Rhythm Security Q&A

General Q&A

  1. What development platform does the software use?

    1. Frontend: Angular
    2. Backend: Java
    3. Database: MySQL, DynamoDB, Redis
  2. What security requirements are considered in the design of your software?

    1. End-to-end encryption
    2. SQL injection prevention
    3. Principle of least privilege
    4. Cross-site scripting (XSS) prevention
    5. No hard-coded security credentials
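
The two list items that most often fail in practice, SQL injection prevention and no hard-coded credentials, are easiest to judge from code. The following is an added example for a Java backend like the one described above; it is not Rhythm Systems' code. The table and column names (`goals`, `company_id`, `title`), the environment variable names (`RHYTHM_DB_URL`, `RHYTHM_DB_USER`, `RHYTHM_DB_PASSWORD`) and the MySQL JDBC driver on the classpath are assumptions. It places the vulnerable concatenated query beside its parameterised replacement, and reads the database credentials from the environment rather than from source.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class GoalRepository {

    // Credentials are supplied by the deployment platform through the
    // environment (variable names are assumed), never as literals in source
    // or in a checked-in configuration file. Rotating the secret then means
    // changing the environment, not shipping a new build.
    private static Connection open() throws SQLException {
        String url = System.getenv("RHYTHM_DB_URL");
        String user = System.getenv("RHYTHM_DB_USER");
        String password = System.getenv("RHYTHM_DB_PASSWORD");
        if (url == null || user == null || password == null) {
            throw new IllegalStateException("database credentials missing from environment");
        }
        return DriverManager.getConnection(url, user, password);
    }

    // VULNERABLE: the caller's values are spliced into the SQL text, so a
    // title such as   ' OR '1'='1   becomes part of the WHERE clause and the
    // company_id filter no longer restricts the result to one client.
    // Shown only for contrast; never use this form.
    public static String unsafeQuery(String companyId, String title) {
        return "SELECT id, title FROM goals WHERE company_id = '" + companyId
                + "' AND title = '" + title + "'";
    }

    // SAFE: a parameterised query. The driver sends the statement text and the
    // bound values separately, so a value can never alter the statement's
    // structure. The tenant identifier comes from the authenticated session,
    // not from the request body, which is what keeps one client's query from
    // reaching another client's rows.
    public static List<String> findGoalTitles(String sessionCompanyId, String title)
            throws SQLException {
        String sql = "SELECT id, title FROM goals WHERE company_id = ? AND title = ?";
        List<String> titles = new ArrayList<>();
        try (Connection conn = open();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, sessionCompanyId);
            ps.setString(2, title);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    titles.add(rs.getString("title"));
                }
            }
        }
        return titles;
    }

    // Demonstrates the injection on the vulnerable form without needing a
    // database: the constructed attacker input is an assumed example value.
    public static void main(String[] args) {
        String attackerTitle = "' OR '1'='1";
        System.out.println(unsafeQuery("acme", attackerTitle));
    }
}
```

Running `main` prints the statement that `unsafeQuery` would send; the trailing `OR '1'='1'` makes the whole WHERE clause true, so every goal of every client would be returned. The same input passed to `findGoalTitles` is bound as a literal string and matches nothing. A quick check that the "no hard-coded credentials" requirement is actually met is to grep the repository for `getConnection(` and confirm every call site obtains its arguments from the environment or a secrets store rather than a string literal.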
  3. What standards or design principles apply?

    1. We have our own internal standards that all developers code to, along with code reviews and check-in policies.
  4. What database do you use?

    1. MySQL
    2. DynamoDB
    3. Redis
  5. How is data segregated between different clients?

    1. Horizontally segmented data repository
    2. Granular session management prevents cross-client data access
  6. How are software versions managed?

    1. Git repository
    2. Point-release versioning
  7. Who is the hosting provider?

    1. Amazon Web Services (AWS)
  8. How do you manage information security risks?

    1. Cycling of credentials
    2. Role-based security for humans and software, applying the principle of least privilege and the principle of separation of duties
    3. Virtual Private Cloud (VPC)
  9. What security tasks does the provider do?

    1. The infrastructure-level security AWS provides under its shared responsibility model
  10. What type of security incidents are mitigated by the provider?

    1. See AWS documentation
  11. How does the provider handle disasters that affect data centers or connections?

    1. Per the AWS Terms of Service
  12. Is my data backed up?

    1. Yes. Nightly full backups, encrypted and replicated to multiple locations
  13. Who is responsible for making backups and where?

    1. Automated backups
    2. Stored in AWS data centers and replicated to multiple regions
  14. In what format is the backup generated?

    1. Encrypted SQL export
  15. Can the backed-up data be accessed without the app?

    1. Only by designated privileged Rhythm Systems administrators
  16. In what format?

    1. SQL import (a SQL dump that can be loaded into a compatible database)
  17. Who manages the users in the software?

    1. We have a handful of specially trained employees who act as System Administrators and can perform user management for any client using the System Admin application.
    2. Each client identifies one or more Company Administrators who are trained to manage users for their company using the Company Admin application.
  18. Are there roles and permissions that need to be managed?

    1. Company Administrators set roles and permissions for users according to the organization's preferences. The available options are laid out in this article.
  19. What security certifications does the software meet?

    1. We are currently internally discussing the various certifications and which to pursue. 
  20. Are changes to information in the software audited?

    1. Yes
  21. Is it a collaborative tool?

    1. Yes
  22. Can it be integrated with other tools (SAP, Office...)?

    1. A public API exists for integration with external systems
  23. If the service ends, in what format is the information returned?

    1. Users can download data in reports (formats include PDF, Excel, Word, and CSV). Additional information on downloading reports is available in this article.
    2. Customers also have the option to purchase a data maintenance plan, under which they retain access to the software and all data for one user at a low monthly cost.
  24. At the end of the service, how long is the information available before deleting everything?

    1. If customers choose the data maintenance option (see above), their information is available for the duration of that agreement.
    2. If customers do not choose the data maintenance option, the information remains available either until the customer requests its deletion or our software no longer supports the ability to display the information in the current version.