Government Data Systems

Many Recidiviz systems use case-level data provided by direct integration with government data stores. These systems are generally cloud-based, and operate around the central mechanism of receiving data uploads from a variety of sources—some publicly available and others directly transferred—and producing models, analyses, and representations of this data which can be used to power Recidiviz services.

Systems using direct integrations with government data include three primary components:

  • ‘Ingest’ processes receive raw information from criminal justice data sources and transform it into a common, standardized data layer.
  • ‘Calculate’ processes operate atop this common data layer, tracking the key performance indicators and baseline metrics of the criminal justice system. Deeper analytics build on these calculations to produce tailored measurements and evaluations.
  • ‘Reporting’ applications provide these analyses and evaluations to particular stakeholders, with design and delivery choices geared towards each one.

Government data thus takes a variety of forms as it passes through these portions of the system. At each stage, the information is fully encrypted-in-transit (including both internal and external transit) and encrypted-at-rest, and is only stored in Recidiviz data stores that require strict authentication and authorization.

Diagrams describing the application and networking architecture are publicly available on GitHub, in the recidiviz/pulse-data repository, alongside other technical documentation. More detailed documentation and resources are available on request to security@recidiviz.org.

Security

We take great care to protect all data that we work with, as well as to protect the privacy of those who provide the data and whose information may be included in the data.

As such, we’re committed to implementing the best available security and privacy protections into all Recidiviz services. This includes, but is not limited to:

  • Ensuring that data and web content are always encrypted-in-transit, both within internal systems and to or from external systems. This encryption will be performed using AES-128, AES-256, or better as recognized by the broader security community.
  • Ensuring that all state and user information is always encrypted-at-rest. This includes at least file-level encryption or full disk-level encryption, and usually both simultaneously (using AES-128, AES-256, or better).
  • Ensuring that automatically generated systems data, including application logs, audit logs, operational metrics, and similar, are also always encrypted-in-transit and encrypted-at-rest, using the same standards described above.
  • Ensuring that HTTPS will be enabled and required for all web-based Services, using TLS 1.1 or higher.
  • Ensuring that all data access points and interfaces require both authentication and authorization, which limits access to only those parties who have a legitimate need for the provision of our Services. Where possible, this will additionally require multi-factor authentication.
  • Ensuring that all data deletion from Recidiviz-owned or -controlled machines is in accordance with either DoD 5220.22-M(E) (3 or 4 pass) or DoD 5220.22-M(ECE) (7 pass) deletion protocols.
  • Ensuring that Recidiviz maintains and continually re-certifies compliance with major applicable compliance standards for the nature of our work and business, including but not limited to SOC-2 Type II. Recidiviz further commits to expanding the suite of compliance certifications we maintain as our set of data classifications and partner organizations expands.
  • Ensuring that Recidiviz works exclusively with infrastructure providers and trusted third-party cloud vendors that maintain compliance with major applicable compliance standards, including but not limited to SOC-2 Type II, ISO 27001, ISO 27018, and others as applicable to the nature of a particular data classification or partner organization.
  • Ensuring that all changes made to the source code underlying our Services are reviewed by internal staff for potential flaws in logic, security, or otherwise, and that all changes are automatically scanned for known security vulnerabilities.
  • Ensuring that all system events, including but not limited to automatic systems operations, data access, and administrative actions, are automatically gathered into audit logs which are archived and regularly reviewed.
  • Ensuring that our engineering and security staff stay current on the latest tools and techniques available to us for enhancing our security and privacy practices, and adopting them where reasonable in a timely fashion.
  • Ensuring that all Recidiviz staff receive thorough background checks, at the county, state, and federal levels, as part of the onboarding process which is required prior to receiving access to sensitive data.

Contact

Our security infrastructure will change over time in response to changing circumstances, new requirements, and technical development. You can reach us at security@recidiviz.org for any questions or comments pertaining to our security and privacy practices, including but not limited to:

  • Questions about our terms of service, privacy policy, or how we protect and work with sensitive data
  • Informational requests related to our application and network architecture, security mechanisms, and tech stack
  • Responsible disclosure of vulnerabilities found in our technical or organizational systems, or dependencies thereof
  • Reports of bugs in our technical systems, directly security-related or otherwise

We will do our best to respond to all inquiries as quickly as possible—typically within no more than two business days—specifically prioritizing inquiries related to potential vulnerabilities or technical issues.

Copyright © 2017, Recidiviz. All Rights Reserved.