Frequently Asked Questions About Security at Recorded Future

We highly recommend using CyberGRX's self-service option for all information requests and security questionnaires to manage security risks better. CyberGRX is a trusted security risk management platform with a cloud-based questionnaire tool that enables organizations to assess and mitigate risks with vendors and third-party suppliers.

Recorded Future uses a combination of encryption, highly trained staff, and technical safeguards to protect data entrusted to us. Recorded Future’s information security program includes measures such as:

• Encrypted and hashed passwords
• Active DDoS mitigation
• Automated account lockouts
• Extensive facility access controls
• Multi-factor authentication
• Comprehensive threat intelligence program
• Automated security scans of our systems
• Active penetration testing
• Extensive internal security awareness program and training for employees
• Recorded Future Vulnerability Reporting Program

Resource: Information Security Management System – ISO/IEC 27001:2013 Expires: Certificate Number: 2019 - 082101 Expires: 20 July 2025

Recorded Future partners with experts and legal counsel in over twenty different countries and is annually audited against ISO 27701 to ensure we understand our compliance obligations and stay abreast of the latest regulations.

Recorded Future publishes and strictly adheres to a privacy policy aimed at protecting all parties that interact with our service. Our Privacy Policy explicitly details the information we may collect and how Recorded Future will use that information.

While no measures can ever guarantee absolute security, Recorded Future takes commercially reasonable and appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure, or destruction of data.

These include internal reviews of our data collection, storage, and processing practices, and security measures, as well as physical security measures to guard against unauthorized access.

Recorded Future fully recognizes the sensitive nature of the data that we handle, and that is why we’re committed to safeguarding all information we store from any unauthorized access.

Customer Data stored by Recorded Future is primarily located in data centers secured by AWS, which offers unparalleled physical and information security. These servers are housed separately from Recorded Future’s corporate offices and are distributed globally.

Recorded Future operates a ‘least privileged access’ approach to all infrastructure and data across our operations. This is determined by our internal access policies and associated provisioning processes, which is audited no less than annually. These processes are SOC 2 Type 2, ISO 27001, and 27701 certified and are strictly tied to the needs of the job role.

Our robust infrastructure security systems are supplemented by extensive logging and auditing protocols to prevent any instance of improper access by either internal or external parties. These policies and systems ensure that only those employees with a valid business purpose and specific permission have the ability to access sensitive data. Not only are all employees subject to mandatory screening, but these actions are also extensively logged and audited to ensure policy compliance.

For access to our production infrastructure, we have role-based access enforced by hardware token-based authentication and limited administrative access that is regularly reviewed.

Recorded Future uses a variety of security measures to protect Customer Data, including encryption.

• Data at rest: Recorded Future encrypts Customer Data at rest using Advanced Encryption Standard (AES) 256-bit encryption.
• Data in transit: Recorded Future encrypts data in transit using Transport Layer Security (TLS) 1.2.
• Access controls: Recorded Future uses access controls to restrict who can access Customer Data. Only authorized personnel have access to Customer Data for specific purposes.
• Key Management Infrastructure: The encryption method and Key Management Infrastructure are under the control of Recorded Future. Customer Data is encrypted before being inserted into the database, and the databases are stored on encrypted Elastic Block Store (EBS) volumes.

Recorded Future software development life cycle is ISO 27001, 9001, and NIST 800-200 certified. We make extensive use of the Recorded Future Platform to track and prioritize vulnerabilities that may impact our technical infrastructure (via our Vulnerability Intelligence Module); identify threat actors and their TTPs (via our SecOps and Threat Intelligence Module); identify potential compromises (Brand and Identity Intelligence Modules); and monitor both our attack-surface (Attack Surface Intelligence) and the security of our third parties (Third-Party Intelligence Module).

Recorded Future runs a number of scans on its environment to identify potential issues, including static and dynamic application security testing (SAST and DAST) and external vulnerability scanning.

A Configuration Management System is used, which allows our teams to comprehensively patch vulnerabilities across our entire cloud infrastructure promptly and comprehensively. Plus, Recorded Future utilizes a web application firewall service to look for and block traffic that would appear to be exploiting vulnerabilities. This service includes active denial-of-service mitigation measures.

Recorded Future uses exclusively top-tier third-party hosting providers to ensure availability and regularly backs-up data at these geographically distributed facilities to ensure minimum disruption.

Recorded Future has a robust Bug Bounty Program externally managed by HackerOne to leverage its massive community. This is supplemented by an extensive penetration testing program whereby external experts (no less than annually) identify potential vulnerabilities for remediation.

Our robust infrastructure security systems are supplemented by extensive logging and auditing protocols to prevent any instance of improper access by either internal or external parties. These policies and systems ensure that only those employees with a valid business purpose and specific permission have the ability to access sensitive or customer-provided data. Not only are all employees subject to mandatory screening, but these actions are also extensively logged and audited to ensure policy compliance.

Resources: Recorded Future has obtained several certifications, including SOC 2 Type 2, ISO 27001, ISO 27701, and ISO 9001 compliance. You can access - Recorded Future's SOC 3 Report is available here.

Yes. Recorded Future is GDPR compliant and ISO 27701 certified.

Beyond financial information related to billing purposes which is securely kept, and user credentials to allow access to the Platform, Recorded Future stores the following Customer Data:

• Sandbox Submissions
• Saved Queries and Alerts
• User-Generated Analyst Notes
• Observed Correlations and Notes
• Reports
• Lists, including Watch Lists
• Information Collected via our free browser extension (Recorded Future Express)

Stored Customer Data is either deleted or rendered unattributable after a subscription is terminated.

As detailed in the Recorded Future Privacy Policy, Recorded Future does not share Customer Data with any other unaffiliated company, organization, or individuals except as required in the following situations:

• Satisfy a valid law enforcement request or as required by law
• Enforce applicable Terms of Service, Terms of Use, or other contractual obligations
• Investigate a security and/or safety incident
• In case of emergency, to protect the property, safety, security, and rights of Recorded Future, its users, or the general public

Plus, any request that is received is extensively reviewed to ensure compliance with all applicable laws, and it is Recorded Future’s policy to respond as narrowly as possible to best protect our customers’ privacy.

Recorded Future supports SSO integration with standards-compliant OpenID Connect, SAML v2.0, and OAuth (via Google) Identity Provider technologies. The following Identity Provider technologies have been validated and can generally be provisioned within the same working day:

• Okta - OpenID (OIDC)/SAML 2.0
• Duo - OpenID (OIDC)/SAML 2.0
• Google GSuite - Google OAuth
• RSA Cloud Security - SAML 2.0
• Microsoft Azure - OpenID (OIDC)/SAML 2.0
• Microsoft ADSF - SAML 2.0
• Ping Identity - OpenID (OIDC)/SAML 2.0

For other standards-compliant Identity Provider technologies, provisioning may take longer and require additional technical clarification with your SSO client point of contact. Please email support@recordedfuture.com for information.

Yes, Recorded Future adheres to secure coding guidelines (including OWASP Secure Coding Practices), and is certified to NIST’s Secure Software Development Framework” (SSDF) (NIST SP 800-218) that address common software development vulnerabilities.

Recorded Future maintains a vulnerability reporting program that can be found here. If you have discovered a vulnerability in our service, please contact us at [email protected] and visit this page for more information.

Resource: Recorded Future maintains a vulnerability reporting program that can be found here.

Generally, Recorded Future uses this data in one of two ways -

i) Recorded Future uses this data to provide our services to your organization, this includes everything from returning the query results to providing the search history feature and sending out Alerts as configured by users in your organization; and

ii) Recorded Future uses unattributed Customer Data to develop & improve our offerings. These improvements may include but are not limited to providing a signal to our teams regarding what type of data to improve, what research to pursue, insight into trends, data enrichment, and potential feature improvements.

Additionally, there may be incidents that require access to this data in the event that there is a valid legal request, investigation of a security, safety, or related issue, or enforcement of the Terms of Use.

Resource: Please view Recorded Future's Privacy Policy for more information.

All Customer Data stored by Recorded Future is primarily located in data centers secured by Amazon Web Services (AWS), which offers unparalleled physical and information security. These servers are housed separately from Recorded Future’s corporate offices and are distributed globally.

AWS has been certified to meet the following standards: SOC 3; PCI DSS Level 1; ITAR; FIPS 140-2; ISO 27001; ISO 27017; ISO 27018; ISO 9001. More information on AWS security processes can be found here. As an additional security measure, AWS servers hosting Recorded Future customer data can only be accessed via a two-factor secured VPN.