This information describes the security infrastructure and architecture for the Intrepid Networks® platform, including human resource components. This information is for cloud-based services and does not reflect security differences for on premises solutions.

1. TRANSMISSION SECURITY
All data transmitted to and from the Intrepid Network’s Response environment undergoes stringent encryption measures. Bi-directional communication from mobile and web clients is safeguarded through HTTPS, ensuring robust encryption both ways. Moreover, outbound communication channels, including email, SMS messages, and app push notifications, are channeled through AWS FIPS endpoints, bolstering the security of data transmission.

 

2. SUPPORTED CRYPTOGRAPHIC PROTOCOLS AND CIPHERS
Our commitment to security extends to the selection of cryptographic protocols and ciphers, adhering strictly to FIPS 140-2 compliant standards. To fortify our defenses, all non-compliant protocols and ciphers remain deactivated, ensuring only the most secure options are utilized.

SSL Protocols:

TLS v1.3

TLS v1.2

 

SSL Ciphers:

TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)

TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

 

These measures ensure that data transmissions within the network environment maintain the highest standards of security, safeguarding sensitive information from potential threats.
 

3. INFRASTRUCTURE SECURITY
Our production environment resides within a single VPC (Virtual Private Cloud), ensuring complete isolation from other AWS resources. Security Groups meticulously manage communication between resources, allowing only essential ports and protocols. Inbound internet access is governed by an Elastic Load Balancer (ELB), listening on port 443 for HTTPS and port 80 for HTTP redirection. SSL termination at the ELB encrypts all communication between users and Intrepid Networks. We enforce a robust security policy, ELBSecurityPolicy-TLS13-1-2-2021-06, aligning with FIPS 140-2 compliant standards to uphold the highest security standards.

Furthermore, we leverage AWS WAF (Web Application Firewall) web ACLs to fortify our defense against attacks. These ACLs monitor and filter web requests, enabling us to protect resources from various threats and vulnerabilities, bolstering our overall security posture.

 

4. USER SECURITY
Intrepid Mobile iOS and Intrepid Mobile Android utilize OAuth 2.0. OAuth 2.0 allows the user to grant this access without exposing their login credentials to the requesting application. OAuth 2.0 provides improved authentication because its initial requests for credentials are made under the SSL protocol and its access object is a transitory token.

If a token is compromised, it is deleted immediately and another one is created — and API credentials are completely safeguarded. Each app version also has its own set of credentials to access Intrepid Networks® servers, which are white-listed when they are released to the customer. Both the app credentials and the user credentials are required. The security scheme utilizes a token-based methodology which will authenticate the user and device.

 

Intrepid Networks® never stores the password for users in plain text. When the user enters his password, it’s hashed using the bcrypt hash function and the result is stored in a database table associated with the user. Upon periodic validation on an entered password, the password is hashed using the same library and only the hash is compared. In the unlikely event that this hash is ever leaked, this methodology is resistant to brute-force attacks because of the adaptive slowness of bcrypt and built-in salt.

 

5. SERVER DATA STORAGE
Data is encrypted at rest using AWS managed keys that are FIPS 140-2 compliant. 

Many data points, like map markers or shapes, can be deleted directly through the UI, depending on the given user’s security role and if they created the data. 

For Connect, Intrepid’s messaging tool, there is no auto-delete but users or admins can delete files and Intrepid Support can be contacted to delete group conversations upon request. 

For any other data, upon request, Intrepid Networks® can be contacted to clear out your database beyond a specified date-point. 

 

6. PHONE DATA STORAGE
No unencrypted PII (Personally Identifiable Information) or any other sensitive data are stored on the phone when a user logs out for any reason. Last logged in username is stored locally, but encrypted, in order to facilitate easy re-login. 

While the user is logged in, encrypted map and chat data may be cached locally. We encrypt all data at rest and in transit. 

 

7. USER ACCOUNT SUSPENSION & DELETION
Organization appointed Organization Administrators have the ability to create, edit, suspend and delete user accounts. Only appointed Organization Administrators have these rights. Should an Organization Administrator desire to suspend or delete an account while in use, the user will cease the ability to utilize Intrepid Response or view any data within 2 minutes (the device authentication heartbeat). 

 

8. DEPARTMENT SUSPENSION & DELETION
Intrepid System Administrators may suspend or delete whole departments should an organization request such an action. Deletion will automatically occur if an organization does not renew their Intrepid subscription upon the termination date of the existing contract.

​

9. INTREPID NETWORKS® STAFF
All Intrepid Networks® staff with access to production data are U.S. citizens or U.S. residents with work permits. All Intrepid Networks® staff have cleared background checks and some of our employees hold U.S.G. security clearances, including the CEO. 

 

10. ACCESS TO ORGANIZATION DATA/INTEGRATION INTO ORGANIZATION SYSTEM

The Intrepid Response platform does not require integration or connection to existing organization systems in order to be fully functional.  It is possible to enable integration(s) to customer system(s) through Intrepid’s customer accessible API, but is not required.

 

11. SINGLE SIGN ON(SSO) AND MULTI-FACTOR AUTHENTICATION(MFA) SUPPORT

SSO and MFA support is provided through integration with Microsoft Azure Entra ID (formerly Azure Active Directory).  Please note that currently, Intrepid Response can only support integration with a single Entra ID tenant.

 

12. COMPLEX PASSWORD SUPPORT

Native or “local” user accounts in Intrepid Response require complex password with the following criterias:

• Must be between 8 and 64 characters

• May not be the same as your username

• May not be identical to previous 10 passwords

• Must contain both alphabetic and numeric characters

 

Organizations may also integrate with Microsoft Entra ID (formerly Azure Active Directory) to enforce organization specific requirements.

 

13. PREVIOUS PASSWORDS

The Intrepid Response platform requires that new passwords may not be identical to previous 10 passwords.

 

14. FAILED LOGIN LOCKOUT

After 5 failed login attempts, users are locked out until an Organizational Administrator can reset and reactivate the user’s account.
 

15. CJIS COMPLIANCE FOR LAW ENFORCEMENT

While Intrepid Response is not specifically designed to process Criminal Justice Information (CJI) data, it does support key controls required for CJIS compliance. The platform adheres to key requirements outlined in the CJIS Security Policy to help agencies meet CJIS requirements. 

 

Intrepid Response supports several CJIS compliance requirements including: 

• Data encryption at rest and in transit using FIPS 140-2 compliant ciphers that can support 256-bit encryption  

• Failed login lockout after 5 attempts  

• Auditing and logging capabilities to satisfy AU-2/AU-3 requirements  

• System use notification before granting access  

• Data hosting within the United States  

 

As a reminder, there is no central CJIS authorization or accreditation body, nor a standardized assessment approach to determine if a solution is CJIS compliant.

 

Additionally, Intrepid Networks employees who have access to production data participate in annual CJIS awareness training, and the company can provide a signed CJIS Security Addendum for agency records to support compliance efforts.

 

16. HIPAA COMPLIANCE

The Intrepid Response platform is not specifically designed to manage medical information and is not currently  HIPAA compliant.  Intrepid does follow security best practices to ensure information is protected and secure but has not been specifically designed to comply with HIPAA compliance requirements.

 

17. INCIDENCE RESPONSE PLAN

Intrepid Networks is NIST SP 800-171 compliant, CMMC Level 2 compliant, and FedRamp High authorized. As part of these security compliance and certification, Intrepid Network maintains a detailed Incident Response plan that is regularly reviewed and maintained.  To obtain more details, please contact your Intrepid Business Development representative.

 

18. AI/ARTIFICIAL INTELLIGENCE

Intrepid continuously collaborates with our customers and evaluates technologies that will best serve our customers’ needs.  This evaluation process also includes Artificial Intelligence and Large Language Model (LLM) technologies.  The current Intrepid Response platform does not include native AI/LLM implementations.