Security Frequently Asked Questions

Here are the answers to some frequently asked questions about the security of Rezoomo: its data, its servers and its technology.

Written by Support Team
Updated over a week ago

Q: Is there a documented procedure/frequency for applying OS updates and security patches?

A: Yes. Security patching is applied once per month, except in the case of zero-day exploits. Patches are first applied to a snapshot of the main server and tested.


Q: Is there a VPN configured for company purposes? How is this used? How is access managed/retired?

A: Yes. Only developers working on the project are allowed access to the server.
Access is revoked once a developer is no longer working on the project or leaves the company.


Q: How is source code managed?

A: Through SVN. (Our developers may need to elaborate more on this.)


Q: Are there credentials committed to source code repository? If not, how are credentials (e.g. db connection strings, API access etc.) managed/stored/retrieved?

A: No credentials are committed to the source code repository. Access to the database is provided through data source connectivity; unlike WordPress, no DB credentials are stored anywhere in the source code.


Q: What encryption is used in transit (website) and at rest (database, flat files)?

A: AES 256. The entire application sits on our own Virtual Private Cloud, made up of two subnets. One is a public subnet for the web/application tier, with only ports 80 and 443 open to the world.

The other is a private subnet, accessible only from the public subnet. It is not possible to reach the private subnet from the Internet, not even for us.


Q: Has Penetration testing been carried out on the application?

A: Penetration testing has been carried out on the content management system (by colleges, hospitals, etc.), but not on Rezoomo itself.


Q: Does user information ever get output to log files?

A: No user data is output to log files.


Q: What's the retention policy on log files?

A: 1 year.


Q: How often is the CMS updated/security patched? Is there a documented process?

A: Once per month.


Q: Is there a procedure in place to monitor ColdFusion for patch/security updates that need to be rolled out? What is that procedure?

A: The moment ColdFusion patches are released by Adobe, our sysadmin team is alerted by email.

We have procedures in place for rolling out these patches; what needs to be updated depends on the patch being rolled out.

Sometimes patches are straightforward; other times the web server connector between IIS (web) and ColdFusion (application server) also needs to be upgraded.

Q: In what state are user passwords stored in the database?

A: Currently user passwords are stored as MD5 hashes, but we are in the process of moving this to salted SHA-256 hashes. This is to strengthen encryption.

We have a procedure for constructing the encryption keys that does not require them to be saved anywhere.
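As an added example (not Rezoomo's code; Python with constructed sample data), one way to carry out the MD5 to salted SHA-256 migration described above without a bulk re-hash: a legacy MD5 record is verified on login and, on success, rewritten in place with a fresh random salt, so unsalted hashes disappear as users sign in. Function and field names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: one legacy record hashed with unsalted MD5,
# matching the current state the FAQ describes. Field names are assumptions.
def make_legacy_store() -> dict:
    return {
        "alice": {"scheme": "md5",
                  "hash": hashlib.md5(b"correct horse").hexdigest()},
    }

def salted_sha256(password: str, salt: bytes) -> str:
    """Target scheme from the FAQ: hex(SHA256(salt || password))."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def verify_and_upgrade(store: dict, username: str, password: str) -> bool:
    """Check a login. On a successful legacy (MD5) match, rewrite the record
    as salted SHA-256 so the unsalted hash no longer exists in the store."""
    rec = store.get(username)
    if rec is None:
        return False
    if rec["scheme"] == "md5":
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
        # constant-time comparison avoids leaking match position via timing
        if not hmac.compare_digest(candidate, rec["hash"]):
            return False
        salt = secrets.token_bytes(16)          # fresh per-user random salt
        store[username] = {"scheme": "sha256",
                           "salt": salt.hex(),
                           "hash": salted_sha256(password, salt)}
        return True
    if rec["scheme"] == "sha256":
        salt = bytes.fromhex(rec["salt"])
        return hmac.compare_digest(salted_sha256(password, salt), rec["hash"])
    return False  # unknown scheme: fail closed

def legacy_count(store: dict) -> int:
    """Records still carrying an unsalted MD5 hash (migration progress metric)."""
    return sum(1 for r in store.values() if r["scheme"] == "md5")

if __name__ == "__main__":
    users = make_legacy_store()
    verify_and_upgrade(users, "alice", "correct horse")
    print(users["alice"]["scheme"], legacy_count(users))  # sha256 0
```

Tracking `legacy_count` over time shows how far the migration has progressed; accounts that never log in again keep their MD5 hash until handled separately (for example by forcing a reset).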


Q: How is client data segmented - (e.g. does each employer get their own database instance or are all employers' data managed in the same db)?

A: Currently all client data is stored in one database instance.


Q: Flat file storage, e.g. CVs. How are they stored (e.g. S3)?

A: Currently CVs are stored on the server, but the long-term goal is to move these to Amazon S3.
