RADAR® Frequently Asked Questions
RADAR is an award-winning and patented Incident Response Management Platform specifically designed to automate compliance with federal, state, and contractual obligations stemming from security and privacy incidents involving sensitive customer data. We understand how critical it is to keep sensitive information secure. Our clients, including many Fortune companies, use RADAR to effectively manage incidents involving Personally Identifiable Information (PII) and Protected Health Information (PHI). We follow best practices and industry standards for application, network, and infrastructure security.
Q: Is RADAR an out-of-the-box solution?
A: Yes, RADAR is a SaaS application with no implementation requirement for its core functionality. Any integration requirements within a client's existing infrastructure can be addressed using our REST APIs.
Q: How does RADAR secure my organization's data?
A: RADAR was built with security and privacy as the primary focus. We employ a mature software development lifecycle which ensures all product changes are considered from both a privacy and a security perspective.
Q: Is RADAR HIPAA compliant?
A: Yes, RADAR is built upon and deployed using dedicated infrastructure that is HIPAA compliant. In addition, we routinely sign Business Associate Agreements (BAAs) with our Healthcare clients.
Q: How do you broadcast new releases or updates?
A: Major updates are announced via quarterly newsletter. In addition, all updates are posted in the application's announcements feature. Dedicated emails may be sent for some updates as deemed appropriate. Users are offered no-cost support and training for major feature rollout.
Q: How is the data center physically secured?
A: Our data centers are managed by a third party that provides secure infrastructure and services, from the host operating system and virtualization layer to the physical security of the facilities in which the services operate. These layers can be validated through certifications and reports (e.g. SOC reports, ISO 27001 certification, PCI assessments), which are available upon request.
Q: What is your basic scalability philosophy? Do you generally scale horizontally or vertically?
A: RADAR is designed to scale based on usage and to prevent system outages based on any single point of failure. We can scale both horizontally and vertically depending on the layer in which the demand is exceeding supply, and the consistency of that demand.
Q: What monitoring processes are used to track system deterioration, system usage and unauthorized access?
A: RADAR is monitored by several systems for health and usage, including a third-party service for uptime and availability, server performance and health monitoring, and internal application logging and alerting.
Q: What are the system requirements for users of the platform?
A: RADAR is a SaaS solution delivered over the Internet via a web browser. There is no software installed on the user's machine. We require Internet Explorer 9, 10, or 11, or the latest version of Chrome, Safari, or Firefox. Support for Internet Explorer 9 will end in January 2016.
Q: What design methodology is used to create RADAR?
A: RADAR is developed in short, iterative cycles that allow rapid development in close collaboration with internal personnel and customers. All changes to RADAR are reviewed by multiple staff members and undergo thorough testing before being integrated into a release. RADAR is built with an eye towards security; we pay close attention to common vulnerabilities and exposures (CVEs), and adhere to industry best practices to ensure data security. Additionally, we follow the 12-Factor Application methodology that facilitates horizontal scaling by using declarative formats for setup automation, enforcing clean contracts between systems to maximize portability, and minimizing the divergence between development and production environments.
Q: How are software revisions and upgrades handled?
A: We use a continuous integration model. Each application release is defined as a release in the issue tracking software. As part of the deployment process, every issue addressed in a release is associated with the software version in which it was fixed; we also record the affected version of the software against that release. Releases are prioritized based on their severity and impact, and all releases are conducted during a scheduled maintenance window.
Q: Please describe the software’s transaction logging capabilities.
A: Critical transactions are logged in the application’s error log and can be retrieved by authorized personnel for analysis or investigation into application usage.
Q: Do you conduct penetration testing of RADAR?
A: Yes, an independent qualified third-party vendor conducts periodic penetration tests to further ensure security of the RADAR application and infrastructure against known and emerging vulnerabilities.
Q: Describe data integrity safeguards written into the software.
A: The integrity of data is guarded by a combination of specific business rules (constraints during the writing, transformation, and reading of data) at various levels (attribute, tuple, entity and inter-entity). These rules ensure data quality and consistency during transactional operations.
Q: How is client data segregated?
A: We separate client data by designating unique client account and registration identifiers and associated access control mechanisms. Attachments and documents are encrypted and stored in segregated document stores.
Q: How is data encrypted, both at rest and in transit?
A: The database is encrypted at rest using industry standard 256-bit Advanced Encryption Standard (AES) encryption. Data transfers are encrypted using 128-bit or 256-bit Transport Layer Security (TLS) technology.
Q: How often are backups created?
A: We perform a full backup every day, differential backups hourly, and transaction log backups every 10 minutes. Backups are encrypted and written to an encrypted backup volume, then uploaded periodically to a secure online file storage service, where they eventually expire according to a lifecycle management configuration.
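As an added worked example (not RADAR's own code or restore procedure), the following Python shows what the stated schedule implies for recovery: which backups a point-in-time restore needs and how much data it can lose. It assumes a SQL Server-style full/differential/log chain and a constructed backup catalogue; the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Schedule as stated in the FAQ: a full backup daily, differentials hourly,
# transaction-log backups every 10 minutes.
FULL_EVERY = timedelta(days=1)
DIFF_EVERY = timedelta(hours=1)
LOG_EVERY = timedelta(minutes=10)

def generate_catalog(start, end):
    """Constructed backup catalogue (hypothetical) that such a scheduler would
    produce between start and end: list of (timestamp, kind) tuples."""
    entries, t = [], start
    while t <= end:
        elapsed = t - start
        if elapsed % FULL_EVERY == timedelta(0):
            kind = "full"
        elif elapsed % DIFF_EVERY == timedelta(0):
            kind = "diff"
        else:
            kind = "log"
        entries.append((t, kind))
        t += LOG_EVERY
    return entries

def restore_chain(catalog, target):
    """Select the backups a point-in-time restore to `target` needs, assuming a
    SQL Server-style full/differential/log chain: the latest full at or before
    target, the latest differential taken after that full, then every log
    backup after the chosen base. Returns (chain, recovered_to, data_loss)."""
    before = [e for e in catalog if e[0] <= target]
    fulls = [e for e in before if e[1] == "full"]
    if not fulls:
        raise ValueError("no full backup at or before target")
    full = max(fulls)
    diffs = [e for e in before if e[1] == "diff" and e[0] > full[0]]
    base = max(diffs) if diffs else full
    logs = [e for e in before if e[1] == "log" and e[0] > base[0]]
    chain = [full] + ([base] if base != full else []) + logs
    recovered_to = chain[-1][0]
    return chain, recovered_to, target - recovered_to

if __name__ == "__main__":
    cat = generate_catalog(datetime(2024, 1, 1), datetime(2024, 1, 2, 12))
    chain, point, loss = restore_chain(cat, datetime(2024, 1, 1, 15, 35))
    for ts, kind in chain:
        print(f"{ts:%Y-%m-%d %H:%M} {kind}")
    print("recovered to", point, "data loss window", loss)  # 5 minutes
```

With this schedule the data-loss window of any restore is bounded by the 10-minute log interval, which is the figure a restore test should confirm.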
Q: Please describe your disaster recovery procedures.
A: RADAR is a SaaS application that runs on multiple dedicated servers. The infrastructure configuration is designed to eliminate any single point of failure. This includes replicated databases running in separate availability zones with hourly and daily backups.