Trust Center

  • Product Security

    Last updated Tue, Nov 16, 2021

    Access to Recital is controlled by the same login used to access work email, using single sign-on from either Google or Microsoft. When an email account is disabled, its user can no longer log in to Recital.

    • Google SSO
    • Office 365 SSO
  • Data Security

    Last updated Tue, Nov 23, 2021

    Recital stores the minimum information needed; extra data is deleted from our systems as soon as it is no longer needed. Information Recital does store is encrypted at all times.

    • Data Encrypted At-Rest

      All servers and databases are encrypted (AES-256) at the storage level. Files and database columns storing sensitive data are additionally encrypted (AES-256) at the application layer.

    • Data Encrypted In-Transit

      HTTPS (minimum TLS 1.2) is used for all data transmission.

  • Privacy

    Last updated Mon, May 2, 2022
    • Privacy Policy
  • Organizational Security

    Last updated Tue, Nov 16, 2021

    All Recital staff are responsible for security. We issue hardware security keys to anyone with access to code, data, or sensitive information. Two-factor authentication is required and/or enforced wherever supported.

    • Confidentiality Agreements

      All Recital staff sign confidentiality agreements.

    • Limited Employee Access (Principle of Least Privilege)

      Access to systems is granted on a need-to-have basis, and access within systems is limited whenever possible. For example, only the operations team has access to production data.

      Recital staff must request permission before looking at a user's data, including for support or debugging purposes.

      Access is revoked as soon as it is no longer necessary. Terminated employees have access removed immediately, and are required to return or delete all confidential information.

  • Business Continuity

    Last updated Tue, Nov 16, 2021
    • Data Backups

      Data is continuously backed up and retained for the last 4 days. Daily backups are retained for 4 weeks.

  • Infrastructure

    Last updated Fri, Mar 18, 2022

    Recital's hosting, storage, and data processing are on Amazon Web Services (using Heroku) in eastern USA.

    • Multi-Tenant Architecture
    • SOC 3 - Data Center

      All data is processed and hosted on Amazon Web Services, which conforms to the highest available standards.

      Read more at https://aws.amazon.com/compliance/soc-faqs/ and https://aws.amazon.com/compliance/data-center/

  • Threat Management

    Last updated Tue, Apr 12, 2022
    • Static Application Security Testing (SAST)

      Every code change and product release is scanned with static analysis using the most restrictive security rules available. On the backend, we additionally use a security vulnerability scanner (brakeman) to verify all code changes.