Rewind signs CISA’s “Secure by Design” pledge, strengthening our commitment to security

Dave North | Last updated on April 1, 2025 | 4 minute read

At Rewind, security is not just a feature, it’s fundamental. 

Our customers rely on us to protect, back up, and restore their critical SaaS data, and we take that responsibility seriously. That’s why we’re proud to announce that we have signed the Cybersecurity & Infrastructure Security Agency (CISA) Secure by Design pledge, reinforcing our commitment to continuous security improvements and industry-leading best practices.

As a Secure by Design signatory, we join Rewind partners including AWS, GitHub, and Okta and align ourselves with other global security leaders in ensuring that security is embedded at every level of our technology, operations, and customer experience.

What is the Secure by Design pledge?

CISA’s Secure by Design pledge is a commitment for technology providers to make security the default, rather than an afterthought. The pledge sets out seven key goals, each designed to strengthen the cybersecurity posture of technology companies and improve protection for customers.

At Rewind, these principles are already core to our approach, and we are further committing to specific actions that will enhance security across our products.

The seven Secure by Design pledge goals and our commitments

1. Multi-Factor Authentication (MFA)

Goal: Within one year, demonstrate actions to measurably increase the use of multi-factor authentication across the manufacturer’s products.

Rewind’s commitment:

  • MFA options: We have added both time-based one-time password (TOTP) and WebAuthn, allowing users to pick their preferred MFA method. Recently, we enhanced our backup codes functionality to give users a fallback option should their MFA factor be lost or compromised.
  • User education: We will actively encourage MFA adoption through product prompts and security guidance to maximize protection for our customers.
  • Admin control: Within the next 12 months, we will give administrators the ability to enforce MFA for all users in their organization.

2. Default passwords

Goal: Within one year, demonstrate measurable progress towards reducing default passwords across the manufacturer’s products.

Rewind’s commitment:

  • No default passwords—ever: Rewind does not use default passwords anywhere in our product today, and we commit that we will never introduce them in the future.

3. Reducing entire classes of vulnerability

Goal: Within one year, demonstrate actions taken towards enabling a measurable reduction in the prevalence of one or more vulnerability classes.

Rewind’s commitment:

  • Bug bounty data-driven approach: Using insights from the Rewind bug bounty program, we will focus on addressing the most common vulnerability class within the next 12 months and continue our systematic approach to reducing risks for Rewind customers.

4. Security patches

Goal: Within one year, demonstrate actions taken to measurably increase the installation of security patches by customers.

Rewind’s commitment:

  • Fully managed patching: Rewind is an entirely SaaS-based platform, so customers do not need to install security patches themselves.
  • Commitment to patch SLAs: We commit to installing security patches within our patch process SLAs, which are audited as part of our SOC 2 program.

5. Vulnerability disclosure policy (VDP)

Goal: Within one year, publish a vulnerability disclosure policy (VDP) that encourages responsible security research and allows for coordinated vulnerability disclosure.

Rewind’s commitment:

  • Public vulnerability disclosure policy: We have published a clear and transparent Rewind Vulnerability Disclosure Policy that allows security researchers to report issues responsibly.
  • Safe harbor for researchers: We ensure that ethical security researchers are protected from legal action when reporting vulnerabilities in good faith.

6. Common vulnerabilities and exposures (CVEs)

Goal: Within one year, demonstrate transparency in vulnerability reporting by including accurate common weakness enumeration (CWE) and common platform enumeration (CPE) fields in common vulnerability and exposure (CVE) records, and issue CVEs in a timely manner for critical vulnerabilities.

Rewind’s commitment:

  • Develop a CVE policy: Within the next 12 months, Rewind commits to demonstrating transparency in vulnerability reporting by creating and following a procedural document that outlines the steps our Security Engineering team will take in the event that we uncover a vulnerability that requires us to assign and issue a CVE record for any of Rewind’s products.

7. Evidence of intrusions

Goal: Within one year, demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.

Rewind’s commitment:

  • Expanding audit logs: Rewind already has a comprehensive audit log that is exposed to end users. We commit to continually enhancing the events that are auditable, providing customers with greater visibility into actions taken within their accounts.
  • Security tool integration: Over the next 12 months, we will deliver enhanced notification capabilities, allowing customers to integrate Rewind’s security alerts with their existing security tooling for real-time monitoring.

Why this matters for our customers

By signing the Secure by Design pledge, we are reinforcing our commitment to security and transparency. Our customers trust Rewind to protect their critical SaaS data, and we take that trust seriously. This pledge is not just about compliance and ‘checking a box’—it’s about continuously raising the bar for security, ensuring businesses can recover confidently from any data incident.

At Rewind, security isn’t just a responsibility—it’s a promise.

Dave North
Dave North has been a versatile member of the Ottawa technology sector for more than 25 years. Dave is currently working at Rewind, leading the technical operations group. Prior to Rewind, Dave was a long time member of Signiant, holding many roles in the organization including sales engineer, pro services, technical support manager, product owner, and devops director. A proven leader and innovator, Dave holds 5 US patents and helped drive Signiant's move to a cloud SaaS business model with the award-winning Media Shuttle project. Prior to Signiant, Dave held several roles at Nortel, Bay Networks, and ISOTRO Network Management working on the NetID product suite. Dave is fanatical about cloud computing, automation, gadgets and Formula 1 racing.