Redfish Labs, Inc. dba Torch Leadership Labs
Redfish Labs, Inc. dba Everwise
Information Security
Last Updated on May 13, 2024
Security Statement
At Torch, we value our customers’ privacy and security and pledge to continuously improve our posture and effectiveness in this regard. Our approach to security is designed to protect both our customers and their end-users from malicious attacks and unauthorized access to data. We are committed to providing a highly secure and reliable cloud environment. Our information security program is based around industry-recognized standards such as SOC2, CIS, PrivacyShield, GDPR, OWASP, and 12Factor.
Private Cloud
Torch provides a highly resilient cloud infrastructure using AWS as a cloud provider. Our infrastructure is deployed in multiple availability zones to ensure 99.5% uptime. We have daily automatic backups that are configured for cross-region replication. Our customers can rest assured that in the event of any disaster, their data will be available.
Security of the AWS infrastructure is a control inherited under the shared responsibility model between Torch and AWS. AWS infrastructure in the US East and US West regions implements strict controls that meet NIST 800-53 / FedRAMP standards.
AWS Shared Responsibility Model
AWS NIST 800-53
Encryption Standards
Torch employs encryption at all levels of our technology stack:
- All web access to our system uses modern, up-to-date SSL and TLS encryption methods.
- All intra-system messaging uses SSH and SCP encryption methods.
- All archives and backups are protected using 256-bit encryption.
- Access and encryption keys are managed under strict access controls and are refreshed on a scheduled basis.
- All data in transit and at rest are encrypted using up-to-date encryption methods.
Infrastructure Security
Torch defines production infrastructure as the network, cloud computing instances, containers, and databases, including other smaller services that support, run, or secure our platform. We have implemented controls in the design of every layer of our infrastructure; to summarize:
- DDoS protection
- Intelligent threat detection and protection
- Web traffic filtering
- Centralized management of all cloud infrastructure accounts and resources
- Automated, continuous security checks against best practices
- Daily encrypted database backups, configured for cross-regional replication
- Automated vulnerability scans
- Comprehensive and centralized logging across all AWS accounts and resources
Application Security
Torch employs best practices for SaaS development. Our platform is designed with the 12 Factors of SaaS Development in conjunction with the OWASP Top 10. Our CI/CD pipeline includes automated and continuous static code analysis, dynamic code analysis, peer review, and a change control process.
Continuous Improvement
Torch will continue to improve our processes, procedures, and policies to maintain our customers’ privacy and security. To support these efforts, we conduct third-party penetration tests and third-party audits from industry leaders.
SOC2: Available on request, requires NDA or signed MSA
SOC3: Torch – 2023 – SOC 3 – Report_FINAL
ISO 27001: Available on request, requires NDA or signed MSA
ISO 27701: Available on request, requires NDA or signed MSA
3rd Party Penetration Test: Available on request, requires NDA or signed MSA
Questions?
Contact security@torch.io