Introduction
Regrello is the leading cloud platform for supply chain coordination and management.
Supply chain operations for both government and large enterprises are, to a large degree, still run over email. This results in a lack of visibility, many manual processes, and no standardization of those processes. One of the more common impediments to moving to a modern cloud-based solution is the perceived risk of data loss or of security failures outside your direct control. For this reason, Regrello was built around a philosophy of “security first,” with the security of your data as a top priority.
At Regrello, we believe that security is a core differentiator of our product.
Data Security
Regrello stores all customer data within Google data-centers, which are protected with state-of-the-art practices and safeguards, including data replication, off-site backups, and 24/7 monitoring. Google data-centers are some of the safest physical locations in the world.
Among other compliance programs and certifications, Google data-centers are covered by FedRAMP, ISE Audit, HIPAA, NIST 800-53, and FIPS 140-2.
For more information about Google data-center security, please see their Data Security page.
Infrastructure Security
Network Security Infrastructure
Regrello uses industry-standard network protection mechanisms, including network segregation using separate Virtual Private Cloud instances within Google’s networking infrastructure, as well as centralized logging and alerting. The attack surface is reduced by limiting public-facing ingress to our web servers on the expected ports only. Administrative network access is restricted to authorized operations personnel and protected by strict ingress controls, encrypted channels, and multi-factor authentication.
Automated Patch Management and System Integrity
All Regrello systems are built through Infrastructure as Code, ensuring that configurations remain stable and reviewable. Fresh instances of all systems, including web servers, databases, and load balancers, are deployed frequently, so that no Regrello system runs for more than two weeks before being replaced. This ensures that every system carries the latest patches and security fixes, and that no configuration drift can persist: any change must go through review and be incorporated into our official infrastructure definitions before it survives the next redeployment.
Secure Base Images
All Regrello systems are built upon up-to-date and minimal operating system images. This greatly reduces the system attack surface, by ensuring that out-of-date software, and software not directly related to providing the Regrello service, does not exist on our systems. Our operating system images do not include any unnecessary services, libraries, or applications.
Application Security
Security in the Software Development Lifecycle
Before a feature is written at Regrello, it is exhaustively described in both functionality and architecture. These are carefully reviewed and threat-modeled prior to development. During development, all code (including application code and infrastructure-as-code) is peer-reviewed before it can be merged into our codebase. This review process covers code correctness and maintainability, and when appropriate, a security review. Security reviews are performed by individuals specially trained for this purpose.
Safe Languages and Pipelines
All Regrello systems are written in Go and TypeScript, which are both memory-safe languages with strong type systems. This removes the class of memory-corruption vulnerabilities, such as buffer overflows, from all code that does not reach for explicit escape hatches (Go’s unsafe package and cgo). Furthermore, all Regrello code undergoes both static analysis (SAST) and dynamic analysis (DAST) prior to release, allowing vulnerabilities to be caught before they are ever deployed.
Vulnerability Prevention Principles
An ounce of prevention is worth a pound of cure. At Regrello, we practice defense in depth, employing several application development principles which mitigate or obviate whole classes of vulnerabilities.
Regrello serves its application with a strict Content Security Policy (CSP), which mitigates client-side vulnerabilities such as Cross-Site Scripting (XSS) and dangling markup injection by refusing to execute injected scripts and by restricting where the page may send requests. Regrello also enforces strict database access control policies, which bound what a database injection attack such as SQL injection could reach, should one ever be found.
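The following is an added example, not Regrello’s own code, showing what a strict, nonce-based CSP of the kind described above looks like when set by a Go HTTP middleware. The exact directive set and the X-CSP-Nonce request header used to hand the nonce to the page template are this example’s own choices; the page does not publish Regrello’s policy.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// cspNonce returns a fresh 128-bit random nonce, base64-encoded as CSP requires.
func cspNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// buildCSP assembles a strict policy. Each directive closes a specific hole:
// default-src 'none' denies anything not listed; script-src with a nonce and
// 'strict-dynamic' means injected inline or attribute scripts never run (XSS);
// base-uri 'none', form-action 'self' and connect-src/img-src 'self' stop a
// dangling-markup injection from redirecting or exfiltrating page content to an
// attacker-controlled host; frame-ancestors 'none' blocks clickjacking.
func buildCSP(nonce string) string {
	directives := []string{
		"default-src 'none'",
		fmt.Sprintf("script-src 'nonce-%s' 'strict-dynamic'", nonce),
		"style-src 'self'",
		"img-src 'self'",
		"font-src 'self'",
		"connect-src 'self'",
		"form-action 'self'",
		"base-uri 'none'",
		"frame-ancestors 'none'",
		"object-src 'none'",
	}
	return strings.Join(directives, "; ")
}

// withCSP mints a per-request nonce, sets the header, and passes the nonce to
// the handler via a request header (X-CSP-Nonce is this example's own name) so
// templates can stamp it onto legitimate <script> tags.
func withCSP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := cspNonce()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Security-Policy", buildCSP(nonce))
		r.Header.Set("X-CSP-Nonce", nonce)
		next.ServeHTTP(w, r)
	})
}

// hasDirective reports whether a serialized policy contains the directive
// `name` with the source expression `source`, e.g. ("base-uri", "'none'").
func hasDirective(policy, name, source string) bool {
	for _, d := range strings.Split(policy, ";") {
		fields := strings.Fields(d)
		if len(fields) == 0 || fields[0] != name {
			continue
		}
		for _, s := range fields[1:] {
			if s == source {
				return true
			}
		}
	}
	return false
}

// serveOnce pushes one request through the middleware and returns the policy
// header a browser would receive.
func serveOnce() string {
	page := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce := r.Header.Get("X-CSP-Nonce")
		fmt.Fprintf(w, `<script nonce=%q>console.log("ok")</script>`, nonce)
	})
	rec := httptest.NewRecorder()
	withCSP(page).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Header().Get("Content-Security-Policy")
}

func main() {
	fmt.Println(serveOnce())
}
```

Two properties are worth checking on any deployed policy: the nonce must differ on every response (a static nonce is equivalent to 'unsafe-inline'), and script-src must not carry 'unsafe-inline' or 'unsafe-eval', which would reintroduce the XSS vector the policy exists to remove.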
In addition to these technical safeguards, the Regrello application is architected with a strict front-end / back-end API separation and an API-first development process. Because every operation passes through the same API regardless of which client invokes it, validation and authorization are enforced at the API rather than in the user interface, where flaws in the data model or application logic would otherwise be difficult to detect.
Customer Segregation
Regrello operates a multi-tenant system with strict tenant separation. Each tenant has its own storage bucket, its own cache, and its own dedicated database. This is a structural safeguard against cross-tenant access vulnerabilities: a request processed on behalf of one tenant cannot read another tenant’s data because it holds no database connection to where that data is stored. Similarly, a cache poisoning attack cannot cross a tenant boundary, because the tenants use entirely separate caches.
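The following is an added example, not Regrello’s code, illustrating the structural point above in Go: the only route to a data store is a per-request lookup keyed on the authenticated tenant, so application code never holds a handle that could reach another tenant. The tenant-from-subdomain scheme, the tenant names and the sample rows are this example’s own assumptions; an in-memory map stands in for each tenant’s dedicated database so the example runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// tenantStore stands in for one tenant's dedicated database connection. In a
// real deployment this would be a *sql.DB for that tenant's own database.
type tenantStore struct {
	tenant string
	rows   map[string]string
}

// registry maps a tenant ID to its dedicated store. No other variable in the
// program holds a store: code can only reach one through storeFor(ctx).
type registry struct {
	stores map[string]*tenantStore
}

type ctxKey struct{}

var (
	errNoTenant      = errors.New("request has no authenticated tenant")
	errUnknownTenant = errors.New("unknown tenant")
)

// tenantFromHost derives the tenant from the request host, e.g.
// "acme.example.test:443" -> "acme". This scheme is an assumption of the
// example; the page does not say how Regrello identifies tenants.
func tenantFromHost(host string) (string, error) {
	host = strings.ToLower(strings.TrimSpace(host))
	if i := strings.IndexByte(host, ':'); i >= 0 {
		host = host[:i]
	}
	parts := strings.Split(host, ".")
	if len(parts) < 3 || parts[0] == "" {
		return "", errNoTenant
	}
	return parts[0], nil
}

// withTenant is the single point where tenant identity enters the request path.
func withTenant(ctx context.Context, tenant string) context.Context {
	return context.WithValue(ctx, ctxKey{}, tenant)
}

// storeFor returns the one store this request may use. A request without a
// tenant, or with an unprovisioned one, gets no handle at all rather than a
// shared or default connection.
func (r *registry) storeFor(ctx context.Context) (*tenantStore, error) {
	tenant, ok := ctx.Value(ctxKey{}).(string)
	if !ok || tenant == "" {
		return nil, errNoTenant
	}
	s, ok := r.stores[tenant]
	if !ok {
		return nil, errUnknownTenant
	}
	return s, nil
}

// lookup is the application query. It never names a tenant; it only asks for a
// key, and the registry decides which database answers.
func (r *registry) lookup(ctx context.Context, key string) (string, error) {
	s, err := r.storeFor(ctx)
	if err != nil {
		return "", err
	}
	v, ok := s.rows[key]
	if !ok {
		return "", fmt.Errorf("%s: no row %q", s.tenant, key)
	}
	return v, nil
}

// newDemoRegistry provisions two tenants with constructed sample rows that
// deliberately share a key, so the same query must yield different answers.
func newDemoRegistry() *registry {
	return &registry{stores: map[string]*tenantStore{
		"acme":   {tenant: "acme", rows: map[string]string{"po-1001": "acme purchase order"}},
		"globex": {tenant: "globex", rows: map[string]string{"po-1001": "globex purchase order"}},
	}}
}

// queryAs resolves the tenant from a host header and runs lookup, as a request
// handler would.
func queryAs(reg *registry, host, key string) (string, error) {
	tenant, err := tenantFromHost(host)
	if err != nil {
		return "", err
	}
	return reg.lookup(withTenant(context.Background(), tenant), key)
}

func main() {
	reg := newDemoRegistry()
	for _, host := range []string{"acme.example.test", "globex.example.test", "example.test"} {
		v, err := queryAs(reg, host, "po-1001")
		fmt.Printf("%-22s -> %q err=%v\n", host, v, err)
	}
}
```

The property to look for in a real code base is the absence of any global database handle or default tenant: every query site must obtain its connection from the request’s tenant context, and a missing or unknown tenant must fail closed rather than fall through to a shared store.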
Data Encryption
Encryption At Rest
All customer data is encrypted at the storage layer with the Advanced Encryption Standard (AES), AES-256 in Galois/Counter Mode (GCM), using Google-managed keys that are rotated periodically. Encryption and decryption are performed by BoringCrypto, a FIPS 140-2 validated module, within Google’s cloud storage. For more information about how Google encrypts data stored in Google Cloud, please see their Encryption At Rest page.
Encryption In Transit
All network traffic, both over the Internet and within our internal networks, is encrypted and authenticated using TLS 1.2 or greater.
Strong Pentesting Practices
At Regrello, we believe that penetration testing is a vital component of providing a secure platform. We regularly perform internal penetration tests of all of our components. In addition, we commission third-party penetration tests annually. Our most recent pentest reports are available on request.
All such security testing occurs on a fully separate instance operating within a fully separate VPC, sharing no resources with our production application. As such, pentests and other security testing will never impact your data.
Security Training
Senior engineers at Regrello have strong security backgrounds, and come from Palantir, Meta, Google, Linkedin, and Demandbase. Regrello provides in-depth security training to all engineers, with a focus on the OWASP Top 10. This training includes practical exercises in attack, defense, and vulnerability remediation.
Operational Security
Endpoint Security
All Regrello employees use company-provided workstations, which are centrally managed by IT staff. All Regrello devices are encrypted, kept up to date with the latest software and security patches, and run up-to-date antivirus software.
Internal System Access
Access to internal systems is provided as needed only, following the Principle of Least Privilege. Any internal systems which provide access to our infrastructure, communications, email, or other sensitive mechanisms are configured to require multi-factor authentication (MFA).
Email Security
Our email is provided by Google Workspace. Email data is stored in Google Cloud storage and encrypted to the same standard as customer data (see the Encryption At Rest section). Multi-factor authentication (MFA) is required for access to Regrello email.
In addition, we protect our customers by publishing a strict DMARC policy for the Regrello domain, so that receiving mail systems that enforce DMARC reject messages which claim to come from our domain but fail SPF or DKIM alignment. This blocks spoofing of the exact Regrello domain; it does not cover look-alike domains, so the sending domain of any message should still be checked carefully.
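As an added example (not Regrello’s code, and not its published record), the Go program below parses a DMARC TXT record of the form published at _dmarc.<domain> and decides whether it actually enforces rejection: p=reject, no weaker sp= override for subdomains, and pct=100. The sample records are constructed for illustration. In practice the record to feed it comes from `dig +short TXT _dmarc.<domain>`.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// dmarcPolicy is the subset of a DMARC record (RFC 7489) that decides whether
// mail failing authentication is actually refused.
type dmarcPolicy struct {
	Policy          string // p=  : none | quarantine | reject
	SubdomainPolicy string // sp= : defaults to p when absent
	Percent         int    // pct=: 0..100, defaults to 100
	Report          string // rua=: aggregate report destination(s)
}

var errNotDMARC = errors.New("not a DMARC record: missing v=DMARC1")

// parseDMARC parses the "tag=value;" syntax of a DMARC TXT record.
func parseDMARC(txt string) (dmarcPolicy, error) {
	pol := dmarcPolicy{Percent: 100}
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 {
			continue
		}
		tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
	}
	if !strings.EqualFold(tags["v"], "DMARC1") {
		return pol, errNotDMARC
	}
	pol.Policy = strings.ToLower(tags["p"])
	if pol.Policy == "" {
		return pol, errors.New("missing required p= tag")
	}
	pol.SubdomainPolicy = strings.ToLower(tags["sp"])
	if pol.SubdomainPolicy == "" {
		pol.SubdomainPolicy = pol.Policy // RFC 7489: sp defaults to p
	}
	if v, ok := tags["pct"]; ok {
		n, err := strconv.Atoi(v)
		if err != nil || n < 0 || n > 100 {
			return pol, fmt.Errorf("invalid pct=%q", v)
		}
		pol.Percent = n
	}
	pol.Report = tags["rua"]
	return pol, nil
}

// enforcesRejection reports whether a receiver honouring this record refuses
// every message that fails DMARC alignment for the domain and its subdomains.
// p=none only monitors, quarantine lets spoofs into a spam folder, and pct<100
// exempts a sample of failing mail from the policy.
func (p dmarcPolicy) enforcesRejection() bool {
	return p.Policy == "reject" && p.SubdomainPolicy == "reject" && p.Percent == 100
}

// sampleRecords are constructed for this example; none is a real published record.
var sampleRecords = map[string]string{
	"strict":      "v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
	"monitor":     "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
	"partial":     "v=DMARC1; p=reject; pct=50",
	"weak-subdom": "v=DMARC1; p=reject; sp=none",
}

func main() {
	for name, rec := range sampleRecords {
		pol, err := parseDMARC(rec)
		fmt.Printf("%-12s enforced=%-5v err=%v\n", name, pol.enforcesRejection(), err)
	}
}
```

Only the first sample record counts as “strict” in the sense used above; the other three are common ways a domain appears protected while still letting some spoofed mail through.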
Security Awareness
All Regrello employees and contractors undergo annual security awareness training. This training covers topics including software and data hygiene, privacy, email safety, safe password use, phishing and social engineering, and other security best practices.
Compliance
Regrello is SOC 2 compliant, validating our commitment to robust security practices and our dedication to safeguarding our customers' sensitive data and business processes. With SOC 2 compliance, Regrello establishes itself as a trusted partner in supply chain coordination and management for organizations that need innovative solutions without compromising on security. To receive a copy of our SOC 2 Type 2 report, please contact compliance@regrello.com.