RPM Platform Frequently Asked Questions
Description
The RPM Telco, Cube Data Management System, Lighthouse HSE, and Quartz QMS solutions are all built on the RPM Platform (RPM), which is the proprietary software developed by RPM Software, a ScanSource company. RPM is web-based, delivered via a private cloud, and utilizes individual databases for each subscriber.
Where is RPM hosted?
RPM is hosted with Amazon AWS.
Compliance information: https://aws.amazon.com/compliance/programs/
Data center information: https://aws.amazon.com/compliance/data-center/
RPM Telco data and files are physically located only in the United States, AWS Oregon region.
Cube DMS, Lighthouse HSE, and Quartz QMS data and files are physically located only in Canada, AWS Canada Central (Montreal) region.
What is the RPM platform technology stack?
RPM uses a combination of Microsoft and open-source technology. The major components are:
Microsoft ASP.NET
Microsoft .NET Framework
Microsoft SQL Server
Microsoft Windows Server
Redis
RPM uses the C# and JavaScript programming languages.
What does the RPM environment look like?
We have multiple servers. Some are web servers that host the RPM application and some are database servers. The number of servers is adjusted based on our operational load.
Traffic is distributed among the web servers based on load and availability.
The database servers are in a private network accessible only by the web servers and through VPN.
File and email attachments are stored using an object storage service.
For security reasons, we do not share hardware details about our servers or the exact number of machines.
Users only interact with the web servers, never the database or file servers directly. For file attachment download we provide temporary pre-signed URLs to access specific files directly from the file storage.
What is your backup process?
Each of our multiple database servers keeps continual backups.
The backups are kept on each server for 7 days and copied to a separate storage service hourly where they are kept for 60 days.
A full database backup is done daily and kept in a separate storage service for 60 days.
The full backups and log backups are used together to restore a database.
That means:
An unexpected total loss of a database server would result in at most 1 hour of lost data during most of the day, or up to 2 hours if it happens during the 3 am to 5 am full backup.
We can restore a database to any minute in the last 8 weeks.
Do you use encryption?
All communication between users and RPM is encrypted in transit using TLS.
Database backups are encrypted at rest and in transit using AES 256.
Databases at rest are encrypted using AES 256.
What are some example software security practices?
We perform manual and automated regression testing, as well as manual testing, on every version of RPM we develop. We perform security testing on our live servers using OWASP ZAP.
RPM does not allow obsolete SSLv3 connections (requires TLS).
RPM does not store plain-text passwords.
RPM does not require the client to have Java or Flash.
Access to the production network by RPM Software employees is tightly controlled: employees can connect only over individual VPN connections and must use two-factor authentication.
Do you have policies for security notification, data access, etc.?
We have internal policies and processes for all aspects of operating RPM including such things as data access, change management, disaster recovery, account security, and security breach notification.
Do you have third-party audits?
SOC 1 Type 2 Report
A yearly security assessment including penetration testing.
Can we export our data?
Your live data is available as Excel downloads by users and through the API for automated backup or synchronization.
If ending a subscription or a large project, for an additional fee we can create a handoff data dump that includes process fields and file attachments. The process fields in the dump are in a SQL database format.
Transactional Emails
RPM uses SendGrid to send all notifications and other transactional emails like password resets. To ensure deliverability of email we have enabled both SPF and DKIM. We also have two static IP addresses that can be added to the safe sender list of a subscriber’s mail server to further ensure notifications are received.
Static IP addresses:
168.245.105.135
168.245.104.25
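For a subscriber's mail administrator, the following added example (not RPM's own code) shows one way to combine the three signals above on the receiving side: the connecting IP must be one of the two listed addresses, and the receiving server's own SPF and DKIM verdicts must both be "pass". Assumptions: the receiving server records its verdicts in an Authentication-Results header under its own identifier, the topmost Received header is the one that server wrote, and all host names and messages below are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string

# The two static sending addresses listed on this page.
RPM_SENDER_IPS = {ipaddress.ip_address(a) for a in ("168.245.105.135", "168.245.104.25")}

def auth_results(msg, authserv_id):
    """Collect {method: result} only from Authentication-Results headers our own server wrote."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        if parts[0].lower().split()[:1] != [authserv_id.lower()]:
            continue  # written by another host (possibly the sender): do not trust it
        for part in parts[1:]:
            m = re.match(r"([a-z0-9-]+)=([a-z]+)", part, re.I)
            if m:
                results[m.group(1).lower()] = m.group(2).lower()
    return results

def connecting_ip(msg):
    """IP in brackets in the topmost Received header (assumed to be added by our own MX)."""
    received = msg.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def check(raw, authserv_id):
    """Return each signal plus the overall decision for one raw message."""
    msg = message_from_string(raw)
    res = auth_results(msg, authserv_id)
    out = {"ip_listed": connecting_ip(msg) in RPM_SENDER_IPS,
           "spf": res.get("spf"), "dkim": res.get("dkim")}
    out["accept"] = out["ip_listed"] and out["spf"] == "pass" and out["dkim"] == "pass"
    return out

# Constructed sample messages; sender.example and mx.subscriber.example are placeholders.
GOOD = ("Received: from o1.sender.example (o1.sender.example [168.245.105.135])\n"
        "\tby mx.subscriber.example with ESMTPS; Mon, 01 Jan 2024 00:00:00 +0000\n"
        "Authentication-Results: mx.subscriber.example;\n"
        "\tspf=pass smtp.mailfrom=bounce.sender.example;\n"
        "\tdkim=pass header.d=sender.example\n"
        "From: notifications@sender.example\nSubject: Password reset\n\nbody\n")
SPOOF = ("Received: from mail.other.example (mail.other.example [203.0.113.9])\n"
         "\tby mx.subscriber.example with ESMTP; Mon, 01 Jan 2024 00:00:00 +0000\n"
         "Authentication-Results: mail.other.example; spf=pass; dkim=pass\n"
         "From: notifications@sender.example\nSubject: Password reset\n\nbody\n")
```

The second message carries an Authentication-Results header claiming "pass", but it was not written by the receiving server, so it is ignored and the message is not accepted.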