1. Where is your business located/registered?
Regpack Headquarters is located in San Diego, California. Our office hours are Monday – Friday, 9 a.m. to 6 p.m. Pacific Standard Time.
2. Do you outsource your information security responsibilities or any other information provided to you by participants?
- The Service Provider is PCI-2 compliant and undergoes daily scans to confirm integrity, daily backups to protect the information, and an independent audit to confirm the PCI compliance level. The payment information is saved on a PCI-1 compliant server that is protected by several safeguards including, but not limited to: an encrypted API, access restricted to a limited set of IP addresses, rotating passwords and usernames, and protection algorithms created on the fly to establish secure “handshakes”. The payment data can only be accessed within the Service Provider’s network and the network of our processing partners.
- Any action by the client that violates PCI compliance regulations will result in immediate suspension of the client’s account. All account information will be purged immediately. This includes but is not limited to:
  - Gathering credit card or bank information directly on forms not designed for it
  - Capturing payment information from end-users outside of the Service Provider’s approved integrated payment forms
  - Sharing login credentials, including passwords, with anyone other than themselves
  - Any other action violating PCI regulations
3. Who has access to my data? Who manages the application or information on the back end?
You and your admin team manage information on the back end. This is where the managing, creating, and editing of your Regpack system will take place. In the back end, you’ll see your Regpack Tools: Users, Payments, Settings, and Help. From here, you can adjust the products/discounts, report and email templates, forms/fields, scheduler units, auto-billing options, admin levels and permissions, your bill, and your project settings. Everything is built out in the back end; your registrants will not see this side of Regpack.
Regpack staff are also able to view data on the back end; however, we only access your project when a question for the support team requires us to do so, and all staff have signed a Nondisclosure Agreement that covers client data.
4. How are user accounts managed in the software?
Users manage their own accounts, and admins can disable them on the back end if needed. All project and user management is up to your team. We provide the software and are available to advise as needed. You can always email us with your questions!
5. What is your technology stack? Do you use an application firewall?
Regpack has a best-in-class WAF (Web Application Firewall) that filters all possible database attacks at the transmission level. This prevents access to the database through the application. In addition, the system limits the amount of data that is transferred with every request and per IP address, to prevent mass extraction of information.
6. Are data transmissions to/from the application encrypted? Do you encrypt our data? Which data is encrypted?
All sensitive values in the databases are encrypted with a unique key per user. This prevents the information from being viewed or used unless the key algorithm tied to the specific project, user, server, and time of encryption is fully present. The application automatically determines, according to a set of variables, which units are considered sensitive values.
7. Are your data centers physically secure?
Our servers sit behind a physical firewall that is managed by a dedicated external security team. It is configured on an “is allowed” basis, meaning access is denied unless specifically approved.
8. Do you use IPS/IDS? Do you monitor failed logins? Do you use two-factor authentication?
Yes, we notify all admins of attempts to log in to their admin account after the 2nd failed attempt.
Yes, two-factor authentication is required on all admin accounts.
9. How can you prove you have no back doors hidden in your code? How do we know your code is safe? Do you test your web applications for the OWASP Top 10?
Regpack has regular code audits to make sure all code is written with security as a primary objective. All of our code is written by an internal team. Our code review protocols prevent any release into production unless it passes all of our security guidelines.
Regpack is PCI compliant Level 2 and has passed every audit on the first scan since 2010. Our entire system is scanned on a weekly basis through a PCI checking mechanism. In addition, a monthly scan is performed by the PCI compliance approval entity.
10. How do you keep viruses out of our data? How will you ensure my CHD & PII are safe? In the event of a breach, how soon will I be informed?
Regpack has regular code audits to make sure all code is written with security as a primary objective. All of our code is written by an internal team. Our code review protocols prevent any release into production unless it passes all of our security guidelines. In the case of a breach, clients are informed within 72 hours.
11. What is the backup and recovery plan? Do you have a backup and recovery SLA? Are your backups encrypted and securely stored/transmitted?
Data Backup and Restoration Plan:
- All user information is saved hourly on the delta, meaning any changes to the information are saved hourly.
- All user information is saved daily regardless of delta.
- All user information, OS, and infrastructure are saved weekly.
- Any deleted data can be restored within 24-48 hours by our Information Security Team.
- Any request to restore data must be the result of significant data loss and can only be approved by the Chief Executive Officer.
Yes, we have an SLA, and backups are encrypted and securely stored.
12. Does your company have a dedicated security team? Is your management committed to info sec?
Yes. We’re extremely committed to information security, as our business relies on it. This is management’s highest priority.
Our servers sit behind a physical firewall that is managed by a dedicated external security team.
13. How do you ensure you keep up with constantly changing information security best practices?
Data Security is of the highest priority at Regpack. We have third-party audits to ensure compliance and security integrity.
14. Who is responsible for the protection of my data? Which aspects of security are the responsibility of the provider, and what remains the responsibility of the customer?
Regpack uses the services of Rackspace Managed Security to perform hourly scans of all code, databases, and servers.
In addition to the automated scans, our servers are manually reviewed to confirm the integrity of all server elements on a daily basis.
Penetration testing is performed on a weekly basis.
15. Where will my data physically reside? Do you control the physical infrastructure or is the data hosted by a third-party cloud provider? Can I specify the geographical location where the data are to be stored?
Regpack uses a split database mechanism in which keys and values are stored separately from one another.
This mechanism creates a low-level internal encryption of the data and masks the type of data being pushed across servers.
16. Who owns the data? Who owns metadata generated in the course of using the software?
17. Which jurisdiction(s) govern the service and our agreement, and how do you comply with regulations in those jurisdictions?
The State of California governs the service and agreement.
18. What is the process of terminating our contract?
Canceling the renewal of a 12-month (or longer) license subscription requires at least 30 days’ notice via written correspondence to email@example.com.
If notice has not been given at least 30 days before the renewal date, the license will be renewed for an additional term of at least 12 months.
19. What happens to my data when it’s no longer needed? Are your data and equipment destruction processes secure?
If you suspend your account, your data will be held by the Service Provider for up to 6 months. At that point, your account will be renewed or you can request cancellation.
If your account is canceled, ALL data will be purged from the system immediately. Only data that is required by law to be retained will be exempt from the purge.