Security Policy

Remy.Co Security Statement

Thinkwise Technology, Inc. is committed to providing secure products to our customers. We value the confidentiality, integrity and availability of all protected health and personally identifiable information (e.g. PHI, PII) in accordance with all applicable federal and state privacy and security laws, including the Health Insurance Portability and Accountability Act. Thinkwise has implemented administrative, technical and physical safeguards to reasonably protect against security incidents or privacy breaches involving a Thinkwise product.

Thinkwise Technologies is committed to building products that are secure by design, in use, and through partnership. Across Thinkwise we continuously strive to improve security and privacy through the product lifecycle using the following practices where appropriate:

  • Privacy and Security by Design
  • Product and Supplier Risk Assessment
  • Vulnerability and Patch Management
  • Secure Coding Practices and Analysis
  • Vulnerability Scanning and Third-Party Testing
  • Access Control to Customer Data
  • Incident Response

  1. Network and server security

    • Network infrastructure is segregated into levels of information classification with strict routing, firewalling, and access control links that separate each privilege level.
    • Network infrastructure undergoes regular internal penetration testing audits that are augmented by semi-regular third-party audits.
    • Our information security team performs regular software updates throughout the Thinkwise infrastructure to remain up-to-date on software security patches.
    • Card numbers, mag-stripe data, and security codes are handled in accordance with PCI DSS requirements.
  2. Software and web application security

    • Web APIs and web pages are secured with High Assurance SSL certificates that support encryption algorithms with key lengths up to 256 bits and prohibit any key lengths shorter than 128 bits.
    • Thinkwise cloud infrastructure employs Multi-Factor Authentication for management operations.
    • Industry-standard (symmetric and asymmetric) encryption algorithms with appropriately sized keys are used to protect sensitive customer information.
    • Thinkwise applications undergo regular internal source code audits. Internal audits are augmented by semi-regular third-party audits.
    • Standards and leading practices identified by independent security organizations (e.g., OWASP) are integrated into all Thinkwise code creation processes.
  3. Data retention and disaster recovery

    • Data is aggressively archived and Thinkwise performs regular offsite backups to ensure redundancy.
    • Thinkwise services are designed to tolerate failures in supporting infrastructure while maintaining continuity of operations; we place a high priority on redundancy and ensuring maximum availability of our services.
    • Thinkwise follows industry standard incident response procedures with a dedicated incident response team.
  4. Organizational security

    • Prospective employees undergo security screenings during the hiring process.
    • Thinkwise employees undergo security operations training.
    • Thinkwise employees use encrypted storage, encrypted chat (and voice), encrypted tunnels (VPN and SSH), and encrypted email for sensitive internal communications and operations.
    • Thinkwise maintains detailed application-level and system-level logs.
  5. Security research and disclosure process

    Thinkwise understands the devotion and effort that security work requires. As such, we encourage (and reward) the responsible disclosure of any vulnerabilities to us. Responsible disclosure means:

    • Openly share the full details of any vulnerabilities with us.
    • Do not announce or share the details of any vulnerabilities in any way with the public or other parties.
    • Do not exploit the vulnerability except for purposes of demonstrating it to Thinkwise personnel. Please contact security@remy.co if you are unsure of exploitability and we will work with you to verify it safely.
    • Do not use the vulnerability to access, modify, harm, or otherwise alter any Thinkwise (or its customers') data.

    Vulnerabilities that are "responsibly disclosed" according to the above process are welcomed. Thinkwise will not seek to bring legal action against any person who adheres to this process of responsible disclosure. Additionally, severe vulnerabilities are eligible for a vulnerability reward.

    You may also contact us with any security concerns or security suggestions at security@remy.co.