Customer Data Security
- Rollout does not access or save end user data – The Rollout service does not access or save end user data, including any end user Personally Identifiable Information (PII). The Rollout architecture is built around privacy: targeting of specific end users happens on the client side (mobile app, web app or a backend system) with locally available attributes and is never transmitted back to Rollout.
- Data Transfer – All data transmission to and from the Rollout Agent (SDK) is secured via 128-bit SSL encryption using a 2048-bit RSA encryption key.
- Data verification and Man-in-the-middle attacks – The Rollout solution is the only solution that uses Private/Public keys to verify that the data received by the SDK is indeed the data sent by the Rollout system, securing the platform against Man-in-the-middle
Instance and Network Security
- Authentication – Access to the Rollout dashboard is secured using a username, password, and 2FA (if enabled by the user). Passwords are encrypted with an AES-256 hash and random salt.
- Instance and Network Security – AWS VPC, VPN, subnets and security groups: AWS VPC is an isolated private network dedicated to Rollout.io. Running our system in a VPC, with VPN, subnets and security groups (firewalls), adds an additional layer of security. The Rollout.io VPC uses network access control that limits access from the internet to a limited set of resources. Rollout backend services can only be accessed over a secured VPN connection, which is available only to a small group of individuals with the applicable internal credentials, 2FA (Two Factor Authentication) and private access keys.
Physical Data Center Security
- Physical Access – Rollout relies on the Amazon cloud’s exceptionally flexible and secure cloud infrastructure to store data logically across multiple AWS cloud regions and availability zones. AWS makes abiding by industry and government requirements simple and ensures the utmost in data security and protection. For example, AWS infrastructure aligns with IT security best practices and follows a number of compliance standards such as: SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), HIPAA, SOC 2, SOC 3, FISMA, DIACAP, FedRAMP. All data centers that run Rollout.io’s platform are secured and monitored 24/7, and physical access to AWS facilities is strictly limited to select AWS cloud staff. (For more information about AWS’ secure architecture and compliance certifications, visit: http://aws.amazon.com/security)