Frequently Asked Questions

General

What is RADAR?

RADAR is a secure SaaS application that helps companies with regulated data perform an automated risk assessment to determine which privacy and security incidents are notifiable under state and federal breach laws.

Is RADAR an out of the box solution?

Yes, RADAR is a SaaS application with no implementation requirement for its core functionality. Any integration requirements within a client's existing infrastructure can be addressed using our REST APIs.

How do you broadcast new releases or updates?

Major updates are announced via quarterly newsletter. In addition, all updates are posted in the application's announcements feature. Dedicated emails may be sent for some updates as deemed appropriate. Users are offered no-cost support and training for major feature rollout.

What are the system requirements for users of the platform?

RADAR is a SaaS solution delivered over the Internet via a web browser. There is no software installed on the user's machine. We require Internet Explorer 10 or 11, or the latest version of Chrome, Safari, or Firefox.

What design methodology is used to create RADAR?

RADAR is developed in short, iterative cycles that allow rapid development in close collaboration with internal personnel and customers. All changes to RADAR are reviewed by multiple staff members and undergo thorough testing before being integrated into a release. RADAR is built with an eye towards security; we pay close attention to common vulnerabilities and exposures (CVEs), and adhere to industry best practices to ensure data security. Additionally, we follow the 12-Factor Application methodology that facilitates horizontal scaling by using declarative formats for setup automation, enforcing clean contracts between systems to maximize portability, and minimizing the divergence between development and production environments.

How are software revisions and upgrades handled?

We use a continuous integration model. Application releases are defined as such in the issue tracking software. As part of the deployment process, all issues that were addressed in a particular release are associated with the version of the software in which they were fixed. Additionally, we associate the affected version of the software with a particular release. Releases are prioritized based on the severity and impact of the issues they address. All releases are conducted during a scheduled maintenance window.

Defining Event vs. Security Incident vs. Data Breach

Given today's threat-filled environment, chances are high that your organization will be—or already has been—the target of an attack, putting sensitive data at risk. How do you define this? Is it an event? A security incident? A data breach? Does it even matter what it's called?

In a word, yes. How you classify an occurrence will dictate your response—and thus how well you can minimize the monetary, regulatory, and reputational risks to you, your company, and the customers you serve.

Security

Is RADAR certified with the EU/US Privacy Shield, and expected to comply with upcoming GDPR breach notification laws once they are enforceable (May 2018)?

RADAR has been certified under the EU/US Privacy Shield framework. RADAR’s resource library offers regulatory overviews of data protection laws in each EU member state as well as the GDPR. Development efforts are underway to incorporate GDPR into RADAR’s patented breach guidance engine for automated incident risk assessment. Planned availability of GDPR risk assessment is well in advance of GDPR’s enforcement date of May 25, 2018.

How is the data center physically secured?

Our data centers are managed by a third party that provides secure infrastructure and services, from the host operating system and virtualization layer to the physical security of the facilities in which the services operate. These parts of the system can be validated through certifications and reports (SOC reports, ISO 27001 certification, PCI assessments, etc.), which are available upon request.

What is your basic scalability philosophy? Do you generally scale horizontally or vertically?

RADAR is designed to scale based on usage and to prevent system outages based on any single point of failure. We can scale both horizontally and vertically depending on the layer in which the demand is exceeding supply, and the consistency of that demand.

What monitoring processes are used to track system deterioration, system usage and unauthorized access?

RADAR is monitored by several systems for health and usage, including a third-party service for uptime and availability, server performance and health monitoring, and internal application logging and alerting.

Do you conduct penetration testing of RADAR?

Yes, an independent qualified third-party vendor conducts periodic penetration tests to further ensure security of the RADAR application and infrastructure against known and emerging vulnerabilities.

Describe data integrity safeguards written into the software.

The integrity of data is guarded by a combination of specific business rules (constraints enforced when data is written, transformed, and read) at various levels (attribute, tuple, entity and inter-entity). These rules ensure data quality and consistency during transactional operations.

How is client data segregated?

We separate client data by designating unique client account and registration identifiers and associated access control mechanisms. Attachments and documents are encrypted and stored in segregated document stores.
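The following example, added here and not RADAR's own code, illustrates the two preceding answers with a constructed SQLite schema: one constraint at each of the four integrity levels named above (attribute, tuple, entity, inter-entity), plus reads that are always scoped by the client identifier so one tenant's rows are never returned to another. Table and column names are assumptions for the illustration.

```python
import sqlite3

# Constructed schema (not RADAR's) showing a constraint at each level the FAQ names.
SCHEMA = """
CREATE TABLE client (
    client_id TEXT PRIMARY KEY,          -- entity level: one row per client identifier
    name      TEXT NOT NULL              -- attribute level
);
CREATE TABLE incident (
    incident_id   INTEGER PRIMARY KEY,   -- entity level
    client_id     TEXT NOT NULL REFERENCES client(client_id),  -- inter-entity level
    discovered_on TEXT NOT NULL,         -- ISO dates, so text comparison orders them
    reported_on   TEXT,
    record_count  INTEGER NOT NULL CHECK (record_count >= 0),  -- attribute level
    CHECK (reported_on IS NULL OR reported_on >= discovered_on) -- tuple level
);
"""

def open_db():
    """In-memory database with the schema and one sample client."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores REFERENCES without this
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO client VALUES ('acme', 'Acme Health')")
    conn.commit()
    return conn

def insert_client(conn, client_id, name):
    """True if accepted, False if a constraint rejected the row."""
    try:
        with conn:
            conn.execute("INSERT INTO client VALUES (?, ?)", (client_id, name))
        return True
    except sqlite3.IntegrityError:
        return False

def insert_incident(conn, client_id, discovered_on, reported_on, record_count):
    """True if accepted, False if a constraint rejected the row."""
    try:
        with conn:
            conn.execute(
                "INSERT INTO incident (client_id, discovered_on, reported_on, record_count)"
                " VALUES (?, ?, ?, ?)",
                (client_id, discovered_on, reported_on, record_count))
        return True
    except sqlite3.IntegrityError:
        return False

def incidents_for(conn, client_id):
    """Every read is scoped by the client identifier, so tenants never see each other's rows."""
    rows = conn.execute("SELECT incident_id FROM incident WHERE client_id = ?", (client_id,))
    return [r[0] for r in rows]
```

Each rejected insert below fails on a different level: a negative record count (attribute), a report date before discovery (tuple), an unknown client (inter-entity), and a duplicate client identifier (entity).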

How is data encrypted, both at rest and in transit?

The database is encrypted at rest using industry standard 256-bit Advanced Encryption Standard (AES) encryption. Data in transit is encrypted using Transport Layer Security (TLS) with 128-bit or 256-bit cipher suites.

Please describe your disaster recovery procedures.

RADAR is a SaaS application that runs on multiple dedicated servers. The infrastructure configuration is designed to eliminate any single point of failure. This includes replicated databases running in separate availability zones with hourly and daily backups.