Secure by Design

The Epiphany Intelligence Platform's software, the platform it runs on, and the environment it runs within, is built with security as its core tenant. To help eliminate possible gaps in security, we have implemented redundant security controls within our environment and throughout our software. However, while we strive to catch all vulnerabilities in the due course of business, we realize that sometimes mistakes happen. We encourage our customers, industry experts, and partners to submit any bugs or security concerns to our security email at security@reveald.com.

Data Ingestion, Storage, and Privacy

To protect our customers and their users from data compromise, the Epiphany Intelligence Platform takes every effort to ensure any personal identifying information (PIl) collected is stored anonymized, obfuscated, hashed and/or encrypted. The Epiphany Intelligence Platform only collects data from systems our customers have either uploaded or where our customer has enabled data ingestion to the Epiphany Intelligence Platform via the use of an API.

Data at rest in the Epiphany Intelligence Platform's production network is encrypted using FIPS 140-2 compliant encryption standards, which applies to all types of data at rest within the Epiphany Intelligence Platform’s relational databases, file stores, database backups, etc. All encryption keys are stored in a key management system with very limited access.

The Epiphany Intelligence Platform has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials. Each Epiphany Intelligence Platform customer's data is either hosted in our environment and is logically separated from any other customers' data or hosted in your own environment with a unique Epiphany Intelligence Platform instance. We use a combination of storage technologies to ensure customer data is protected from hardware failures and returns quickly when requested.

The Epiphany Intelligence Platform service is hosted in data centers maintained by industry-leading service providers, offering state-of-the-art physical protection for the servers and infrastructure that comprise the Epiphany Intelligence Platform operating environment. Supplemental information on data usage within the Epiphany Intelligence Platform can be found in the Epiphany Intelligence Platform Data Usage Guide.

Network Security and Server Handling

The Epiphany Intelligence Platform divides its systems into separate networks to better protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting the Epiphany Intelligence Platform's production infrastructure.

All servers within our production fleet are hardened (e.g., disabling unnecessary ports, removing default passwords, etc.) and have a base configuration image applied to ensure consistency across the environment. Network access to the Epiphany Intelligence Platform's production environment from open, public networks (the Internet) is restricted, with only a small number of production servers accessible from the Internet.

Only those network protocols essential for delivery of the Epiphany Intelligence Platform’s service to its users are open at our perimeter and there are mitigations against distributed denial of service (DDoS) attacks deployed at the network perimeter. Additionally, for host-based intrusion detection and prevention activities, the Epiphany Intelligence Platform logs, monitors, and audits all system calls and has alerting in place for system calls that indicate a potential intrusion.

Endpoint Security

All workstations used by Reveald personnel are configured by the Epiphany Intelligence Platform to comply with our standards for security. These standards require all workstations to be properly configured, updated, tracked, and monitored. The Epiphany Intelligence Platform requires workstations to encrypt data at rest, use a modern endpoint protection, have strong passwords, and lock when idle.

Access Control Provisioning

To minimize the risk of data exposure, the Epiphany Intelligence Platform adheres to the principles of least privilege and role-based permissions when provisioning access. Workers are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities. All production access is reviewed at least quarterly by our security team.

Authentication

To further reduce the risk of unauthorized access to data, the Epiphany Intelligence Platform employs multi-factor authentication for all access to systems with highly sensitive data, including our production environment, which houses our customer data. Where possible and appropriate, the Epiphany Intelligence Platform uses private keys for authentication, in addition to the previously mentioned multi-factor authentication on a separate device.

Password Management

The Epiphany Intelligence Platform leverages a password management system, where possible, to ensure enhanced credential management and monitor passwords for uniqueness, complexity, reuse, dark web compromise, and other password-related risks. In cases where this is not possible, the Epiphany Intelligence Platform ensures those systems have proper controls in place and are monitored.

System Monitoring, Logging, and Alerting

The Epiphany Intelligence Platform monitors servers, workstations, and mobile devices to retain and analyze a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands, and system calls on all servers in the Epiphany Intelligence Platform's production network are logged and retained for at least two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. All production logs are stored in a separate network that is restricted to only the relevant security personnel.

Data Retention and Disposal

We will store your usage data until such time when you withdraw your consent for us to do so. All other data as specified above will be retained for as long as is necessary for the purposes for which we originally collected it. We may also retain information as required by law. Customer data is removed immediately upon deletion by the end user or upon expiration of message retention as configured by the administrator.

Upon termination of your production subscription the Epiphany Intelligence Platform will encrypt a current state backup of your information and retain it for 15 days should you wish to re-activate your subscription. If you wish this not be done, please notify us at security@reveald.com.

The Epiphany Intelligence Platform hard deletes all information from currently running production systems and backups are destroyed the day after the temporary retention period. The Epiphany Intelligence Platform's hosting providers, including customers that host the Epiphany Intelligence Platform or Epiphany Intelligence Platform images on premises, are responsible for ensuring removal of data from disks is performed in a responsible manner before they are re-purposed.

Disaster Recovery and Business Continuity Plan

The Epiphany Intelligence Platform utilizes services deployed by its hosting provider to distribute production operations across multiple AWS regions within the continental United States. These AWS regions are within separate geographic regions and protect the Epiphany Intelligence Platform's service from loss of connectivity, power infrastructure, and other common location-specific failures.

Production transactions are replicated among these discrete operating environments to protect the availability of the Epiphany Intelligence Platform's service in the event of a location-specific catastrophic event. The Epiphany Intelligence Platform also retains a full back-up copy of production data in a remote location significantly distant from the location of the primary operating environment. Full backups are saved to this remote location at least once per day and transactions are saved continuously. The Epiphany Intelligence Platform tests backups at least quarterly to ensure they can be successfully restored.

Responding to Security Incidents

The Epiphany Intelligence Platform has established policies and procedures for responding to potential security incidents. All security incidents are managed by the Epiphany Intelligence Platform's dedicated Detection and Response Team (DART). We have defined the types of events that must be managed via the incident response process and classify them based on severity. In the event of an incident, affected customers will be informed via email from our customer experience team. Incident response procedures are tested and updated at least annually. To initiate an investigation for a security-related concern, you can reach out to your customer service representative with the details or email security@reveald.com.

Vendor Management

To run efficiently, the Epiphany Intelligence Platform relies on a select number of trusted external service providers. These service providers are carefully selected and meet high data protection and security standards. We only share information with them that is required for the services offered and we contractually bind them to keep any information we share with them as confidential and to process personal data only according to our instructions. Where those service providers may impact the security of the Epiphany Intelligence Platform's production environment, we take appropriate steps to ensure our security posture is maintained by establishing agreements that require service organizations to adhere to confidentiality commitments we have made to users. The Epiphany Intelligence Platform monitors the effective operation of the organization's safeguards by conducting reviews of all service organizations' controls before use and at least annually.

External Validation

• Security Compliance Audits. The Epiphany Intelligence Platform is continuously monitoring, auditing, and improving the design and operating effectiveness of our security controls. These activities are regularly performed by both third-party credentialed assessors and the Epiphany Intelligence Platform's internal risk and compliance team. Audit results are shared with senior management and all findings are tracked to resolution in a timely manner.

• Penetration Testing. In addition to our compliance audits, the Epiphany Intelligence Platform engages independent entities to conduct application-level and infrastructure-level penetration tests at least annually. Results of these tests are shared with senior management and are triaged, prioritized, and remediated in a timely manner. Customers may receive executive summaries of these activities by requesting them from their account executive.

• Customer Driven Audits and Penetration Tests. Our customers are welcome to perform either security controls assessments or penetration testing on the Epiphany Intelligence Platform's environment during our annual Epiphany "Bright Idea" hack-a-thon. Please contact your account executive to express your desire to participate in these types of activities.