Rightworks Security Policy

Rightworks Cloud security is designed to meet the strict security and privacy standards that the accounting industry must adhere to – for today and beyond. With the ever-changing security risks that are present when transacting business online, it’s understandable if you have concerns about keeping your data safe. Because your firm has chosen Rightworks products and services to serve your technology hosting needs, you can be assured that your software and data are in one of the most secure locations available: the Quality Technology Services SOC-audited Data Center.

Comprised of facilities totaling more than 376,000 square feet, it is one of the most advanced and secure data centers in the world. Every precaution is taken to guarantee the safety of your data. Equipment and facilities are protected against fire, natural disasters, power failures, and other unexpected scenarios. Quality Technology Services currently operates 11 data centers across the United States.

Data Security

  • Data moving over the Internet is encrypted using technology that complies with the Federal Information Processing Standard 140-2, Security Requirements for Cryptographic Modules.
  • Load-balancing devices and the security infrastructure provide address anonymity with built-in safeguards to prevent “Denial of Service” (DoS) attacks and ID spoofing.
  • Systems access is logged and tracked for auditing purposes.
  • Documented change-management procedures.

Infrastructure

  • Redundant electric power feeds are used from separate utility substations.
  • Diesel generators with more than 25 megawatts of power supply backup for the entire complex.
  • Internet access is obtained from multiple providers using multiple secure entrances into the building and fiber access to primary carriers.
  • The data center footprint is 376,000 sq. ft. of total enclosed space, with 168,000 square feet of 48” raised floors that accommodate cable management and uniform cooling distribution.
  • Advanced fire control systems enable the detection of heat and smoke. Fire suppression, using current and approved fire suppression systems, operates both above and below the raised flooring.
  • Multiple layers of dedicated firewall and VPN services to block unauthorized system access.
  • Very Early Smoke Detection Apparatus provides the earliest possible warning of a potential fire event by detecting smoke particles at the incipient (first) stage of fire.

Security

  • 24/7/365 internal security monitoring is maintained by onsite personnel via camera surveillance at all entry points.
  • Card-key and biometric entry systems admit only authorized personnel, and entry is continuously logged and monitored.
  • Multi-zoned, multi-level keycard access controls and monitors all access into the data center and internal areas.
  • Picture ID is required for entrance into all buildings.

Data Privacy

  • All data is treated as strictly confidential.
  • Access to your information is limited to those employees with a business requirement for accessing such information.
  • Secure media handling and destruction procedures for all customer data.

In addition, your customer information will never be discussed with third parties without your permission.

As technology continues to advance, you can be sure that the Rightworks data center has in place the most up-to-date safeguards possible to keep your personal and business financial information confidential and secure. We value your trust in our commitment to keep your data safe. You can be confident that the SOC Rightworks Data Center will deliver.

Complementary Client Entity Controls

Rightworks’ information technology control system was designed with the assumption that certain controls will be implemented by user entities. In certain situations, the application of specific controls at user entities is necessary to achieve certain control objectives. This section describes additional controls that should be in operation at user entities to complement the controls within Rightworks’ description of its information technology general control system. Each user entity must evaluate its own internal control structure to determine if the identified complementary user entity controls are relevant and/or have been placed in operation. This list of user entity controls should not be regarded as a comprehensive list of all controls which should be employed by user entities. There may be additional controls not identified in this report that would be appropriate for the processing of user transactions. Complementary user entity controls that should be considered by user entities and their independent auditors include those listed below:

  • Controls should be established to provide reasonable assurance that business process and application controls are designed and operating effectively to ensure that the user organization's transactions are complete, accurate, and valid, and that access is appropriately restricted.
  • The user entity should read, acknowledge, and be familiar with all contracts and their respective terms and conditions, and the services offered to users.
  • The user entity should report material changes to their overall control environment that may adversely affect services being performed by Rightworks, in a timely manner. The entity must notify Rightworks immediately if a user with Rightworks Cloud administrative rights is leaving the firm.
  • The user entity should implement, monitor and maintain controls to protect the confidentiality, privacy, integrity, availability, and security of its data in alignment with the user entity’s risk tolerance.
  • The user entity should implement, monitor and maintain controls to protect the security and exercise of its users’ Rightworks Cloud access accounts and passwords. The entity’s users are required to answer security questions when requesting that a Rightworks consultant reset a password or provide access to a locked account.
  • The user entity should implement, monitor and maintain controls to protect the security and exercise of its Rightworks Cloud administrative access provided to the entity by Rightworks. Administrative access to entity Rightworks Cloud accounts must be explicitly requested by an entity principal for those users requiring such access.
  • The user entity is responsible for appropriate Internet connectivity for accessing the Rightworks Cloud network resources. Handling connectivity service problems or insufficient bandwidth is the responsibility of the entity.

Unacceptable Use

The following activities constitute unacceptable use of the Rightworks Cloud network and are prohibited.

  • Attempting to tamper with or evade access controls in order to gain greater access than assigned.
  • Attempting to hack, capture, or otherwise obtain passwords, encryption keys, or any other access control mechanism that could permit unauthorized access to any Rightworks Cloud Resource.
  • Intentionally damaging or degrading the performance of any Rightworks Cloud Resource, depriving authorized Rightworks personnel of access to a Rightworks Cloud Resource, obtaining extra resources beyond those allocated, or circumventing Rightworks security measures.
  • Attempting to compromise, bypass, or test any Rightworks Cloud security mechanism.
  • Scanning the Rightworks Cloud network for vulnerabilities.