FAQ Sections

How can I be sure my data is safe with PostRFP?

Posted in Getting Started with SupplierSelect, last updated on Dec. 10, 2020

PostRFP has an ongoing commitment to ensuring the security and privacy of your data.

Physical Security & Access Control

PostRFP servers are only hosted in datacenters with ISO 27001 certfication and via service providers complying US/EU Safe Harbor Privacy certification.

Perimeter Defence

The network perimeter is protected by a firewall and is monitored by intrusion detection systems.

Data Encryption

For transport encryption, PostRFP's primary servers operate under TLS 1.2 with 256 bit AES_256_GCM encryption, SHA1 for message authentication and ECDHE_RSA with P-256 for key exchange.

User Authentication

  • Users access Supplierselect only with a valid username and password combination, which is encrypted via TLS while in transmission
  • Passwords are PBKDF2 encrypted with random salts to prevent rainbow table attacks in the event of data compromise
  • Passwords are never stored unencrypted (not even in database transactions logs)
  • Password complexity rules are enforced
  • Password resets are via time-bound random token email links - passwords are not sent in plain text emails
  • Password expiry rules can be set on an organization by organization basis
  • Multiple failed login attempts result in a time-bound account lockout

Application Security

Our robust application security model prevents one PostRFP customer from accessing another's data. This security model is reapplied with every request and is enforced for the entire duration of a user session.

Operating System Security

PostRFP enforces tight operating system-level security by using a minimal number of access points to all production servers. Our servers permit only key-based authentication, are firewalled, and run intrusion detection software. Operating systems hardened by disabling and/or removing any unnecessary users, protocols, and processes. Real time intrusion detection software scans for attacks.

Database Security

Whenever possible, database access is controlled at the operating system and database connection level for additional security. Access to production databases is firewall restricted to specific IP addresses for replication.

Reliability and Backup

All customer data is stored on carrier-class disk storage using RAID disks and multiple data paths. All customer data, to the last committed transaction, is replicated to geographically distinct location. Snapshots are taken every 12 hours, and binary logs are preserved on replication slaves in addition to the master.

Disaster Recovery

PostRFP uses a geographically remote disaster recovery facilities along with the required hardware, software, and Internet connectivity to ensure continuity in the event that our production facilities were to be rendered unavailable.

Related Articles