AngelTrack is a SaaS product that uses a Shared Responsibility Model, in which the responsibilities for IT reliability and security are shared between AngelTrack, its datacenter (Rackspace), and the Customer.
This document summarizes the many details given in the AngelTrack Security Guide, so that all parties can know their responsibilities.
Responsibilities of AngelTrack LLC
Backups per our published backup schedule (in the aforementioned security guide)
Backup offsiting
All servers and firewalls deployed in high-availability [HA] configurations
Prompt patching of all servers, application stacks, and firewalls
Live monitoring and alerting of 35 different measures of application health
Live monitoring and alerting of aggregate (cluster-level) attacks such as denial of service, password-cracking, and exfiltrations
Outbound whitelist on firewalls
Virus-scan of all AngelTrack servers
Virus-scan of files uploaded by users (excluding simple images)
Server-side ransomware detection and recovery
Provision of user password security features, e.g. 2FA
Monitoring of CVEs affecting AngelTrack's tech stack
Permanent deletion of data at the end of its defined lifetime
Responsibilities of Rackspace Corporation
Physical access control of server and networking hardware
Networking redundancy and health monitoring
Hardware health monitoring, alerting, and prompt intervention
Power resilience and redundancy
DDoS defense
Responsibilities of the Customer
Outbound whitelist on customer premise firewalls
Endpoint security including anti-virus, whole-disk encryption, and the restriction of Administrator-level accounts
Prompt patching of all operating systems and installed applications (AngelTrack itself does not require patching, but web browsers do)
Power resilience, i.e. UPS devices, and a standby generator for the dispatch office
Network redundancy, i.e. a secondary internet connection, even if it is just tethering
Lockdown of all computers and mobile devices
Remote wipe of lost mobile devices
Physical security of company premises, especially the dispatch and billing offices
Paper document destruction
Endpoint ransomware protection, e.g. OneDrive
2FA on all SaaS accounts, especially Microsoft 365 including OneDrive, and any high-access accounts in AngelTrack
Proactive management of employees' AngelTrack accounts with a goal of minimum necessary access
Employee training for internet security and hygiene
Review and deployment of AngelTrack's advanced security features, including 2FA, Fort Knox mode, IP whitelist, and provisional access
HIPAA compliance
Employee training for HIPAA compliance
PCI compliance (if you process credit card payments over the telephone)
Employee training for PCI compliance (if applicable)
Export and archival of data before its defined lifetime is reached
Monitoring of exfiltration alerts sent by AngelTrack
Forensics of any exfiltration that targeted just one AngelTrack customer, e.g. by a rogue employee