Regpack Security Protocols

Summary of the security protocols in place to protect information held within Regpack’s digital architecture.

Our servers sit behind a physical (hardware) firewall that is managed by a dedicated external security team. It is configured on an allowlist, default-deny basis: all traffic is denied unless a rule specifically permits it.

Regpack uses a split database mechanism in which keys and values are stored separately from one another. This separation obscures the data at a low level and masks the type of data being moved between servers. It is a structural safeguard that complements, but does not replace, the disk-level and field-level encryption described below.

Our servers' disks are encrypted at rest (full-disk encryption), so data on a drive that is removed, lost, or decommissioned cannot be read.

All sensitive values in the databases are encrypted with a unique key per user. A value cannot be viewed or used unless the key material bound to the specific project, user, server, and time of encryption is all present; a key for one user or project does not decrypt another's data. The application automatically determines, according to a set of variables, which fields are treated as sensitive values.
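The following is an added illustration of the field-level scheme described above, written for this page in Go; it is not Regpack's code and makes no claim about their implementation. It assumes a master key held in a KMS/HSM (a constructed byte string here), derives a per-record AES-256 key from that master key plus the project, user, server and encryption time, encrypts only the fields a hypothetical `sensitiveFields` rule set marks as sensitive, and binds the same context into the AES-GCM associated data so that a ciphertext presented with any other context fails authentication instead of decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// masterKey stands in for a root key that would live in an HSM or KMS; it is a
// constructed value for this example only.
var masterKey = []byte("example-master-key-32-bytes-long")

// FieldContext holds the variables a record key is bound to. Changing any one of
// them derives a different key, so a ciphertext decrypts only when the same
// project, user, server and encryption time are all presented.
type FieldContext struct {
	Project, User, Server string
	EncryptedAt           int64 // Unix seconds, stored beside the record so decryption can rebuild the context
}

// info serialises the context; it is both the KDF input and the AEAD associated data.
func (c FieldContext) info() []byte {
	return []byte(fmt.Sprintf("field-key-v1|%s|%s|%s|%d", c.Project, c.User, c.Server, c.EncryptedAt))
}

// newAEAD derives the per-record AES-256 key with a single-step HMAC-SHA256 KDF
// (the expand step of HKDF) and wraps it in AES-GCM. No per-user key is ever stored.
func newAEAD(ctx FieldContext) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write(ctx.info())
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sensitiveFields is a hypothetical rule set deciding which values get field-level
// encryption; a real deployment would drive this from schema metadata.
var sensitiveFields = map[string]bool{"ssn": true, "card_number": true, "date_of_birth": true}
func IsSensitive(field string) bool { return sensitiveFields[field] }

// EncryptField seals one value under the context-bound key. Because the context is
// also associated data, a ciphertext copied into another user's row fails to authenticate.
func EncryptField(ctx FieldContext, plaintext string) (string, error) {
	gcm, err := newAEAD(ctx)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Stored layout: nonce || ciphertext || GCM tag, hex-encoded for a text column.
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), ctx.info())), nil
}

// DecryptField returns an error, never a garbled value, when the context is wrong
// or the stored bytes were tampered with.
func DecryptField(ctx FieldContext, encoded string) (string, error) {
	sealed, err := hex.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newAEAD(ctx)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, sealed[:n], sealed[n:], ctx.info())
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptRecord encrypts only the fields the rule set marks sensitive and leaves the
// rest in the clear so ordinary queries still work.
func EncryptRecord(ctx FieldContext, record map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(record))
	for k, v := range record {
		if !IsSensitive(k) {
			out[k] = v
			continue
		}
		ct, err := EncryptField(ctx, v)
		if err != nil {
			return nil, err
		}
		out[k] = ct
	}
	return out, nil
}
```

Two design points worth noting: the encryption timestamp must be stored alongside the ciphertext (in the clear) or the key can never be rebuilt, and a full HKDF with a salt would be the production choice over the single HMAC step used here for brevity.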

Regpack runs a best-in-class WAF (Web Application Firewall) that inspects incoming requests and filters known database attack patterns, such as SQL injection, before they reach the application. This blocks the common route of reaching the database through the application layer; the WAF is a defence-in-depth layer in front of, not a replacement for, parameterised queries in the application code. In addition, the system limits the amount of data transferred with every request and per IP address, so that no single client can pull mass amounts of information.
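As an added example of the per-request and per-IP data limits just described (written for this page in Go; not Regpack's code, and the numbers and type names are hypothetical), the following caps the rows any one request may return and charges the capped payload against a per-IP byte budget inside a fixed time window, refusing the request once the budget is spent:

```go
package main

import (
	"sync"
	"time"
)

// Limits is a hypothetical policy: how many rows one request may return and how
// many bytes one client IP may be sent per window before further requests are refused.
type Limits struct {
	MaxRowsPerRequest int
	MaxBytesPerIP     int64
	Window            time.Duration
}

type bucket struct {
	start time.Time
	bytes int64
}

// Throttle tracks bytes sent per IP inside a fixed window. It is in-memory for the
// example; a fleet of application servers would keep this in a shared store.
type Throttle struct {
	mu      sync.Mutex
	limits  Limits
	buckets map[string]*bucket
}

func NewThrottle(l Limits) *Throttle { return &Throttle{limits: l, buckets: map[string]*bucket{}} }

// CapRows truncates a result set to the per-request maximum, so one query can never
// return the whole table regardless of what the caller asked for.
func (t *Throttle) CapRows(rows []string) []string {
	if len(rows) > t.limits.MaxRowsPerRequest {
		return rows[:t.limits.MaxRowsPerRequest]
	}
	return rows
}

// Allow records that size bytes are about to be sent to ip at time now and reports
// whether the client is still within its window budget.
func (t *Throttle) Allow(ip string, size int64, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	b, ok := t.buckets[ip]
	if !ok || now.Sub(b.start) >= t.limits.Window {
		b = &bucket{start: now} // first request, or the window has rolled over
		t.buckets[ip] = b
	}
	if b.bytes+size > t.limits.MaxBytesPerIP {
		return false // over budget: the handler should answer 429 and send nothing
	}
	b.bytes += size
	return true
}

// Serve is the order an application handler should follow: cap the rows first,
// then charge the capped payload against the IP's budget. It returns the rows to
// send, or nil when the request is refused.
func (t *Throttle) Serve(ip string, rows []string, now time.Time) []string {
	capped := t.CapRows(rows)
	var size int64
	for _, r := range capped {
		size += int64(len(r))
	}
	if !t.Allow(ip, size, now) {
		return nil
	}
	return capped
}
```

Capping before charging matters: the budget should be consumed by what the client actually receives, not by what it asked for, otherwise an attacker can exhaust their own budget cheaply but also learn nothing, while a legitimate client paginating normally is never refused.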

Regpack conducts regular code audits to make sure all code is written with security as a primary objective. All of our code is written by an internal team. Our code review protocols prevent any release into production unless it passes all of our security guidelines.

Regpack uses Rackspace Managed Security to run hourly automated scans of all code, databases, and servers. In addition to the automated scans, our servers are manually reviewed daily to confirm the integrity of all server elements. Penetration testing is performed weekly.

Regpack is PCI DSS Level 2 compliant and since 2010 has passed every audit on the first scan. Our entire system is scanned weekly through a PCI checking mechanism, and a monthly scan is performed by the entity that approves our PCI compliance.