How We Keep Your Data Secure

Rewind is built from the ground up with security in mind. As experts in data backups, security isn’t just a feature. It’s at the core of what we do.

People 👩‍💻

  • We require two-factor authentication (2FA) for all users for all systems that support 2FA (code repositories, build systems, cloud providers).
  • Our internal systems are only accessible over a VPN.
  • We apply the “least privilege” model meaning we assign access to employees based on the absolute least access someone needs to be able to perform their duties.

Applications 💻

  • We use the latest version of Ruby on Rails for most of our application development which provides many “out of the box” security benefits (encrypted cookies, sanitized DB queries via ActiveRecord, strong parameters).
  • Running in Amazon Web Services (AWS), we use IAM roles to define very specific access policies for what resources an application is allowed to access. These policies are used to enforce separation concerns (ie. systems supporting Shopify backups cannot access data related to BigCommerce).
  • The access policies themselves are defined as part of an “infrastructure as code” model and held under version control which requires several levels of review for any changes made.
  • Where applications need to communicate with external services using credentials, the credentials are stored encrypted in a vault out-of-band from the service itself and any build or deploy systems we use.
  • For sensitive data like platform access tokens, we encrypt these with a second key within the database. This means that even applications and humans that can query the database must be able to decrypt the access keys in order to communicate with a platform. The key itself is stored encrypted and only accessible by applications that require it.
  • At the network level, we use AWS security groups with rules allowing least privilege access to required services. For example, only services that need access to a database can access that database.

Physical Security 🗄️

  • We host Rewind on Amazon Web Services (AWS), the most secure infrastructure provider on the planet. AWS provides many layers of security.
  • Data is stored in one of 3 regional centers (US, Europe, and Canada) for compliance with requirements like GDPR.
  • If you have a requirement to have backup data stored in a different geographic location, you can contact our team and we can work with you to store your data where needed. (Enterprise plans only)
  • All data at rest in our databases, cache services, or other data stores is encrypted using standard AWS encryption mechanisms – typically AES 256.
  • For data in transit across the network, all communication takes place using HTTPS (encrypted) connections. We use a certificate with a 2048 bit key size on all of our Rewind endpoints and certificates are rotated yearly.

How do we monitor for security events? 🔍

  • Our applications undergo an external audit by a 3rd party to identify any security concerns.
  • AWS has a fantastic range of tools and services to monitor security. We use Guard Duty, AWS CloudTrail, and VPC Flow Logs to monitor all network activity.
  • AWS Security Hub gives us a comprehensive view of our high-priority security alerts and compliance status across our AWS services.
  • We regularly run our application through other 3rd party tests (SSL Labs testing, external scanning using tools like Tinfoil Security) to identify any security concerns.

 

Get peace of mind with Rewind

Install in just a few minutes. Free 7-day trial. Cancel anytime. 

Get peace of mind with Rewind

Try Rewind for free for 7 days. Cancel anytime.