Data Security at Remix

Cities and mobility providers trust Remix with their transportation-related data. We are serious about keeping data secure. This page details how we protect our platform, the data it stores, and the people that depend upon it.

Platform

We incorporate security principles into every aspect of our technology platform.

People

Everyone at Remix is trained on our security practices and is committed to security excellence.

Process

We have processes in place to ensure security is designed into our software and the way we operate.

Platform

Application and Data Center Security
All of the application infrastructure for Remix is managed by Amazon Web Services (AWS) and Heroku, a subsidiary of Salesforce. All data is stored in certified data centers managed by Amazon, which implement industry-leading physical, technical, and operational security measures and have received ISO 27001 certification and Federal Information Security Management Act (FISMA) Moderate Authorization; Accreditation from the U.S. General Services Administration and is SOC compliant.

More on Amazon Web Services compliance and security.
More on Heroku’s security policy.
Data Isolation
Sensitive data is ingested, processed, and stored in an isolated, secured environment in AWS, referred to as a partner data account. Aggregation is done within the partner data account, and only the aggregated data leaves it. The isolated account requires additional steps for developers to access, including a written approval process and specialized training.
Network Security Monitoring
Our cloud providers and centralized logging and alerting system provides intrusion detection capabilities that alert us of suspicious and malicious behavior. The feeds include information from network events, internal-system events, and vulnerability / threat intelligence feeds.
Secure Data Transfer
Our APIs and web front-ends are all configured to use the latest TLS version with a valid, signed, domain-specific certificate and a strong set of cryptographic protocols. Our encrypted-by-default philosophy also means that we don't support fall-back to unencrypted communications (e.g. https -> http).
Data Classification
We classify data according to type and sensitivity and use that classification to define which systems are authorized to access and store different types of data. The data sensitivity is used in the risk assessment process to determine the appropriate level of security controls. Backup and retention of data is defined as part of this process.
Database Access Controls
Direct access to databases and backups is limited to Remix developers. Access to sensitive data is limited strictly to people who need it to do their jobs. We review access periodically and offboard people who no longer need access. Each developer has unique credentials and 2 factor authentication is enforced. These databases are only accessible through a Remix controlled Virtual Private Cloud (VPC).
Storage Security
Remix uses AWS and Heroku to store customer data and documents. Amazon AWS is controlled through Access Control Lists (ACLs) and query string authentication.

More on Heroku security.

People

Role-Based Access Control
Remix employs role-based access controls to servers containing application data. Authorized employees must use individual account and authentication credentials to gain access. Remix controls access to servers and data stores through authentication handled with key-based SSH sessions. We operate on the Principle of Least Privilege, which means access to a system is only granted if absolutely required to serve a legitimate business need. Our employees only have access to data and systems they need to do their job.

Remix requires security awareness training for all employees. Remix will ensure that only authorized personnel log in and that access is removed in timely fashion.
Code Access
The Remix codebase is stored in GitHub and requires multi-factor authentication and team-based authorization to view or edit. All changes to the codebase are logged with the name of the person making the change, the time, and precisely which lines of code changed. All changes to code running on production servers is peer-reviewed with specific attention paid to security prior to being deployed. An audit trail is kept for all changes to code running in production.
Individual Computers
All individual computers are password protected and the hard drives are encrypted.
User Authentication
Remix users must authenticate with an email and password. Password are only stored as one-way cryptographic hashes, and never in plain text.
Personnel Security
Remix has formalized hiring policies and procedures, performance management, and termination practices. Access to company systems is removed as soon as possible once it is no longer needed. Remix conducts comprehensive pre-hire background checks.

Process

Application Development Security
Our developers review secure coding standards applicable to the environments, languages, and platforms they're working in. These standards include ensuring access control of data, sanitizing input / output values, and logging violations that could indicate an attack or vulnerability.
Data Retention
Data we receive from cities belongs to them, not us, and Remix deletes all customer data when a partnership ends.
Credentials Management
We use AWS Secrets Manager and AWS Parameter Store  for storing and managing all secrets in the partner data account. Secrets are automatically rotated on a regular schedule. All secrets are encrypted-at-rest, using signing keys managed through AWS Key Management Service, and encrypted-in-transit via TLS secured connections. Access to specific secrets is restricted to the services which need access, and the developers who maintain those services.
Vulnerability Assessments
Remix brings in an external team to test our security. Assessments are based on current attack trends and verification of best practices (e.g. OWASP Top 10). Findings are reviewed and remediated by our technical teams.
Auditing
All actions taken by a user or a service (using a role) are logged and reported automatically to AWS CloudTrail.