Security & Compliance
Data Security
Data Encryption
Data in transit: All data transferred between the user’s browser and Rhythmos’s servers is encrypted in transit. Rhythmos uses SSL/TLS v1.3.
Data at rest: Data is encrypted at rest in GCP using AES-256 encryption.
Data center security
Data center provider: Rhythmos uses Google Cloud Platform (GCP) to host its production servers, databases, and supporting services.
Multi-region: Rhythmos uses a multi-region setup for its infrastructure. The principal region for running the application is GCP region US-Central 1 (Iowa), with GCP region US-West 1 (Oregon) serving as its backup.
Data Availability
Backups: Rhythmos’s production systems and data are backed up on a regular basis. We run through a checklist to verify data is recorded and usable. Backups are tested on a periodic basis.
Application Security
Development security
Access controls: Access to Rhythmos's systems is restricted and is reviewed periodically. Rhythmos enforces the principle of least privilege.
Testing and review: All changes to our application are subject to peer review and are tested prior to being merged.
Separate environments: Rhythmos maintains segregated testing, development and production environments.
Vulnerability management
Penetration testing: Rhythmos’s security team uses third parties to conduct penetration tests to identify deficiencies in the system that may affect critical assets.
Vulnerability scanning: Rhythmos uses third-party security tools to continuously scan our applications, systems, and infrastructure for security risks and vulnerabilities.
Code analysis: Rhythmos’s code repositories are regularly scanned for security issues using static code analysis.
Automatic dependency management: Rhythmos uses automated tooling to actively check for dependency updates for a proactive, rather than reactive, security stance.
Product Security
Authentication
Multi-Factor Authentication: Rhythmos allows you to add an extra layer of security to your account by enabling two-step verification, also called two-factor authentication. This reduces the risk of having your account accessed by anyone else.
Single Sign-On: Rhythmos offers integration with customers' single sign-on systems that comply with industry standards such as LDAP and SAML.
Third-Party Identity Provider: Rhythmos applications are secured by a third-party identity provider, using JWT-based authentication and authorization for all backend APIs.
Manager permissions
People Security
Security awareness
Dedicated Team: Rhythmos has a dedicated team responsible for ensuring that all security practices and policies are enforced. This team is also responsible for responding to any security incidents quickly and efficiently.
Policies: Rhythmos maintains a robust set of security policies that are updated regularly and must be reviewed by each employee at least once a year. Policies are communicated to employees and are available for review at any time.
Training: All Rhythmos employees are required to complete security training upon joining the company.
Employee checks
Background checks: Background checks are performed on all Rhythmos candidates prior to hiring.
New-hire reviews: All Rhythmos employees are required to sign Rhythmos’s information security policy and confidentiality agreements upon joining the team.
Information Security
SOC
SOC 2 Reports: Rhythmos maintains an AICPA System and Organization Controls (SOC) 2 Type II Report. The SOC Report is available to customers after an NDA has been signed. Please reach out to security@rhythmos.io to obtain a copy of Rhythmos's most recent SOC 2 Type II Report. Click here for more information on AICPA's SOC 2 reports.
GDPR: Rhythmos complies with the GDPR's security requirements. Specific details about our data storage and the personally identifiable information we collect can be found in our privacy policy and terms and conditions.