Overview
We follow a rigorous information security program, vendor risk assessment program and an incident response plan. r2c is founded on the principle of bringing the power and security of SDLC to the rest of the developer community. Every single member of the team is trained and fully committed to SDLC policy. We have a dedicated security team with 4 engineers and a security and compliance officer.
Core tenets of our security program include:
- Security awareness training
- Defined security requirements
- Defined metrics for acceptable risk
- Threat modeling
- Use of modern crypto libraries
- Securing 3rd party dependencies
- CI/CD pipeline with code review from a peer for every PR
- Static analysis on every PR
- Unit/integration tests
Trust Center Updates
r2c is proud to announce that we've completed our first SOC 2 Type 2 audit. Achieving SOC 2 Type II compliance is one of the primary ways we demonstrate our company's privacy and security practices. Maintaining SOC 2 compliance underpins our continued commitment to protecting our customers' data.
What is SOC 2 Type 2?
The Service Organization Control (SOC) 2 Type 2 audit is the best-known information security certification in the industry and a common request from our customers. A SOC 2 Type 2 certification includes third-party security and control testing against standards set by the American Institute of CPAs (AICPA). 'Type 2' audits signify both that we had appropriate procedures and controls in place and that they were followed and achieved their goals across the audit period.
What does this mean for our customers?
SOC 2 compliance is independent confirmation that we are following the security, privacy, and reliability practices you'd expect of a modern software company. Moreover, it's a standard our enterprise customers hold themselves to and typically expect of their vendors in return.
However, SOC 2 is only one of a basket of practices and processes we follow to ensure our products and services are secure. We continue to build upon proactive and detective security practices, including a program of secure software design and active security assessments.
Semgrep SAST and Semgrep Supply Chain are both a core part of our secure development practices – ask to see a demo of how we use our products across our engineering efforts.
What’s next?
Achieving SOC 2 Type 2 compliance is not a one-time event but a baseline of security and privacy practices that must be maintained and audited annually. We look forward to using SOC 2 to demonstrate and build upon our commitment to privacy and security across our current and future products and features.
On the evening of January 4, 2023, CircleCI notified customers of a breach and recommended teams rotate "all secrets stored in CircleCI" and review systems for unauthorized access between December 21, 2022, and January 4, 2023.
r2c uses CircleCI for a limited number of continuous integration workflows that do not involve production infrastructure or user data. Our security and engineering teams have reviewed these workflows and either disabled or rotated all credentials in use.
No unauthorized access to r2c systems or services has been identified. CircleCI’s investigations continue. r2c’s security team continues to monitor updates from the vendor and review access from the affected period.
r2c is not affected by the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786
Yesterday, November 1, 2022, OpenSSL released version 3.0.7 to patch CVE-2022-3602 and CVE-2022-3786, two HIGH-risk vulnerabilities in the OpenSSL 3.0.x cryptographic library.
r2c is not vulnerable to these issues: our services and products do not rely on the vulnerable version of OpenSSL, nor do we use the functionality causing these vulnerabilities.
If you want supply chain risk analysis that goes beyond simple version tracking, check out our recently launched Semgrep Supply Chain product. Semgrep Supply Chain allows you to interrogate your use of dependencies and whether you are exposed to specific vulnerabilities or not.
For more information on these vulnerabilities, see the great write-up by Datadog Security Labs.