Security

Last updated February 7, 2024

Overview

Retriever is committed to maintaining the highest standards of security to protect the confidentiality, integrity, and availability of our clients' data and systems. As part of this commitment, we have undergone a rigorous assessment and obtained SOC II Type 2 certification.

The SOC II Type 2 certification validates that our security controls and processes meet the stringent criteria set forth by the American Institute of Certified Public Accountants (AICPA). This certification demonstrates our dedication to maintaining a secure environment for our clients' sensitive information.

To request a copy of our SOC II Type 2 Report, send an email to [email protected].

Customer data & management

Safeguarding customer data is Retriever’s top priority. Retriever does not sell, trade, rent, or otherwise exchange any customer data in its possession, except with select vendors solely for the purpose of providing its services (e.g. fulfilling device return orders). Retriever closely follows data minimization and data limitation principles, collecting only the customer data needed to provide its services (and no more) and using that data for the express purpose of providing its services.

Retriever limits access to customer data through the following mechanisms:

  • Ensures that only authorized personnel who need to access customer data to perform specific tasks have access to such data;

  • Implements data processing pipelines such that a minimal number of personnel have access to customer data to perform their duties and such that the scope of customer data available to personnel is limited to the subset of data necessary to perform specific tasks;

  • Requires strong, random passwords and two-factor authentication for all personnel accounts; and

  • Restricts access to the production environment based on business need.

Vendor management

Retriever ensures that its software and cloud vendors are compliant with and/or certified to ISO 27001 and SOC II Type 2 or Type 3 (where relevant). Retriever also ensures that its vendors support (and, where relevant, allow mandating) two-factor authentication. Finally, Retriever ensures that its vendors have a history of protecting the privacy and security of their accounts and data.

Security & environmental controls

Retriever prevents unauthorized access to customer data through the following measures:

  • Requires full disk encryption and auto-lock on all company devices where customer data may be accessed;

  • Implements and maintains protocols to evaluate and apply security patches to any systems or applications where customer data may be processed or stored;

  • Assesses and addresses security vulnerabilities in a timely fashion;

  • Monitors privileged access to systems and applications where customer data may be processed or stored, and maintains audit trails and logs for those systems; and

  • Operates on Heroku and Amazon Web Services (“AWS”), leveraging their industry-leading security and environmental controls. Customer data stored within Heroku or AWS is always encrypted, and they do not have access to unencrypted data.

Encryption

Retriever uses industry-standard encryption to store and protect customer data. Data is always encrypted in transit and at rest using strong encryption measures (including 256-bit AES). Retriever does not allow any copies of customer data to leave its cloud production database or associated encrypted backups.

Incident response

In the event that Retriever becomes aware of unauthorized access to customer data, Retriever will act promptly and reasonably to mitigate the effects of the breach and to prevent further unauthorized access.

Within 48 hours of discovering a breach, Retriever will notify affected customers via email and share the following information:

  • A description of the breach, including a relevant timeline (with the date of the breach, if known, and the date of discovery);

  • The scope of the breach, including the extent to which customer data is believed to have been accessed or used during the breach; and

  • A description of Retriever’s response and mitigation measures.

Responsible disclosure

If you believe that you have discovered a vulnerability in Retriever services or systems, please contact us at [email protected] at your earliest convenience. We will acknowledge your inquiry as soon as practicable, typically within 72 hours of receipt. Please provide us a reasonable amount of time to investigate, mitigate, and resolve the issue before disclosing it publicly. Note that we aim to resolve critical issues within 30 days of disclosure.

We kindly ask that you make a good faith effort to avoid interrupting, degrading, or otherwise diminishing Retriever services and systems. Please use only the accounts that you are authorized to access.

We appreciate your help keeping Retriever and its users safe!

Business continuity management

Retriever maintains reasonable and appropriate business continuity and disaster recovery plans, and implements safeguards to ensure failover redundancy for its systems and data.

Privacy Notice

The Retriever Privacy Notice can be found here.

Contact

Please contact Retriever at [email protected] if you have any questions about this information.