to perform their job functions. Additionally, we enforce multi-factor authentication, which includes strong passwords and a secondary factor. ResGuard third parties do not have direct access to production systems.

We monitor and log access to all production environments for security purposes. Additionally, access is audited and baselined to meet our security and compliance requirements.

Protection of Customer Data

Data submitted to the ResGuard service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer data is not authorized to exit the ResGuard production service environment except in limited circumstances such as to support a customer request.

All data transmitted between ResGuard and our users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the ResGuard application is inaccessible.

ResGuard has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and we enforce full-disk encryption and unique credentials for workstations.

Monitoring

ResGuard monitors critical infrastructure for security-related events by using a custom implementation of open source and commercial technologies. Activity data such as API calls and operating system-level calls are logged to a central point, where the information is passed through a series of custom rules designed to identify malicious or unapproved behavior. The results of these rules are fed into an orchestration platform that triggers automated actions, which may include directly alerting the security team or prompting additional authentication requirements.

CSP Hosting

AWS Cloud - ResGuard is not running any on-premise data centers.

Audit Logging

ResGuard has an extensive product logging mechanism, including an audit log console accessible to customers. Additionally, audit logging is enabled for all customer support, web end user applications, technical operations applications, and staging and production management infrastructure.

Multi-Factor Authentication

A central identity provider and multi-factor authentication are enabled for all customer support, web end user applications, technical operations applications, and staging and production management infrastructure. ResGuard users are required to use multi-factor authentication when accessing the production environment.

Role-Based Access Control

Formal role-based access controls that limit access to systems and system components are created and enforced by the access control system. When formal role-based access controls are not possible, authorized user IDs with two-factor authentication are used. ResGuard also adheres to the principle of least privilege.

Daily Backups

ResGuard shall maintain a contemporaneous backup that can be recovered immediately at any point in time, except during a disaster. Backups take place on a daily basis, with full incremental backups every week. We do not use tapes. We archive data and back it up incrementally, in an attempt to ensure that data is usable and readily available.

Encryption-at-rest

Data at rest is encrypted with AES-256.

Encryption-in-transit

All data transmitted between ResGuard and ResGuard users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the ResGuard application is inaccessible.

Code Analysis

As part of our secure development lifecycle, there are peer reviews, static analysis and dynamic analysis testing prior to committing code to production.

Vulnerability & Patch Management

ResGuard performs monthly scans of servers and networks, and identified vulnerabilities are tracked and remediated according to ResGuard’s Vulnerability Management procedures. ResGuard also performs monthly application vulnerability scans of critical environments, in addition to static code analysis to ensure the security and integrity of ResGuard’s environments and products. All identified vulnerabilities are assigned to an owner, and remediated according to ResGuard’s Vulnerability Management procedures.

Password Security

Multi-factor authentication is required to access ResGuard's production environment. Where multi-factor authentication is not possible, ResGuard applies the following password standards:

  • A minimum length of 8 characters
  • At least one lowercase letter
  • At least one number
  • At least one non-alphanumeric character

Network Time Protocol

Systems and network devices utilize a common time synchronization service. An NTP check is included in the ResGuard agent.

Separate Production Environment

ResGuard maintains a staging environment for testing, separate from its production environment.

Endpoint Security

Disk Encryption: All ResGuard employee laptops use full-disk encryption.

Endpoint Detection & Response: Anti-malware controls are in place to protect workstations and servers. The engines supporting these anti-malware tools are updated continuously.

Network Security

Firewall: ResGuard's firewall rules are set to deny all by default.

SIEM: All security-relevant log data is ingested into our centralized SIEM system to analyze and detect suspicious activity on all technical layers.

Incident Response

At ResGuard, when an incident is identified, a security incident ticket is created with the details of the event, including date and time the incident occurred, the nature of the incident, and how the incident impacts customers. The creation of that case triggers the notification of appropriate security team members. These team members immediately initiate an investigation to assess the scope and impact of the situation, and to determine the actions necessary for mitigation.

Penetration Testing

Regular penetration testing via a third party is carried out.

Security Operations Center

ResGuard has a dedicated 24x7 incident response function with on-call employees to address critical incidents and service outages. If the incident is determined to be related to security, the appropriate security team members are included in the response procedures.

Standard Support

Our standard support covers any upcoming issues, problems or requests regarding our RCM cloud solution:

  • Request: support(at)resguard-solutions.com
  • SLA: First response within 24h

Extended Support

Support with extended SLA definitions can be provided via custom subscription models. Please ask your account manager for more details.

Maintenance Window

Regular patch, update and feature upgrade activities are planned during our scheduled maintenance window every first Sunday of the month between 02:00am CET and 03:00am CET. Customers are informed of planned downtimes via the information table below.

Provider and responsible authority in the sense of the Personal Data Protection Act

ResGuard Pte. Ltd.
4 Battery Road
#25-01 Bank of China Building
Singapore 049908

Data Protection Officer:

Sven Kreiter

Data Protection Requests

[email protected]

Scope

This privacy statement provides users with information on the nature, extent and purpose of the collection and use of their data by the responsible provider.

Gender clause

Insofar as the masculine form is used in the contents of this report, it is assumed that this refers to both genders on equal terms.

Collection of contact information for enquiries

The website provides a contact form to reach out to us to receive more information about our services. To be able to contact the user, we collect the name and e-mail address. The data is only used for communication purposes and is deleted after request completion.

Collection of general information

Every time information about the services offered by RESGUARD, company information, or current contributions on the subject of information security is accessed, information (also referred to as server log files) is automatically collected by us or the webspace provider.

Among other information this includes: website name, file, date, data volume, web browser and web browser version, operating system, the domain name of your Internet provider, the referrer URL (the page from which you accessed our offer) and the IP address.

Without this information, it would not be technically possible to deliver and display the website content. In this respect, collecting data is absolutely necessary. Furthermore, we use this information for statistical purposes. It helps us to optimise our services and technology. We also reserve the right to check the log files in case of suspected illegal use of our services.

Integrating third-party services and content

Our range includes content and services from other suppliers. For example, this might be videos, graphics or images from other websites. In order for this data to be retrieved and displayed in the user’s browser, transmitting the IP address is absolutely necessary. The providers (hereinafter referred to as “third-party providers”) detect the IP address of the respective user.

Even if we try to use only third-party vendors who only need the IP address to deliver content, we have no influence on whether the IP address or other information about you is stored by them. If we know that the IP address is going to be stored, we inform our users of this.

Cookies

This website uses cookies. Cookies are text files that are stored on your computer by the server. They contain information about the browser, the IP address, the operating system and the Internet connection. We will not pass on this data to third parties or link it to personal data without your consent.

Cookies have two main purposes. They help us make it easier for you to navigate through our services and they also enable the website to be displayed correctly. They are not used to spread viruses or to open programs.

Users have the option to browse our site without cookies. To do so, the corresponding browser settings must be updated. Use your browser’s Help menu to find out how to deactivate cookies. However, please note that some features of this website may be impaired and the use of services may be restricted. The pages http://www.youronlinechoices.com/uk/your-ad-choices/ (Europe) and http://www.aboutads.info/choices/ (USA) allow you to manage online advertising cookies.

Google AdWords

This website uses the online advertising program “Google AdWords” and its conversion tracking feature. Google AdWords will place a cookie on your computer, provided you came to our website via a Google ad. These cookies lose their validity after 30 days and are not used for personal identification. If the user visits specific pages on our website and the cookie has not yet expired, we and Google are able to recognise that the user clicked on the ad and was forwarded to this page. Every Google AdWords customer receives a different cookie. Therefore, cookies cannot be tracked through the websites of AdWords customers.

The information collected using the conversion cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. Customers will see the total number of users who have clicked on their ad and have been redirected to a site with a conversion tracking tag. However, they do not receive any information that allows users to be personally identified.

If you do not want to participate in the tracking process, you can simply disable the Google Conversion tracking cookie using your Internet browser in the user settings section. You will then not be included in the conversion tracking statistics. Find out more about Google’s data protection policy here https://www.google.com/policies/privacy/

Google Analytics

This website uses the standard analysis tool “Google Analytics” of Google Inc. (short: “Google”). Google Analytics uses cookies (text files that are stored on the computer). The generated information about the use of the website is transmitted to an American server of Google and stored for further processing. With your privacy in mind, we have extended Google Analytics with the option “anonymizeIP” so that all data is collected anonymously. The default IP address provided by your browser will not be merged with other data provided by Google. In exceptional cases, the full IP address will be transmitted and truncated on a Google (US) server.

The data collected by Google Analytics is evaluated to generate reports on user activity and to optimize your user experience. To object to the storage of the cookies, please make the appropriate setting in your browser. Please note that you may then only be able to use some areas of this website to a limited extent.

You can prevent the collection of user-related data and the processing of this data by Google by installing a corresponding browser plug-in. Alternatively, you can prevent the collection by Google Analytics by clicking on this link: Disable data capture. An opt-out cookie will be set which prevents the future collection of your data when you visit this website. The opt-out cookie is only valid in this browser and only for this website and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again.

We also use Google Analytics to analyze data from AdWords for statistical purposes. If you do not want this, you can disable it through the Ads Preferences Manager.

Data economy

We save personal data according to the principles of data avoidance and data economy only as long as it is required or prescribed by law (statutory storage period). If the purpose of the information collected ceases to be relevant or the storage period expires, the data is blocked or deleted.

Your rights

In principle, you have the rights to information, correction, deletion, restriction, data portability, revocation and objection (see PDPA Access & Correction Obligation or European General Data Protection Regulation, Articles 12-23). Exceptions: if the issue relates to the prescribed data storage for business processing or if the data is subject to statutory retention requirements.

For these purposes please contact [email protected]

In order to allow for a data lock at any time, it is necessary to keep the data in a lock file for checking purposes. If there is no legally required archiving obligation, you can also request the deletion of the data. Otherwise, we will lock the data if you so desire.

Applications

If you apply to a company in the RESGUARD group, that company processes your personal data as a controller. Providing your personal data is necessary for an application to proceed. You are entitled to the data subject rights of EU-GDPR and Singapore PDPA, as described later in this document.

Lawfulness

We process your personal data to take steps prior to employment at your request (Art. 6 (1) (b) EU-GDPR, possibly in connection with Art. 9 (2) (b) EU-GDPR). Any additional processing beyond this application process is based on another, separately declared legal basis.

Application process

Our application process is mostly conducted by email. Your application usually encompasses:

  • Letter of motivation
  • Curriculum vitae
  • Description of your qualification and education
  • Attestation of your qualification and education

The extent of your application documents is determined by you. We will only collect data necessary to proceed with the application process.

If we invite you to an interview, we collect further personal data encompassing your personal interests and particulars of your professional aspirations and qualification.

Transfer of application data

We share your application data within our organisation with persons involved in the application process: human resources managers, subject matter experts and potential superiors.

RESGUARD may invoke external processors to assess your expert knowledge. We will let you know about this before we transmit your personal data to these processors so that you may check their detailed data protection policies.

If you enter into an employment contract with us, we keep your application data until the conclusion of that contract’s retention periods.

If we do not conclude an employment contract, we keep your application data for six months. If you want to receive updates on open positions, you may grant us your separate, written consent to do so.

Building access

If you want to visit our office locations, we require you to sign our terms of access. This form asks for your name, your organisation and the person you are visiting, as well as the security zone and the time of your visit.

The RESGUARD company you visit controls the processing of this data based on our legitimate interest in a secure office operation, which requires protecting our information and infrastructure. Providing you with the most important security rules in a provable way is an important organisational privacy measure (Art. 32 EU-GDPR) for us. We keep the signed forms for two years. Signing the terms of access is necessary to enter our offices. We do not use automated decision-making with respect to this processing.

We do not transmit your data to third parties. If we share it among RESGUARD companies outside of Singapore, the safety of your data is ensured through standard contractual clauses.

Changes to our data protection policy

In order to ensure that our data protection policy always complies with the current legal requirements, we reserve the right to make changes at any time. This also applies in the event that the data protection policy has to be adapted due to new or revised activities, for example new services. The new data protection policy takes effect on your next visit.

ResGuard Solutions

If you have any questions or comments, you can reach us using the following contact details.

ResGuard Solutions Pte. Ltd.
4 Battery Road
25-01 Bank of China Building
Singapore 049908

© 2024 www.resguard-solutions.com