Here at Range we care deeply about the security of your data. From early in our company’s life, we have invested in technological and organizational controls to ensure your data is protected.
We also know that different organizations have different requirements and priorities. We want to work with you to learn about your IT and security needs, so that you can feel comfortable and secure using Range.
We are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. We have controls and policies that govern our employees’ access to production systems. Range employees are bound by these policies and we treat these issues as matters of the highest importance.
The operation of Range services requires that some employees have access to the systems which store and process Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audited policies in place to ensure that any access to Customer Data is logged.
Range has undergone a SOC2 Type II audit based on the criteria relevant to security, availability, and confidentiality in the AICPA 2017 Trust Services Criteria. A copy of the latest report is available for enterprise customers upon request under mutual NDA.
Range services are hosted on AWS, which maintains multiple certifications for its data centers. For more information about their certification and compliance, please visit the AWS Security website and AWS Compliance website.
We are committed to running a high-availability service. Our services are actively monitored and engineers are on-call 24/7 to respond to any unexpected events. Customer Data is backed up in multiple locations and stored for 30 days.
Incident reports will be shared with customers within 30 days, or as specified in the service agreement. To subscribe to incidents or see the current status of our services, please visit range.statuspage.io.
All Customer Data is encrypted both at rest and in transit.
Range services are reachable exclusively via HTTPS with TLS 1.2 or higher. Public traffic is terminated at a load balancer (an Amazon ALB) and forwarded to Range servers, also using HTTPS. Internal traffic is encrypted and transmitted via HTTP/2. We are careful to make sure no resources are loaded from plain HTTP sites. We have HSTS configured to one year. ALB certs are issued by AWS; backend certs are issued by COMODO.
Range servers and databases are hosted in an AWS VPC and are not publicly accessible. All servers are configured with two-factor authentication and all unnecessary ports are blocked by AWS Security Groups.
Access to the production VPC is restricted through a "Transit VPC" which in turn requires access via a VPN, a bastion host, and multi-factor authentication.
Our vulnerability management program includes automated scans of our production hosts. High-priority issues are patched the same day that they are discovered. All company laptops are actively managed and can be remote wiped; screen lockouts, full-disk encryption, and a firewall are required.
One of the goals of deploying Range at your organization is to provide increased visibility across the myriad of tools and software systems in use at your company. We integrate with project management tools, cloud file storage, ticket systems, source control systems, and calendars. Many of these systems inherently contain sensitive information.
Primarily, integrations are used to generate “suggestions” for users to add to their daily check-ins. These suggestions make it easier to share what work you are doing, such as the meetings you attended, the documents you edited, or the commits you pushed. We refer to these generically as “attachments”.
Our philosophy with respect to integrations is to request the minimum permissions possible, and to store only the data necessary to provide the functionality expected by our users.
Attachments are never automatically shared with other people. A user must first add the suggestion to their check-in, then they must publish their check-in. The act of publishing may expose attachments’ titles or descriptions, but will never implicitly affect the underlying access controls.
For detailed information on how each integration functions and the data we collect, please see the following addendums:
If you want more control over how suggestions are sent to Range, we maintain an incoming suggestions API. This API can be used by self-hosted agents to forward select information to Range. We can work with you on building and deploying these agents.
Other common questions
What third party services do you use? And do you have DPAs with each of them?
We have DPAs with all of them. You can find an up-to-date list of sub-processors here: policy.range.co/subprocessors.html
What frameworks does Range use?
Range servers are predominantly written in Go (https://golang.org/); currently we have one microservice written in Python. We use gRPC to specify client-server and server-server interfaces. The Range web application is served statically and written using React and Redux.
Is this a multi-tenant environment? How do you segregate different customers' data?
Range is a multi-tenant service. We have logical controls to prevent cross-account access to customer data.
Do you have a way for external researchers to report security vulnerabilities?
We use Sentry for error reporting, Google Analytics to track usage, Intercom (https://intercom.com/) for customer support, and Google Fonts to make pretty typography. User-uploaded images are served via Imgix.
How are passwords stored?
We encourage use of Google sign-in, but for accounts that do have passwords we use bcrypt.
We feel that our incentives are aligned. We want to work with you on securing your data and making you feel confident in your teams’ use of Range. If there's something you're concerned about, or you think there are additional measures we should deploy, or you’d just like to chat about our security and privacy practices, please email firstname.lastname@example.org.