Secure & Available
We've done our best to ensure that your VendorRisk information is secure and accessible 24/7. Here is an outline of measures we currently have in place.
Application Security
User passwords are encrypted in the database and never sent over email in plaintext. In the event of a lost password, a password reset link will be sent to the email address that is associated with the login name. By default, all passwords must be at least 6 characters long. However, you can customize this and force much stricter passwords.
Each successful login is saved to the database, and the IP address is traced to its point of origin (i.e. the location of the ISP). Each user can view their login history and see where and when they logged in. A similar report is available to the site administrator.
To prevent brute force attacks, if a user has unsuccessfully tried to log in ten times, their account is temporarily banned for two hours, and they will be unable to log in even if they enter the correct password.
Files uploaded to your VendorRisk site are first uploaded to the server and then moved to Amazon S3. Once at Amazon, the files are marked private and cannot be accessed by their URL. In order to download the files, the user must first log in to their VendorRisk account.
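The lockout policy described above (ten failed logins, then a two-hour ban during which even the correct password is rejected, with each attempt and its source IP recorded), shown as an added example that is not VendorRisk's own code. It assumes the ten failures are counted consecutively and uses a PBKDF2 stand-in for whatever password hashing the application actually uses.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILURES = 10            # failed attempts before the ban (from the policy above)
LOCKOUT_SECONDS = 2 * 3600   # two-hour ban

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0            # consecutive failed attempts (assumption)
    locked_until: float = 0.0    # epoch seconds; 0 means not locked
    log: list = field(default_factory=list)   # (time, ip, outcome) login history

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is a stand-in for the application's real hashing (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))

def attempt_login(acct: Account, password: str, ip: str, now: float) -> str:
    """Return 'locked', 'ok' or 'bad' and record the attempt with its source IP."""
    if now < acct.locked_until:
        # During the ban the password is not even checked, so a correct one still fails.
        acct.log.append((now, ip, "locked"))
        return "locked"
    if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failures = 0            # a successful login resets the counter
        acct.log.append((now, ip, "ok"))
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0
    acct.log.append((now, ip, "bad"))
    return "bad"
```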
Physical Security
Hosting is handled by Rails Machine, with the server located in an Atlanta, Georgia datacenter. Only Rails Machine employees and their authorized agents have physical access to the servers. The person must wear a unique security badge to gain entrance to the front door of the datacenter, and is then verified by an attendant. To get into the server room, the agent must scan their hand and input a numeric code of arbitrary length chosen when they are given access. The agent then has to get into the server cage itself, which is secured by a padlock.
Server Monitoring & Vulnerability Testing
We utilize Pingdom to continuously monitor the server's uptime. In the event of any downtime, we are emailed within minutes. We also use Scout to monitor the site itself for speed and responsiveness, and receive email notifications of any events that require our attention.
A Trust Guard vulnerability scan is run each day on the VendorRisk server. You can click the Trust Guard image in the bottom-right of this page to see the latest results. According to Trust Guard:
"In order for vendorrisk.com to qualify for the Security Scanned seal, they must pass a thorough daily scan of more than 30,000 known vulnerabilities, in accordance with PCI Security Standards. By successfully passing Trust Guard's daily PCI Scans, vendorrisk.com is able to significantly improve the safety and protection of your information."
SSL Security
All requests to your VendorRisk site use the SSL (https://) protocol to prevent eavesdropping and tampering.
Credit card info
Your credit card information is only stored on our payment gateway's PCI-compliant system. If our database is compromised, your billing information is safe and secure.
Backups
Database backups are performed daily and stored off-site. The website code itself is under source control and synced in three different locations.