leading on cybersecurity.

Our commitment to safeguarding your private data and maintaining security best practices is unwavering. To ensure that our customers and participants receive exemplary services, we have achieved SOC 2 Type II compliance, the highest standard available.

compliance.

The RiseSmart platform is SOC 2® Type II certified. SOC 2 is a widely used framework for building trust between vendors and customers. It evaluates operational effectiveness against the American Institute of Certified Public Accountants (AICPA) Trust Services principles: security, availability, processing integrity, confidentiality and privacy. RiseSmart is currently certified for the security, availability and confidentiality trust principles. A Type II attestation shows that we can demonstrate both the adequacy of the design of our controls and their operating effectiveness, and it verifies that a third party has oversight of our processes and procedures to ensure we adhere to these commitments.

GDPR

RiseSmart has implemented policies to fully comply with data protection and privacy requirements set forth for all citizens of the European Union and the European Economic Area. The EU General Data Protection Regulation (GDPR) assures that the proper framework is in place to keep personally identifiable information secure and is designed to harmonize data privacy laws across Europe to protect and empower the data privacy of all EU citizens.

CCPA

RiseSmart has implemented policies to comply with data protection requirements set forth in the California Consumer Privacy Act (CCPA), which enhances privacy rights and consumer protections for California residents by providing them with the right to control how their personal information is collected and shared.

TRUSTe verified privacy

TRUSTe Privacy seal verification.

Privacy Shield attestation.

EU-US and Swiss-US privacy shield

The EU-US and Swiss-US Privacy Shield frameworks provide a mechanism to comply with data protection requirements when transferring personal data from the EU and Switzerland to the United States. RiseSmart is certified under the EU-US Privacy Shield and the Swiss-US Privacy Shield and we employ standard contractual clauses. While a 2020 European court ruling declared the EU-US Privacy Shield Framework invalid, the US Federal Trade Commission continues to support the Privacy Shield framework and expects companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework.

security.

Our security controls protect confidential data against unauthorized access and unauthorized disclosure of information. Our procedures prevent damage to systems that could compromise the availability, integrity, confidentiality and privacy of information or systems.

vulnerability assessment

To ensure that customer data is secure from cybersecurity breaches, RiseSmart tests for potential vulnerabilities on a recurring basis. We run static code analysis as well as application and infrastructure vulnerability scans. We also responsibly disclose the vulnerability scan reports to inform our customers of potential risks.

penetration testing

RiseSmart leverages third-party penetration testing resources to test the RiseSmart service application and internal networks. This authorized, simulated cyberattack allows us to evaluate system security and implement necessary remediation actions.

bug bounty program

To ensure that our platform remains secure, we invite select researchers into our bug bounty program to find and report any security issues, which are then fixed immediately.

encryption

We encrypt customer data using the AES-256 encryption standard at the RDS level for data at rest, and protect data in transit, in line with the NIST framework. TLS 1.2 (based on IETF standards) is used to protect the transmission of all sensitive information.

data access control

Our system has role-based access control mechanisms. Data is accessible only to authorized users who have the appropriate level of access on a need-to-know basis. We implement role-based access management using AWS IAM user, group and role policies.

physical security

To ensure the security of customer data stored on location, RiseSmart products are hosted with cloud infrastructure providers with SOC 2 Type II and ISO 27001 certifications, among others. The certified protections include dedicated security staff, strictly managed physical access control, data access controls and video surveillance.

backup

We use database replication and periodic snapshots to avoid data loss. Backups are tested as part of business continuity and disaster recovery plan testing.

secure development life cycle

Strict security checkpoints govern every step of our development life cycle from design to coding, testing and deployment. Our internal security team works with independent, external security researchers to validate our software security.

vendor due diligence

RiseSmart conducts an initial risk assessment of service providers to ensure their security practices are industry-standard. For vendors with whom we exchange sensitive data elements, the standard Data Processing Agreement is signed.

privacy.

To ensure that personal information is kept private, RiseSmart provides regular training to staff, limits access to such data, maintains strict rules around how this information is shared and maintained, and provides customers and participants with the ability to manage and restrict their personal data.

training

RiseSmart provides information security and privacy training as part of our new employee onboarding. We hold an Information Security Week annually to recertify employees on our privacy training and to raise awareness of our security policies and work guidelines.

privacy process

Our legal and privacy processes and controls address requirements such as roles and responsibilities, policies and procedures, data inventory and life cycle, data protection and security, risk assessment, consent, management of data subject requests, third-party management and incident response.

data subject access rights

RiseSmart has a DSAR request form that users may complete to opt out, delete or update their data, or file a complaint. The form can be found here.

cookie policy

RiseSmart respects the right to privacy. Users can choose to restrict certain types of cookies from the Privacy Preference Center. Our cookie policy can be found here.

RiseSmart privacy policy

We respect your privacy rights and value your trust. This privacy notice describes how we collect, receive, use, store, share, transfer and process your personal information, as well as your rights in determining what we do with the information that we collect or hold about you. Our privacy policy can be found here.