Compliance & Security

We follow a documented and systematic approach to manage our business with the highest level of compliance and security in mind. This page addresses our commitment to Compliance & Security Governance, Platform & Infrastructure Security, and Platform Availability.

Compliance & Security Governance

Policies & Procedures

We have documented and codified numerous policies and procedures addressing cyber & information security, fraud prevention and detection, software lifecycle management, code of conduct, vendor management, and internal controls.

Governance

Our Information Security Committee meets regularly to review and improve our compliance program, and provides regular updates to our board of directors.

Change Management

We follow a documented and systematic approach to requesting, documenting, and implementing changes to our systems, with the permissions used for each change granted on a least-privilege basis.

Platform & Infrastructure Security

Team Members

We conduct pre-employment background checks on all team members, and they must complete cybersecurity & phishing awareness training annually.

External Auditing

We employ third parties to perform routine scans and testing on our systems, including continuous vulnerability scanning and annual penetration testing, to ensure their security.

Authentication & Authorization

We employ a strict role-based access control (RBAC) model across all of our internal and external systems, granting each team member only the least privilege their role requires. All team member access is reviewed and updated regularly. We enforce multi-factor authentication (MFA) wherever it is available.

Data Encryption

We encrypt all data both at rest (AES-256-GCM) and in transit (TLS 1.2/1.3).

Environment Segmentation

All of our environments are fully segregated from each other (production and non-production), and no client personally identifiable information (PII) is migrated to non-production environments.

Sensitive Data

We do not store sensitive PII, such as social security numbers, dates of birth, or banking information, in our database systems.

Platform Availability

Business Continuity

We have a documented business continuity plan that is reviewed at least annually and tested against real-world scenarios covering both natural disasters and cyber incidents.

Disaster Recovery

All production data is backed up regularly, and systems are deployed across multiple availability zones to ensure adequate recovery time.

Monitoring

We monitor the platform and its infrastructure’s health continuously and log any issues for immediate review.