Ragic has implemented various measures to ensure data security. The following sections explain them from multiple perspectives: certification, compliance, physical security, data storage security, network and system security, application architecture security, personnel security, backup and disaster prevention, and on-premise servers.
ISO 27001 Information Security
ISO/IEC 27001 is a global standard for managing information security, introduced by ISO and IEC in 2005 and updated in 2013. It provides guidelines for creating and continually improving an Information Security Management System (ISMS) to enhance the security of organizational information assets.
Ragic has been certified with the ISO/IEC 27001:2013 standard. We implement information security protection and prevention measures following relevant governance methods. You may refer to this page for relevant information and click here to download the certificate.
The EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (“Privacy Shield”) provide a mechanism for companies in Europe and America to comply with data protection requirements.
Ragic has certified to the Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the EEA, the United Kingdom, and Switzerland to the United States. You may refer to this page for relevant information.
Ragic complies with the General Data Protection Regulation (GDPR) with procedures for data erasure, personal info protection, and data transfers.
We have European servers located in Belgium and Ireland. Users from other regions can also inquire about moving their databases to European servers.
Ragic complies with the Health Insurance Portability and Accountability Act (HIPAA), safeguarding the process of handling, storing, and transmitting Protected Health Information (PHI).
Our hosting service providers, AWS and GCP, also adhere to these standards and can sign a Business Associate Agreement (BAA) when required.
Physical Server Security
Our servers are provided by well-known public clouds (Google, AWS), with features including:
1. Annual audits for the following standards: ISO 27001, SOC1, SSAE16 / ISAE 3402 Type II: SOC 2, SOC 3, PCI DSS v3.0
2. Information Security Team consisting of more than 500 top experts.
3. Custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics
Network and System Security
SSL Encryption: All data transmissions support bank-level HTTPS/SSL encryption. SSL encryption is always enforced when sending sensitive information.
Intrusion Detection: Packets sent to servers go through a series of strict firewall rules and an application-level intrusion detection and blocking program that stops malicious requests and IPs in real time.
Complete Audit Logs: All requests, system events, application events, and database events are logged and ready for expert analysis. All logs are reviewed periodically to make adjustments for new defense policies.
Disk Encryption: All data written to disk is encrypted on the fly and then transmitted and stored in encrypted form. This conforms to ISO 27001, SSAE-16, SOC 1, SOC 2, and SOC 3 certifications.
RAID storage: All data is mirrored to multiple RAID hard disks, ensuring your data is safe from hard disk failures.
Server Backup: All servers are backed up daily to a different set of persistent storage.
Database Backup: All customer databases are backed up to a different location for disaster recovery.
Database security: Ragic's database has a unique design that does not support SQL or any other query language. There is zero chance of SQL or script injection. Different tenants' databases are stored in separate physical files, ensuring zero chance of application-level sharing exploits from other accounts.
Periodic Security Scan: We work with major service providers to run periodic security scans on all possible weaknesses to ensure your data safety.
Regular Security Updates: Our system administrators monitor security updates very closely and apply patches to deflect zero-day attacks.
Data Access Control: Nobody, including system administrators at Ragic, can access your data without your permission. When providing technical support, we can only see your database design, but not your data by default.
No Database Management Interface: Unlike most other databases, there is no interface to manage databases or play around with your data. Without such a feature, your data is safe from any unauthorized access via database consoles or any management interfaces.
Complete Access Log: All data access is logged and special events are reviewed regularly.
System Wide Backups: All Ragic servers are fully backed up on a daily basis to ensure service can be quickly recovered in case of any problem.
Account Database Backups: For professional plans and above, accounts have their own individual full daily, weekly, and bi-weekly database backups to a different location on a service by a different provider to ensure that you can restore your data in any situation. We also allow you to manually back up, take snapshots of, or restore your account database from a backup yourself.
Manual Backups: Ragic also allows users to manually back up and download their data to manage their backups themselves.
You can host Ragic on your own servers if necessary, provided that your organization has the ability to maintain its own servers. For more information please click here.
With Ragic's backup and restore feature, you can move your hosted account to your on-premise server any time, or move your on-premise account to hosted accounts.
We strongly recommend that companies only use on-premise servers if they have an experienced IT crew who understand how to maintain a server and keep it safe and secure.