Frequently Asked Questions About Security at Recorded Future

Review frequently asked questions about GRC here.

How does Recorded Future keep my data secure?

Recorded Future uses a combination of encryption, highly trained staff, and technical safeguards to protect our customers’ data.

Recorded Future’s information security program includes measures such as:

  • Encrypted and hashed passwords
  • Active DDoS mitigation
  • Automated account lockouts
  • Extensive facility access controls
  • Multi-factor authentication
  • Comprehensive threat intelligence program
  • Automated security scans of our systems
  • Active penetration testing
  • Extensive internal security awareness program and training for employees
  • Recorded Future Vulnerability Reporting Program

Lastly, Recorded Future has a dedicated product security team that scours our service for potential vulnerabilities, and helps our engineers ship secure code. Our team uses Recorded Future to automatically collect and analyze data from open, technical, and dark web sources to provide the latest information on direct and emerging threats that may impact our company.

How does Recorded Future ensure my privacy?

Recorded Future publishes and strictly adheres to a privacy policy aimed at protecting all parties that interact with our service. Our Privacy Policy explicitly details the information we may collect about you, and how we will use that information.

Furthermore, Recorded Future strictly adheres to a data minimization policy by which logs are automatically deleted after 14 days (see Recorded Future’s privacy policy for more information).

Does Recorded Future encrypt customer data?

To ensure the security of customer data throughout its lifecycle, Recorded Future encrypts information both at rest and when it is in motion.

Data is stored with Advanced Encryption Standard (AES) 256-bit encryption when at rest.

How does Recorded Future prevent unauthorized access?

Recorded Future fully recognizes the sensitive nature of the data that we handle, and that is why we’re committed to safeguarding all information we store from any unauthorized access.

All customer data stored by Recorded Future is located in data centers secured by Amazon Web Services (AWS), which offers unparalleled physical and information security. These servers are housed separately from Recorded Future’s corporate offices, and are distributed globally.

AWS has been certified to meet the following standards: SOC 3; PCI DSS Level 1; ITAR; FIPS 140-2; ISO 27001; ISO 27017; ISO 27018; and ISO 9001. More information on AWS security processes can be found here. As an additional security measure, AWS servers hosting Recorded Future customer data can only be accessed via a two-factor secured VPN.

Recorded Future itself is certified to be SOC 2 Type 1, SOC 2 Type 2, ISO 27001 and ISO 9001 compliant – Recorded Future’s SOC 3 Report is available here.

Our robust infrastructure security systems are supplemented by extensive logging and auditing protocols to prevent any instance of improper access by either internal or external parties. These policies and systems ensure that only those employees with a valid business purpose and specific permission have the ability to access sensitive, or customer-provided, data. Not only are all employees subject to mandatory screening, but these actions are also extensively logged and audited to ensure policy compliance.

Is Recorded Future GDPR compliant?

Yes. Recorded Future is GDPR compliant and a member of the EU-U.S. Privacy Shield Framework.

What customer information does Recorded Future store?

Beyond customer financial information that is securely kept for billing purposes, and user passwords to allow access to the service, Recorded Future stores the following customer data:

  • Saved Queries
  • Observed Correlation and User-Generated Analyst Notes
  • Alerts
  • Reports
  • Lists, including Watch Lists
  • Information Collected via our free browser extension (Recorded Future Express)

Recorded Future encrypts and stores this data securely. Recorded Future logs certain user actions. Logs that contain user-provided query data are automatically deleted after 14 days, and all other customer data (including Analyst Notes) is deleted after a subscription is terminated. Moreover, as stated above, Recorded Future has an entire infrastructure in place to ensure that this data cannot be accessed by any unauthorized party.

How does Recorded Future respond to government or law enforcement requests for data?

As detailed in the Recorded Future privacy policy, Recorded Future does not share any personal data or logged information with any other company, organization, or individuals except as required in the following situations:

  • Satisfy a valid law enforcement request, or as required by law
  • Enforce applicable Terms of Service, Terms of Use, or other contractual obligations
  • In case of emergency, to protect the property, safety, security, and rights of Recorded Future, its users, or the general public

In addition, any request that is received is extensively reviewed to ensure compliance with all applicable laws, and it is Recorded Future’s policy to respond as narrowly as possible to best protect our customers’ privacy.

Does Recorded Future support single sign-on?

Yes, Recorded Future provides single sign-on (SSO) support from the following providers, and is in the process of expanding our service to include additional providers in the near future:

  • Google G-Suite

Does Recorded Future adhere to secure coding guidelines?

Yes, Recorded Future adheres to secure coding guidelines (including OWASP Secure Coding Practices) that address common software development vulnerabilities.

How can I report a security vulnerability to Recorded Future?

Recorded Future maintains a vulnerability reporting program that can be found here.

If you have discovered a vulnerability in our service, please contact us at [email protected] and visit this page for more information.