Remote’s end-to-end employee data protection guide

Remote was founded with the understanding that there’s a disparity of opportunities in our world. Talent can be found in every corner, yet opportunities are unevenly distributed. Remote envisions a future where everyone, no matter their location, can achieve wealth and financial freedom through equal access to employment in the global economy. We bring this vision to life by opening doors to global, remote employment for both companies and individuals. Our journey begins with empowering businesses to effortlessly and compliantly hire anyone, anywhere. But it doesn't end there. We cultivate global fluency, trust, and a sense of belonging for teams by providing accessible and affordable ongoing support. This covers payroll, benefits, employment lifecycle, expert advice, and other services for both companies and individuals. Our goal is to be the market leader in the global employment sector.

Information security plays a crucial role in this mission. We've created this guide to offer clear, comprehensive insights into our security efforts, program, and operations, and to demonstrate how we safeguard both our customers' and our organization's data.

Remote’s approach to information security

At Remote, we prioritize information security and are dedicated to making sure that:

• Our customers can securely access our services.

• Our team is equipped with the tools and controls necessary to safeguard the information we handle daily.

• Our suppliers and third parties who access our information follow information security best practices.

• Open and transparent communication about information security exists across all business teams. Our security program is designed using a defense-in-depth approach, which fortifies all layers of protection that secure our organization and the data we manage. We align our security program with ISO 27000 and AICPA Trust Service Principles standards, always keeping our focus on continuous improvement through the latest guidance and industry best practices. Remote's dedicated security team is responsible for implementing and managing our security program.

We’re devoted to constantly monitoring, validating, and enhancing our program, as well as the design, implementation, and operation of our security controls. Both our internal security team and third parties carry out assessments and audits, the results of which are presented to Remote's top management along with a remediation plan. Currently, we hold certifications for ISO27001 and SOC2, and we're happy to share the documentation with our customers upon request.

Protecting our customers’ data

Our customers place their trust in us by allowing us to manage their sensitive data. That's why we make data confidentiality and data security our top priority. Our dedicated security team collaborates closely with other departments to manage our security and risk management programs. By following industry-leading practices and designing and implementing comprehensive security controls, we're committed to keeping your data safe and secure.

Information security risk management

At Remote, we've got a top-notch information security risk management program that is dedicated to protecting your data. Our program covers everything from identifying and assessing risks related to our systems, applications, and data, to managing third-party collaborations. 

We maintain a centralized security risk register where our departments come together to spot new risks and manage them effectively, led by the designated risk owner. This teamwork allows us to make informed, risk-based decisions when it comes to system development, acquisitions, infrastructure, and more. And don't worry, we perform these risk assessments at least once a year to keep everything in check!

Access control

Access provisioning and deprovisioning

Remote makes sure that access to our systems is on a need-to-know basis. We follow the principle of least privilege, which means our employees can only access the info they need to perform their job duties, using role-based access controls. No worries about conflicting duties, we've got that covered too.

When someone leaves our team, we make sure their access is terminated within 24 hours. We also do regular check-ups on access to critical systems, making sure everything's shipshape.

Authentication

Our secure Single Sign-On (SSO) access, complete with Two-Factor Authentication, keeps sensitive information like our SaaS application and customer data extra safe. And, yes, strong credentials are mandatory for that SSO account. We also provide a handy password manager to encourage better password habits and prevent password reuse. Oh, and shared accounts? Those are a no-go by policy.

Network and infrastructure security

Remote relies on Amazon Web Services (AWS), an industry-leading infrastructure provider, for the cloud service infrastructure on which our environment is based. Under the shared responsibility model, we’re responsible for the security and compliance of the software and data residing in the infrastructure, while AWS manages the same for the cloud infrastructure.

Network traffic management

Picture our systems as a private digital fortress, surrounded by high-tech walls and guarded by top-notch security (VPC’s with firewalls in-between them). There's only one way in and one way out, and it's through a secure gate (HTTPS) that's always up to date with the latest version of the TLS protocol and enforces strong cipher suites.

We also have AWS GuardDuty watching our digital space for any threats. Plus, we use AWS Security Groups to keep our network traffic on lockdown.

To top it all off, we're backed by AWS's content delivery network, Web Application Firewall, and built-in DDoS protection. We keep a close eye on everything happening in our digital fortress with AWS CloudTrail and other external monitoring services. We track privileged access, commands, and even all system calls, so we can be on top of any suspicious activity.

Server management

All of our production server fleet is hardened, meaning that unnecessary ports are disabled and default passwords are removed, among other measures. We ensure the quality and consistency of our server installations using AWS-managed operating system images, which are continuously patched.

Segregation of environments

We have our development (local), staging (test), sandbox, and production environments fully segregated. No personal or sensitive customer data is used in non-production environments.

Location of data, physical security

Remote's infrastructure is hosted in Amazon Web Services' (AWS) us-east-1 (Northern Virginia) region data center, which offers industry-leading physical protection for our operating environment, servers, and infrastructure.

We operate worldwide, and in order to optimize operations, we’ve chosen to deploy and run our services in a single region. This region is the most convenient for several business reasons. Right now, our customers don’t have the option to choose where their data is stored. 

Nevertheless, Remote ensures compliance with GDPR international data transfer restrictions for all customers worldwide, regardless of their jurisdiction.

Change management

We’ve established a formal Change Management Policy, along with change management procedures, to ensure that all infrastructure and application changes are authorized before implementation into production. Engineers initiate changes to the infrastructure and the application, which are tracked and stored in our version control system.

Before implementation, production changes must pass through QA testing procedures and manual code review. All changes released into production are logged. Direct access or changes to our production environment are restricted to authorized personnel only.

Vendor management

At Remote, we sometimes team up with expert outside partners who bring their unique skills to the table. But, we know that it's still our job to keep everyone's data safe and sound.

So, we give each potential partner the ultimate security check-up. We dive deep into their data access, integrations, and external validations, and make sure they can pass all the security requirements.  But we go a little further—we repeat these steps whenever we renew contracts with our partners. Plus, we make sure everyone's on the same page by adding extra security commitments to our contracts, where reasonable.

Incident management

When we identify a potential security incident, we follow Remote’s formal Security Incident Response Plan, which is available to and acknowledged by all Remote employees. The plan guides us on how to manage a security incident, including communication channels and escalations, timing, and stakeholder management. Potential incidents are initially picked up by Remote’s internal incident management team, who is responsible for the coordination of incident management up to resolution and post-mortem according to the response process. 

We prioritize transparency and clear communication, so we promptly update our customers if they are affected by an incident, providing information on its nature, our actions to resolve it, and the estimated time required. We test and update the incident response procedure annually.

We’re proud to highlight that Remote has never experienced a material data breach.

Human security

Security awareness

Remote has a security awareness training program in place to promote the understanding of security policies, procedures, the latest trends, and best practices. All personnel are required to undergo training within their first 30 days of employment and annually thereafter. Completion of the training program is logged by Remote.

Summary of the awareness training content:

1. Email threats: Phishing, Malware, Spam

2. Internet Safety: Public Wi-Fi, HTTPS, Web content filtering, Search engine safety

3. Personalized threats: Social engineering, Insider threats

4. Malware: Types of malware, Malware targets, How malware acts

5. Passwords: Personal information in passwords, Password hygiene, Password management, Multi-factor authentication

6. How to stay safe while working remotely

Employee screening and confidentiality

Employment verification is conducted for all internal employees. To ensure that our customers' data is safe with Remote's internal staff, every internal employee is bound by a duty of confidentiality.

Endpoint security

At Remote, we ensure our team has the best tools for success. That's why we provide all our employees with top-notch workstations that are ready with our security standards. We've got everything covered, from hardened configurations to timely updates for all software. 

Logging in? No worries. Our team members are required to use a strong password or even their biometrics for a secure login. Plus, our devices lock up when not in use, keeping everything safe and sound. We've got data encryption, malware monitoring, and an endpoint detection and response (EDR) service working 24/7 to keep our devices secure. And our team members can't disable these security features, so they're always in full swing.

Product security

Access control

Password requirements

We provide each of our applications’ users with a dedicated user account with unique credentials. The initial password is created by the user using a one-time token sent via email. The password must meet the following:

• Be at least 12 characters long

• Contain at least one number

• Contain at least one uppercase letter

Storing passwords

We store a hashed version of users' passwords using the Argon2 hashing algorithm, with additional salt.

Two-factor authentication (2FA)

In order to provide stronger security for Remote users and their data, we’ve implemented 2FA during login. 2FA can be enabled for all users of our application, using an authenticator application on mobile devices.

Single-Sign On (SSO)

Our application supports federated access via SAML protocol. Further information can be found in our Help Center.

Access control structure

Remote’s application provides a role-based access control mechanism to customers. Our customers can designate multiple company admins, viewers, and onboarding managers, but there can be only one company owner. To learn more, please read the support article in our help center.

Our customers can create customized roles and allocate permissions, respectively, if none of the template roles that are available match their needs.

Additional measures

Our application locks out users after a certain number of failed login attempts. Default user sessions have a validity of 30 minutes, which can be extended to a session validity of 30 days using the "Remember me" checkbox.

Logging and monitoring

Our systems are like efficient event diaries, keeping track of all the action that takes place, including user activities. We log application events with a keen eye, sounding the alarm for any errors. And with AWS CloudTrail and external log management systems in place, we've got all our infrastructure access points covered.

Worried about privacy? Don't be. We redact personally identifiable information (PII) and non-essential data from logs to keep things safe and sound.

While our customers don't have direct access to in-application audit logs, all they need to do is email help@remote.com, and we'll be happy to help. We keep recent logs (up to 30 days) at our fingertips, and we can even retrieve logs up to two years old. 

Secure development lifecycle and vulnerability management

Remote uses a Secure Software Development Lifecycle (SDLC). Our developers follow secure coding guidelines and keep a close eye on new code for any potential security snags.

Throughout our SDLC, we carry out security checks at different stages. We gather security requirements for new features, use static analysis, dependency scanning, and code reviews for all fresh code. Plus, we run dynamic analysis scans every week.

We also have annual penetration tests performed by our trusted external partners. We examine the findings, prioritize them, and fix them as needed. We'll even share an executive summary report with our customers if they choose. We also conduct internal penetration tests for crucial features like access control.

And to keep things transparent and responsible, we run both a private bug bounty program. This way, we can catch and fix vulnerabilities spotted by the security community.

Separation of our customers’ data

Our web application operates in a multi-tenant model. Each of our customers' data is hosted on our shared infrastructure and is logically separated from other customers' data through access control measures such as account authentication, logical database field separation, and session management controls.

Encryption

Data at rest

Remote protects data at rest by encrypting with strong cipher suites, such as AES-256. All data stored within our application is encrypted at rest, including files uploaded, databases, and backups. We rotate keys annually.

Data in motion

Remote is a Software-as-a-Service application that is accessible through the internet. To ensure security, all data transmitted to and from our application is encrypted using strong encryption protocols. We enforce the use of recent versions of the TLS protocol (≥1.2) and only enable secure ciphers. Once customer data reaches our applications deployed in a private and segregated network, the information is transmitted to our SQL databases using a recent version of the TLS protocol.

Backups

We perform backups according to the appropriate schedule to ensure that critical systems, records, and configurations can be recovered in the event of a disaster or media failure. Our systems are backed up every hour, and we keep backups for 90 days. We encrypt the backup data remotely and keep it off-site. We perform backup restoration testing every 90 days. Our Recovery Point Objective (RPO) is 1 hour, and our Recovery Time Objective (RTO) is 2 hours.

Data retention and disposal

Customer data is permanently deleted upon deletion by the user. When a user is terminated in our system, all associated data is hard-deleted, unless legislation or contractual requirements demand otherwise. We also honor customer requests for data removal, disposing of customer data within 30 days of a request by a current or former customer, or in accordance with the customer's agreement(s) with Remote. However, Remote may retain and use data necessary for the contract, such as proof of the contract, to comply with legal obligations, resolve disputes, and enforce agreements.

API and integrations

Remote customers can integrate Remote with other systems to consolidate global employee data from Remote and streamline data maintenance for their HR teams. Our customers may access and manage a variety of data and functions within their Remote instance via the Remote API. The Remote API uses a bearer token for authentication and authorization. 

System maintenance and downtime

We continuously deploy new code, without causing downtime. Maintenance that requires downtime is rare and is performed during off-peak hours. We inform our customers about such events in advance.

Rely on Remote for best-in-class information security

In the tech world, information security is the name of the game, and we're here to set the standard of safety. We know our customers trust us with their valuable data, and we're passionate about keeping it safe and sound. We think everyone deserves peace of mind when it comes to their sensitive information.

So how do we make that happen? By tapping into the best of the best industry practices and following rock-solid international standards, all tailored to fit our service and incredible customers. And you can believe we're committed to keeping up this top-notch security today, tomorrow, and beyond.

Have any questions? We're here for you! Reach out to us at help@remote.com, and we'll be more than happy to chat.

Data Security & IP —

2 min

[Webinar Recording] IP protection and data security for distributed teams

If you have questions about IP and data protection abroad, we are here to help. In this in-depth webinar, three of Remote’s top global employment experts come together to share their tips and strategies on how to keep your company protected.