Annex 1 - Technical and Organisational Measures
Ravio was designed to offer enterprise-grade security from day one, and information security and data protection are fundamental to what we do and how we operate as a business.
As such, we have implemented a variety of technical and organisational measures to help safeguard the confidentiality, integrity and availability of information and of the systems that process, store or transmit it.
These measures are kept under continuous review in line with best practice, and are outlined below:
Access Control
Physical Access Control
The Ravio office is located in a secure, gated development, and access is controlled via keyfob. 24-hour CCTV is in place covering the entry/exit, and external visitors must be accompanied at all times.
Ravio also uses underlying Google Cloud Platform infrastructure, which has a number of physical access controls in place including secure perimeter fencing, CCTV, security patrols, multiple entry scans, and need-only access to the data centre floor.
Logical Access Control
Ravio uses role-based access control based on the principle of least privilege with access only ever granted to those to whom it is necessary as part of their role. We also conduct quarterly reviews of access to systems, and log system access.
Devices and systems are protected through the use of secure, complex passwords, and multi-factor authentication is used wherever possible. Users are also automatically logged out of systems periodically and required to re-authenticate, and devices are set to auto-lock after 5 minutes of inactivity via our Mobile Device Management system.
Contingency and Incident Management
Ravio has a Disaster Recovery and Business Continuity Plan and an Incident Response Plan in place. These plans outline the response required in the event of a business continuity event or incident, including scenarios for how to respond and processes for notifying relevant/impacted parties of any incidents as required. Testing of these plans is conducted on at least an annual basis.
Devices
All employees use MacBook devices and have a Mobile Device Management platform installed which ensures that all devices:
Can be remotely wiped
Have anti-virus software installed
Are encrypted
Have screen lock enabled
Employees
Ravio's employees are all subject to our standard employment contract which includes a confidentiality agreement and agreement to adhere at all times to the relevant policies and procedures. We also have an employee Code of Conduct in place, which requires staff to adhere to the highest principles in respect of confidentiality, ethics, and conduct.
All staff are subject to the relevant background checks.
All Ravio employees are required to undertake Information Security and Data Protection training in their first week. The training consists of a suite of videos and questions on key topics. Information Security and Data Protection training is repeated annually.
Encryption
Ravio uses industry-standard mechanisms to ensure that information is kept secure at all times, including Hypertext Transfer Protocol Secure (HTTPS) with Transport Layer Security version 1.2 (TLS 1.2) or higher for data in transit, and 256-bit Advanced Encryption Standard (AES-256) for data at rest. All devices used by Ravio staff also have their hard drive encrypted, and this is enforced and monitored by our Mobile Device Management platform.
Policies and Procedures
Ravio is committed to protecting information and assets and as such we have implemented a suite of information security and data protection policies and procedures which define the controls and processes in place to keep information safe and secure.
Among others, these policies include: Acceptable Use Policy, Access Control Policy, Business Continuity and Disaster Recovery Plan, Cryptography Policy, Data Protection Policy, Human Resources Security Policy, Incident Response Plan, Operational Security Policy, Physical Security Policy, Secure Software Development Policy, Risk Management Policy, and Third Party Management Policy.
Sub-Processors
Before onboarding sub-processors, Ravio conducts thorough due diligence to ensure that they adhere to an appropriate level of privacy and security.
Ravio uses the following sub-processors to deliver the service:
Google Cloud Platform (GCP) provides Ravio's underlying infrastructure and is ISO 27001, ISO 27017 and ISO 27018 certified. Storage is based in the UK (subject to adequacy).
Merge is an HRIS API provider and is SOC 2 Type II and ISO 27001 certified. Storage is based in Sweden (EU).
Kombo is an HRIS API provider and is ISO 27001 certified. Storage is based in the Netherlands (EU).
Auth0 is our authentication provider and is SOC 2 Type II, ISO 27001 and ISO 27018 certified. Storage is based in Germany.
Vulnerability Scanning
Ravio has a number of vulnerability monitoring tools in place to help us identify and address any potential vulnerabilities.