Security & Compliance

Data Security

Data Encryption

Data in transit: All data transferred between the user’s browser and Rhythmos’s servers is encrypted in transit using TLS 1.3.

Data at rest: Data is encrypted at rest in GCP using AES-256 encryption.

Data center security

Data center provider: Rhythmos uses Google Cloud Platform (GCP) to host its production servers, databases, and supporting services.

Multi-region: Rhythmos uses a multi-region setup for its infrastructure. The principal region for running the application is GCP region us-central1 (Iowa), with GCP region us-west1 (Oregon) serving as the backup region.

Data Availability

Backups: Rhythmos’s production systems and data are backed up on a regular basis. We work through a checklist to verify that each backup is recorded and usable, and restores from backup are tested periodically.

Application Security

Development security

Access controls: Access to Rhythmos’s systems is restricted to those who need it and is reviewed periodically. Rhythmos enforces the principle of least privilege.

Testing and review: All changes to our application are subject to peer review and are tested prior to being merged.

Separate environments: Rhythmos maintains segregated development, testing, and production environments.

Vulnerability management

Penetration testing: Rhythmos’s security team uses third parties to conduct penetration tests to identify deficiencies in the system that may affect critical assets.

Vulnerability scanning: Rhythmos uses third-party security tools to continuously scan our applications, systems, and infrastructure for security risks and vulnerabilities.

Code analysis: Rhythmos’s code repositories are regularly scanned for security issues using static code analysis.

Automatic dependency management: Rhythmos uses automated tooling to actively check for dependency updates for a proactive, rather than reactive, security stance.

Product Security

Authentication

Multi-Factor Authentication: Rhythmos allows you to add an extra layer of security to your account by enabling two-step verification, also called two-factor authentication. This reduces the risk of your account being accessed by anyone else.

Single Sign-On: Rhythmos offers integration with customers’ single sign-on (SSO) systems that support industry standards such as SAML and LDAP.

Third-Party Identity Provider: Rhythmos applications are secured by a third-party identity provider, and all backend APIs use JWT-based authentication and authorization.

Manager permissions

People Security

Security awareness

Dedicated Team: Rhythmos has a dedicated team responsible for ensuring that all security practices and policies are enforced. This team is also responsible for responding to any security incidents quickly and efficiently.

Policies: Rhythmos maintains a comprehensive set of security policies, which are updated regularly and must be reviewed by each employee at least annually. Policies are communicated to employees and are available for review at any time.

Training: All Rhythmos employees are required to complete security training upon joining the company.

Employee checks

Background checks: Background checks are performed on all Rhythmos candidates prior to hiring.

New-hire reviews: All Rhythmos employees are required to sign Rhythmos’s information security policy and confidentiality agreements upon joining the team.

Information Security

SOC

SOC 2 Reports: Rhythmos maintains an AICPA System and Organization Controls (SOC) 2 Type II report. The SOC report is available to customers after an NDA has been signed. Please reach out to security@rhythmos.io to obtain a copy of Rhythmos’s most recent SOC 2 Type II report. Further information on the AICPA’s SOC 2 reporting framework is available from the AICPA.

GDPR: Rhythmos’s security practices comply with the GDPR. Specific details about our data storage and the personally identifiable information we collect can be found in our privacy policy and terms and conditions.