Our easy-to-use interfaces are backed by infrastructure working behind the scenes to ensure fast, reliable uploads, downloads, sync, and sharing. To make this happen, we’re continually evolving our product and architecture to speed data transfer, improve reliability, and adjust to changes in the environment. In this section, we’ll explain how data is transferred, stored, and processed securely.
Redbooth is designed with multiple layers of protection, covering data transfer, encryption, network configuration, and application-level controls, all distributed across a scalable, secure infrastructure.
Redbooth users can access files and folders at any time from the desktop, web, and mobile clients, or through third-party applications connected to Redbooth. All of these clients connect to secure servers for access to files, allow file sharing with others, and update linked devices when files are added, changed, or deleted.
Redbooth’s secure cloud collaboration platform is hosted by Amazon Web Services in a highly secure, fully redundant data center which has achieved PCI DSS Level 1 and ISO 27001 certification and has successfully completed multiple SAS70 Type II audits. Data at rest is stored in Amazon S3, and the AWS RDS MySQL database is inside a Virtual Private Cloud whose access is very tightly controlled via a gateway machine.
Redbooth servers and data are monitored 24x7 for uptime, availability and intrusion detection. Redbooth’s provider stands behind a 99.99% SLA. The AWS network provides significant protection against traditional network security issues such as packet sniffing by other tenants, Denial of Service (DDoS) attacks and Man-in-the-Middle (MITM) attacks, and supports the use of Web Application Firewalls (WAF).
Passwords are hashed using SHA2 and salted several times to defend against dictionary attacks.
Physical access to our servers is strictly controlled and all precautions are taken including: power redundancy, temperature control and fire detection.
Amazon data centers are surrounded by three physical layers of security. The outermost, or “perimeter one,” is a fence which is either crash-rated to prevent a vehicle from penetrating it or backed by state-of-the-art barriers (so-called Jersey barriers).
Access to “perimeter two,” an area which houses chillers, switchboards and generators, is blocked by another wall. Entrance requires both a badge swipe and a personal pin. The only authorized entrants are the engineers required to service this sort of gear.
Each door is under video surveillance with the feed monitored both locally and remotely. The space between perimeters is studded with internal trip-lights that are also monitored and managed around the clock. The innermost perimeter comprises the data halls with servers and networking gear. These doors are monitored by video cameras and require another badge swipe and pin number for entry. They are also equipped with metal detectors.
Redbooth data always travels over a secure connection. It is encrypted for transfer using SSL and it is only accessible via https (never via http).
Passwords are stored as one-way hashes on our servers, meaning that our own internal team can never access a password. Connections are encrypted with TLS 1.2 using SHA2 and 2048-bit keys, the very same high-security standard used in online banking.
Redbooth is designed from the ground up to provide a private and secure environment for each user.
Each user builds a private workspace which may only be accessed by explicitly invited users. Redbooth tightly segregates the data for each group of users so it is not available to non-members of the group.
Users can be invited on two different levels, Organizations and Workspaces, and can be easily removed at any time.
Typically, an Organization is used for a company. As shown in the example below: “Redbooth” is the organization.
Workspaces are used to create a discrete area for collaboration and can only be accessed by members of the specific workspace.
Redbooth’s role-based permissions offer 2 different access levels: Administrator, which can add or remove users, and User, which has access but cannot add or remove users.
We put a lot of effort into protecting Redbooth from common XSS vulnerabilities by activating the following directives:
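The directives themselves are not reproduced on this page. As an added example (not Redbooth's code; that Content-Security-Policy is the kind of directive meant is an assumption), the following audit parses a CSP header and reports the settings that would still let injected script run. The two sample policies are constructed.

```python
"""Audit a Content-Security-Policy header for settings that weaken XSS protection.

Added example, not Redbooth's code. CSP is assumed as the directive mechanism; the
sample policies are constructed.
"""
from typing import Dict, List

# Source expressions that let an injected <script> execute despite the policy.
SCRIPT_WEAKENERS = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

# Constructed samples: a permissive policy and a hardened one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *"
STRONG_CSP = ("default-src 'self'; script-src 'self' 'nonce-d2ViYXBw'; "
              "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive src' into a dict.
    A repeated directive is ignored, which is what browsers do."""
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header: str) -> List[str]:
    """Return readable findings; an empty list means no XSS-relevant weakness was found."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: scripts may load from anywhere")
        return findings
    # script-src falls back to default-src when it is absent.
    effective = policy["script-src"] if "script-src" in policy else policy["default-src"]
    for src in effective:
        if src.lower() in SCRIPT_WEAKENERS:
            findings.append(f"script-src allows {src}")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src unrestricted: plugin content can execute")
    if "base-uri" not in policy:
        findings.append("base-uri unset: an injected <base> tag can redirect relative script URLs")
    return findings
```

A policy that passes this audit still needs server-side output encoding; CSP limits the damage of an injection that encoding missed, it does not remove the injection.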
Your data is private and only visible to your team
We collect and store the text, information, tasks and files you upload or access with the Redbooth Service. When you access Redbooth, we may automatically record information from your device, its software, and your activity using the service. This may include your device’s IP address, browser type, the web page visited before you came to our website, location, locale preferences, date and time stamps and other metadata concerning your interactions with the service.
We use “cookies” to collect information and improve our services. A cookie is a small data file that we transfer to your device. We may use “persistent cookies” to save your registration ID and login password for future logins to the service. You can configure your browser by changing its options to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you do not accept cookies, however, you may not be able to easily access all aspects of the Redbooth service and may need to manually enter user and password information.
In the course of using the Service, we may collect personal information that can be used to contact or identify you (“Personal Information”). Personal Information is or may be used: (i) to provide and improve our Service, (ii) to administer your use of the Service, (iii) to better understand your needs and interests, (iv) to personalize and improve your experience, and (v) to provide or offer software updates and product announcements. If you no longer wish to receive communications from us, please follow the “unsubscribe” instructions provided in any of those communications.
Some browsers allow applications to access real-time location-based information (for example, GPS). Our mobile apps do not collect such information as of the date this policy went into effect, but may do so in the future with your consent to improve our Services.
Redbooth will not be able to decrypt any files that you encrypted prior to storing them on Redbooth.
We also collect some information (using third party services) using logging and cookies. We use this information for the above purposes and to monitor and analyze use of the Service, to increase our functionality and user-friendliness. As of the date this policy went into effect, we use Google Analytics and KISSMetrics.
If you are a registered user, you may review, update, correct or delete the Personal Information provided in your registration or account profile by changing your “account settings.” If your personally identifiable information changes, or if you no longer desire our service, you may update or delete it by making the change on your account settings.
Redbooth will retain your information for as long as your account is active or as needed to provide you services. If you wish to cancel your account or request that we no longer use your information to provide you services, you may delete your account. We will try to delete your information quickly upon request. Please note, however, that there might be latency in deleting information from our servers and backups.
We go to great effort to make our Redbooth products as secure as possible, however if you have discovered a security vulnerability in Redbooth we would appreciate your help to disclose this to us in a responsible manner.
In order to do so please send an email to firstname.lastname@example.org explaining the issue and provide detailed steps on how to reproduce the vulnerability.
Redbooth Data Backup enables you to back up your data whenever you want. A couple of clicks and you can download a compressed folder with all your tasks, task lists and projects.
This feature is only available for Business customers. If you’re interested in this plan, contact our sales team.
If you’re already a Business customer, follow these steps to back up your data:
This website, like many others, uses small files called cookies to help optimize your experience.
‘Cookies’ are small text files that are stored by the browser (for example, Google Chrome or Safari) on your computer or mobile phone. They allow websites to store things like user preferences. You can think of cookies as providing a ‘memory’ for the website, so that it can recognize you when you come back and respond appropriately.
A visit to a page on Redbooth may generate the following types of cookies:
When you use Redbooth, we may send one or more cookies to your computer to uniquely identify your browser and let Redbooth help you log in faster and enhance navigation through the site. A cookie may convey anonymous information to us about how you browse the Service. A persistent cookie remains on your hard drive after you close your browser, so that it can be used by your browser on subsequent visits to the Service. A session cookie is temporary and disappears after you close your browser.
Every time someone visits our website, software provided by another organization generates an ‘anonymous analytics cookie’. These cookies can tell us whether or not you have visited the site before. Your browser will tell us if you have these cookies and, if you don’t, we generate new ones. This allows us to track how many individual users we have, and how often they visit the site.
Unless you are signed in to Redbooth, we cannot use these cookies to identify you or any other individuals. We use them to gather statistics, for example, the number of visits to a page. If you are logged in, we will also know the details you gave to us for this, such as your username and email address.
On some pages of our website, other organizations may also set their own anonymous cookies. They do this to track the success of their application, or to customize the application for you. Because of how cookies work, our website cannot access these cookies, nor can the other organization access the data in cookies we use on our website.
For example, when you like Redbooth using the Facebook like button on redbooth.com, the social network that has created the button will record that you have done this.
It is usually possible to stop your browser accepting cookies, or to stop it accepting cookies from a particular website. However, some features of our service may not function properly if you disable accepting cookies.
All modern browsers allow you to change your cookie settings. You can usually find these settings in the ‘options’ or ‘preferences’ menu of your browser. To understand these settings, you can use the ‘Help’ option in your browser for more details.
Aside from our own testing, we rely on industry experts to help maintain security through:
Automated and manual black-box and white-box testing and ethical hacking:
WhiteHat also conducts manual and mobile testing on an ongoing basis.
Blueliv is the Cloud-based Cyber Threat Intelligence technology that protects organizations from a range of threats including credit card fraud, data and credentials theft, phishing, botnets, malicious mobile application, APTs and the latest malware trends. Blueliv automates the continuous monitoring, analysis and validation of Cyber Threats from beyond your Network providing real time actionable data security and improving organizations’ Cyber Threat visibility. False positives are dramatically reduced through the use of powerful data mining Machine Learning, anomaly detection techniques and Big Data technologies, so accurate and timely results can be delivered to organizations via effective and intuitive dashboards.
Blueliv utilizes Static AST (SAST) technology to analyze an application’s source, bytecode or binary code for security vulnerabilities, typically during the programming and/or testing phases of the software life cycle.
The results of tests are assessed by Redbooth’s security personnel, who assign priorities to each item. Findings and recommendations resulting from all of these assessment activities are reported to executive management, evaluated, and acted upon as determined necessary. High-severity items are documented, tracked, and resolved by assigned personnel.
There are many different compliance standards and regulations that may apply to your organization. Our approach is to combine the most accepted standards — like ISO 27001 and SOC 2 — with compliance measures geared to the specific needs of our customers’ businesses or industries. Our data centers, and our managed service provider undergo regular third-party audits.
ISO 27001 – Our datacenter is ISO 27001 certified (published certificate) under the International Organization for Standardization (ISO) 27001 standard. ISO 27001 is a widely-adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information.
Our datacenter is under a formal program to maintain the certification. This certification reinforces our commitment to providing transparency into our security controls and practices.
Redbooth Private Cloud is designed for installation in a virtualized environment on your local network. All data is stored on machines that you control, and access is integrated with your organization’s authentication system (LDAP / Active Directory, OAuth).
With our Private Cloud appliance you can:
Redbooth Private Cloud is based on standard VMware virtual machine technology (but is compatible with most other offerings). Internally, an industry-standard, reliable and secure OS (Ubuntu 12.04 LTS) and trusted open source components provide the complete Redbooth solution in a single node. (We have a separate document outlining our hardening guidelines, which is updated regularly and is available upon request.) You can choose between allowing your data to reside securely within the VM or in your own corporate DB systems (mysql-based). Hypervisor HA technology and incremental backups of assets and data ensure your data is safe and secure behind your firewall.
Redbooth Private Cloud can be configured such that data always travels over a secure connection. If activated, all traffic will be encrypted for transfer using SSL and it is only accessible via https.
Redbooth is designed from the ground up to provide a private and secure environment for each user.
Each user builds a private social network creating different groups of users. Redbooth segregates the data for each different group of users so it is not available to non-members of the group.
Users can be invited on two different levels: Organizations and Projects, and can be easily removed at any time. Our role-based permissions offer 4 different access levels.
As the appliance runs behind the customer’s firewall, access to the data is strictly controlled by the customer.
Your data is private and local to your network.
Redbooth Private Cloud can function completely offline during regular use. However, patch releases or major upgrades will require outbound internet access for OS updates/patches and package updates but only during the short upgrade process.
Redbooth Private Cloud does not send your data, metrics or any other kind of information in outbound traffic.
Redbooth web access supports simple user/password authentication, some OAuth SSO services (Google, Twitter) and LDAP/Active Directory authentication. We strongly recommend enabling HTTPS for web access for maximum security.
The virtual machine running Redbooth can only be accessed by Redbooth Private Cloud engineers upon client consent using SSH protocol if support is needed.
There is no other way to access the Redbooth environment.
Web access levels can be administered by users with the admin role:
Organizations and Projects have admins, who can control access permissions for users to the organization/project.
New admins can be created by changing a user’s role.
Security inside the Redbooth application can be administered using a browser from anywhere if the Redbooth instance is reachable.
Users can only be created when a Project admin invites them to the project by email. Users can’t register themselves without an invitation.
Redbooth’s user rights are administered on two levels:
Organization: Three types of user roles: admins, participants and externals:
Admins can invite new users to the project, manage users' roles, archive and delete the project, as well as delete comments from tasks, and move these to other projects.
Participants cannot invite new users or manage their roles, but they can use all the other project features.
Roles, at the organization level, are managed using the Redbooth admin panel.
Redbooth Private Cloud stores all the data in the same machine and can only be accessed with the right credentials. There are no custom security policies by business unit.
Users have access only if the organization/project admin invites them, and they only have access to the projects defined by the admin (unless they are made admins too, in which case they also have access to all the data).
Normally partners, clients, and providers are given the role of external to the organization. This is defined in the invite process.
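An added example (not Redbooth's code) of how project-scoped membership and the admin, participant and external roles described here, like the Administrator and User levels in the cloud section above, translate into authorization checks: a non-member is refused everything, and a member gets only what the role grants. The exact permission sets, the rights of the external role and the last-admin safeguard are assumptions; the sample project is constructed.

```python
"""Project-scoped membership plus role-based permissions.

Added example, not Redbooth's code. Role names follow the page; the permission sets
(especially for externals) and the last-admin safeguard are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional

ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    # Admins: invite/remove users, manage roles, archive or delete the project,
    # delete comments and move items.
    "admin": frozenset({"view", "edit_task", "comment", "invite", "remove", "change_role",
                        "archive", "delete_project", "delete_comment", "move"}),
    # Participants: every project feature except inviting users or managing roles.
    "participant": frozenset({"view", "edit_task", "comment"}),
    # Externals (partners, clients, providers): assumed to view and comment only.
    "external": frozenset({"view", "comment"}),
}


class AccessDenied(PermissionError):
    """Raised when the actor's role in the project does not allow the action."""


@dataclass
class Project:
    name: str
    members: Dict[str, str] = field(default_factory=dict)   # user -> role

    def role_of(self, user: str) -> Optional[str]:
        return self.members.get(user)

    def admin_count(self) -> int:
        return sum(1 for role in self.members.values() if role == "admin")


def can(project: Project, user: str, action: str) -> bool:
    """Segregation first: a non-member gets nothing, whatever the action.
    A member gets exactly what the role allows."""
    role = project.role_of(user)
    return role is not None and action in ROLE_PERMISSIONS[role]


def require(project: Project, actor: str, action: str) -> None:
    if not can(project, actor, action):
        raise AccessDenied(f"{actor!r} may not {action} in {project.name!r}")


def invite(project: Project, actor: str, invitee: str, role: str) -> None:
    require(project, actor, "invite")
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    project.members[invitee] = role


def change_role(project: Project, actor: str, target: str, role: str) -> None:
    require(project, actor, "change_role")
    if target not in project.members or role not in ROLE_PERMISSIONS:
        raise ValueError("unknown member or role")
    # Assumed safeguard: a project always keeps at least one admin.
    if project.role_of(target) == "admin" and role != "admin" and project.admin_count() == 1:
        raise AccessDenied("cannot demote the last admin")
    project.members[target] = role


def remove_member(project: Project, actor: str, target: str) -> None:
    require(project, actor, "remove")
    if project.role_of(target) == "admin" and project.admin_count() == 1:
        raise AccessDenied("cannot remove the last admin")
    project.members.pop(target, None)


def is_denied(operation: Callable[[], None]) -> bool:
    """True if the operation is refused by the authorization check."""
    try:
        operation()
    except AccessDenied:
        return True
    return False


def demo_project() -> Project:
    """Constructed sample: alice sets up a project and invites a colleague and a partner."""
    project = Project("Website relaunch", {"alice": "admin"})
    invite(project, "alice", "bob", "participant")
    invite(project, "alice", "carol@partner.example", "external")
    return project
```

Every mutating operation goes through `require`, so the membership check and the role check cannot be skipped by a new code path; adding a permission means editing the table, not the call sites.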
Web access is governed by standard username/password challenges, encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.
The application also supports federated login with OAuth to Google, and LDAP / Active Directory (see below).
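To make the parts of that cipher suite concrete, an added example (not Redbooth's code) that decodes an IANA-style suite name into key exchange, authentication, cipher, mode and MAC and lists what a reviewer would flag. The page's combination (ECDHE_RSA, AES_256_CBC, SHA1) corresponds to the suite name TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA; the modern and legacy suites are added for contrast.

```python
"""Decode a pre-TLS-1.3 cipher-suite name and review it for forward secrecy and AEAD.

Added example, not Redbooth's code. TLS 1.3 suite names carry no key-exchange part
and are out of scope here.
"""
import re
from typing import Dict, List, Union

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA)(?:_(?P<auth>RSA|ECDSA|DSS))?_WITH_"
    r"(?P<cipher>AES_128|AES_256|CHACHA20|3DES_EDE|RC4_128)"
    r"(?:_(?P<mode>CBC|GCM|CCM|POLY1305))?_(?P<mac>SHA256|SHA384|SHA|MD5)$"
)
AEAD_MODES = {"GCM", "CCM", "POLY1305"}
WEAK_CIPHERS = {"RC4_128", "3DES_EDE"}

PAGE_SUITE = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"      # the combination the page describes
MODERN_SUITE = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"  # added for contrast
LEGACY_SUITE = "TLS_RSA_WITH_RC4_128_MD5"               # added for contrast


def decode_suite(name: str) -> Dict[str, Union[str, bool]]:
    m = SUITE_RE.match(name.upper())
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, auth, cipher, mode, mac = m.group("kx", "auth", "cipher", "mode", "mac")
    return {
        "key_exchange": kx,
        "authentication": auth or kx,        # TLS_RSA_* uses the certificate key for both
        "cipher": cipher,
        "mode": mode or "STREAM",
        "mac": "SHA1" if mac == "SHA" else mac,   # a bare 'SHA' in suite names means SHA-1
        # Ephemeral (EC)DH keys: a later server-key compromise cannot decrypt recorded traffic.
        "forward_secrecy": kx in ("ECDHE", "DHE"),
        "aead": mode in AEAD_MODES,
    }


def review_suite(name: str) -> List[str]:
    """Return the concerns a reviewer would raise; an empty list is a clean result."""
    info = decode_suite(name)
    notes: List[str] = []
    if not info["forward_secrecy"]:
        notes.append("no forward secrecy: a compromised server key decrypts recorded sessions")
    if info["cipher"] in WEAK_CIPHERS:
        notes.append(f"weak or broken cipher {info['cipher']}")
    if info["mac"] == "MD5":
        notes.append("MD5 as HMAC hash")
    if not info["aead"]:
        notes.append(f"{info['mode']} + HMAC-{info['mac']} is not AEAD; "
                     "prefer GCM or CHACHA20-POLY1305")
    return notes
```

Run against the page's suite, the decoder confirms forward secrecy (ECDHE) and an AES-256 cipher, and the one note it raises is that CBC with an HMAC-SHA1 tag is an encrypt-then-MAC construction rather than an AEAD mode; HMAC-SHA1 itself is not broken by SHA-1 collision results, so the note is a preference, not an alarm.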
No allowances are made to protect individual fields. Full tasks, conversations and notes can be made private, but not the individual fields inside of them.
The application undergoes regular penetration testing internally as part of our release process and externally via our security provider Whitehat Security.
Redbooth Private Cloud supports external LDAP authentication, but does not currently support LDAP SSO.
We started supporting additional SAML providers in our cloud offering and are open to more SSO integrations.
On every release, every component in the system is reviewed for the latest security patches and these are applied.
Admin accounts to access the VM are secured by strong passwords. Root access is disabled.
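An added check (not part of Redbooth's hardening guidelines, which the page says are available on request) for the root-access setting in an OpenSSH sshd_config. The sample configurations are constructed; the point worth knowing is that only an explicit `PermitRootLogin no` disables root, since the OpenSSH default when the keyword is absent still admits root with a key.

```python
"""Determine whether an sshd_config actually disables root login.

Added example, not Redbooth's hardening guide. The sample configurations are constructed.
"""
from typing import Optional


def effective_permit_root_login(config_text: str) -> Optional[str]:
    """Return the PermitRootLogin value sshd will use, or None if it is unset.

    sshd keeps the first occurrence of a keyword and ignores later duplicates. Settings
    inside a Match block apply only to matching connections, so the scan stops there.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # '#PermitRootLogin no' is a comment and sets nothing
        parts = line.replace("=", " ").split(None, 1)   # sshd accepts 'Key value' and 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        if key == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return None


def root_login_disabled(config_text: str) -> bool:
    """Only an explicit 'no' disables root. The default when unset is prohibit-password,
    which still lets root log in with a key."""
    return effective_permit_root_login(config_text) == "no"


# Constructed samples.
HARDENED = "Port 22\nPermitRootLogin no\nPasswordAuthentication yes\n"
COMMENTED_ONLY = "# PermitRootLogin no\nPort 22\n"
DUPLICATE = "PermitRootLogin yes\nPermitRootLogin no\n"
MATCH_ONLY = "Match User deploy\n    PermitRootLogin no\n"
```

The commented and Match-block samples are the two cases that most often pass a casual `grep` while leaving root reachable.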
Redbooth Private Cloud is designed to take advantage of hypervisor snapshotting and HA capabilities. Production-ready hypervisors can maintain two synchronized VMs (master/slave), where each node can be monitored and the secondary node quickly and easily promoted as the new master.
Similar to the HA feature, the hypervisor can additionally provide continuous availability by creating a live shadow instance of a virtual machine that is always up-to-date with the primary virtual machine.
Over and above the high availability and fault tolerance options afforded by the hypervisor, we strongly recommend that customers take frequent snapshots of the VM (especially before system updates are applied).
In addition, Redbooth Private Cloud contains a simple API that enables offline storage of customer data and assets. These backups can also be used to enable restoring of data/assets.
No. Redbooth Private Cloud does not send any data to any 3rd party service. There is however a configurable feature that allows customers to enable native mobile push notifications in which case some traffic (containing ids and short chat message summaries) will travel to Apple and Google push servers but this feature has to be explicitly enabled.