Security & Privacy

We take the security of our systems and customer data seriously. Our security program is designed to protect data confidentiality, integrity, and availability through industry best practices, technical controls, and ongoing risk management.

roofDRP’s Security and Privacy teams define and maintain security policies and controls, monitor adherence to those controls, and demonstrate our security and compliance posture to independent third-party auditors.

Our policies are based on the following foundational principles:

Security controls are implemented in multiple layers in accordance with the principle of defense in depth.

Security controls are applied consistently across all areas of the enterprise.

Security controls are implemented iteratively and continuously mature to improve effectiveness, enhance auditability, and reduce operational friction.

Access is granted only to individuals with a legitimate business need and is restricted in accordance with the principle of least privilege.

Data protection

All data transmitted between clients, applications, and AWS services is encrypted using industry-standard Transport Layer Security (TLS) protocols. We enforce TLS 1.2 and TLS 1.3 to protect data from interception, tampering, or unauthorized access while in transit.
Data stored in Amazon S3 is encrypted at rest using server-side encryption via SSE-S3. This encryption is applied using AES-256, with encryption keys securely managed, protected, and continuously rotated.
Encryption keys are managed using AWS Key Management Service (KMS). Key material is stored in hardware security modules (HSMs), which prevent direct access by any individuals, including cloud provider personnel. Encryption and decryption operations are performed through KMS APIs.