All data is encrypted in flight using industry-standard encryption with AES-256. Romulus enforces HTTP Strict Transport Security (HSTS). We automatically redirect all insecure requests before they reach our application servers.
Whenever possible, communications are further protected with Perfect Forward Secrecy. These stronger cipher suites use ephemeral session keys to prevent data from being decoded, even in the event of a secret key breach.
To further protect users, the Romulus root domain has been added to the source of Chrome and Firefox to ensure that these browsers never open connections over non-SSL HTTP.
Public resources are edge-cached, leveraging best-of-breed Content Delivery Networks (CDNs) to mitigate Distributed Denial of Service (DDoS) attacks.
All Romulus services are hosted on FedRAMP-certified infrastructure. Data centers are staffed 24x7 by trained security guards. Access is authorized strictly on a least-privilege basis.
Infrastructure changes are fully audited, including granular reports of any changes as well as the user who made those changes.
Romulus exposes only one public IP address. Additional back-end services reside inside our Virtual Private Cloud (VPC) on a private subnet.
Databases are regularly backed up, and backups are fully encrypted.
Our baseline policy is to authorize access strictly on a need-to-know and least-privilege basis.
All employee machines are password-protected and their hard drives are encrypted. Access to internal applications requires multi-factor authentication. Government customers can implement fine-grained access control policies at the organization or individual level.
Login credentials and personally identifiable information (PII) are always SSL-encrypted in flight and filtered from application and server logs.
All generated documents (such as PDFs) require login and appropriate privileges to read.