Rise Security

Rise People values its customers. The Rise platform needs to be available when needed, and data entrusted to Rise needs to be kept safe and secure.

Rise People has placed these commitments first and foremost in all of our processes and practices, as well as in our tooling selection and implementation.

Hosting

Rise chooses to host all Rise components in the cloud in Amazon Web Services data centers located within Canada (ca-central-1), ensuring that redundancy, resilience, and availability are considered from the ground up, in everything we do.

Data Encryption in Transmission and Storage

All data transmitted between Rise users and the Rise platform is encrypted using TLS 1.3, using a 2048-bit key, signed using SHA256 RSA-encrypted certificates, issued and managed by AWS.

Data stored within the Rise platform is encrypted at rest using AES-256. Keys are generated, managed, and rotated using AWS’ Key Management Service.

Additional field-level encryption is in place within the Rise Platform to protect especially sensitive data such as bank account information and SIN numbers.

User data does not leave Rise’s production environment.

Access Control and Identity Management

Rise provides distinct and discrete environments for different purposes within AWS. Production services run within their own account, separate from Staging and Development. Internal tools are hosted in yet another separate account.

Access by Rise staff to specific resources within specific accounts is managed using AWS IAM controls and AWS IAM Identity Center.

Access is granted using the least privilege principle. Access to Production accounts and resources is granted on a time-limited basis, only under extraordinary circumstances, and must be directly approved by designated senior engineering leaders.

All access to AWS resources is logged.

All Rise People staff are required to have passed a criminal background check.

Network Security

The Rise Platform and Payroll systems are protected using sophisticated firewalls that only allow traffic via HTTPS. Sensitive resources such as databases are inaccessible to the public, and only reachable by the specific applications requiring access.

Network security is monitored using observability tools, with unusual activity triggering alerts to our engineering teams.

Physical Security

Rise chooses to host all Rise components in the cloud in Amazon Web Services data centers located within Canada (ca-central-1).

The Rise Platform is hosted in a multi-availability zone configuration, which means redundancy is provided for all resources in more than one physical data centre.

AWS provides robust security to their Canadian data centres as outlined here.

Measures to secure AWS data centers begin with secure site selection, presence of physical security guards (24/7), CCTV surveillance and other detection systems, biometric access control systems, and much more.

While Rise doesn’t operate Platform systems on-premises, similar steps are used to protect Rise offices and facilities. Rise facilities are located in a secure telecommunications hub managed by a major Canadian telecommunications carrier, which includes physical security guards (24/7), CCTV surveillance and other detection systems, logged access control systems, and much more.

Incident Response and Monitoring

Rise Platform systems are monitored using industry-leading observability tools, integrated with AWS CloudWatch, to provide a 360° view of application performance and security. Specific service level indicators are monitored to ensure that Rise is meeting its service level agreements and other obligations. These tools provide proactive warnings on conditions that could lead to outages. If conditions warrant, alerts are triggered that notify staff according to an escalation ladder that ensures that no alert goes unacknowledged.

If warranted by a predefined set of criteria measuring impact and risk to users, an incident is declared and an incident response plan is activated. The plan defines roles for staff and leads them through the process of communicating issues to staff and customers via https://status.risepeople.com.

Rise’s incident management procedure prioritizes restoration of service and protection of data first, with investigation and analysis following as a required next step.

Backup and Disaster Recovery

Rise performs daily backups of all Production data with hourly point-in-time recovery, ensuring that customer data is secure and up-to-date in the unlikely event of catastrophic disruption.

Rise’s Disaster Recovery Plan commits to a recovery time objective of 3 hours and a recovery point objective of 1 hour. This plan is tested every six months.

Audit Logging

Rise logs and audits all employee access to its Production environment to establish and maintain confidence in the security and integrity of Production systems.

Additional logging and auditing occurs within the Platform to track changes to Employee Status, Payroll Input sheet compensation (per pay period), Permanent Compensation, ROE history, Classification (permanent, part time, casual), Contracted Hours, Tax configuration, Employment region (on each pay run), and Employee Payment method (direct deposit or cheque).

Application Development Processes

Rise employs a structured software development process with distinct planning, design, implementation, testing, deployment, and monitoring phases to promote and ensure the quality of the software and tools built by the Rise team.

New features and enhancements are meticulously planned and vetted to establish requirements.

  • Technical and user experience design is conducted and reviewed prior to implementation.
  • Rise Engineers employ modern test-driven development practices during development. Automated and manual testing is rigorously conducted prior to release.
  • All builds and deployments are conducted through an automated continuous deployment pipeline that runs additional tests and checks prior to deployment.
  • Previous versions of all changes are archived, ensuring a simple and quick rollback procedure. All Rise software is observable through industry-leading observability tools where errors can be identified, tracked, and actioned upon.

Financial Transactions

Rise maintains its own in-house funds-transfer service that collects both service fees from customers and funds for pay run disbursal from customers to end employees.

Rise works with the Royal Bank of Canada for all transfers and adheres to all of their rigorous security standards, processes, and procedures. These include communication over encrypted channels with requests verified by public key.

Sensitive information such as bank account information is encrypted at the field-level, in addition to being stored on encrypted volumes while at rest. All encryption keys are managed by AWS Key Management Service and are rotated regularly.

Partners

Like all modern SaaS products, Rise makes use of a number of partner tools and platforms to deliver the best service possible for our customers.

All vendors must pass Rise’s rigorous evaluation process, which includes a security assessment, review of relevant security certifications, review of relevant privacy policies, reviews of relevant service level objectives and agreements, and a risk definition and management assessment.

Rise’s largest and most important partnership is with Amazon Web Services, which holds SOC 1, SOC 2, and ISO 27001 certifications. A full list of the 1000+ certifications and attestations can be found at https://aws.amazon.com/compliance/programs/.