Information Security Program

1. Organizational Security

Information Security Program
We maintain a comprehensive Information Security Program aligned with the SOC 2 Framework, a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). This program is communicated organization-wide to ensure consistent awareness and adherence.

Third-Party Audits
We undergo regular independent third-party audits to assess and validate the effectiveness of our security and compliance controls.

Roles and Responsibilities
Roles and responsibilities for maintaining security and protecting customer data are clearly defined and documented. All team members are required to review and accept security policies as part of their onboarding.

Security and Awareness Training
Our team receives ongoing security awareness training, including topics like phishing prevention and secure password practices, to stay up-to-date with industry standards.

Confidentiality
All team members sign an industry-standard confidentiality agreement before their first day of employment.

Background Checks
We perform background checks on all new hires in accordance with local laws to ensure a trustworthy workforce.

2. Cloud Security

Cloud Infrastructure Security
We host all services on Amazon Web Services (AWS), which maintains a robust security posture and numerous certifications. Learn more at AWS Security.

Data Hosting Security
Client data is hosted securely on AWS (within the U.S.) or on client premises, depending on the engagement.

Encryption at Rest
All databases are encrypted at rest, protecting stored information from unauthorized access.

Encryption in Transit
Data in transit is encrypted using Transport Layer Security (TLS) to ensure secure communication between systems.

Vulnerability Scanning
We conduct regular vulnerability scans and actively monitor our environments for threats.

Logging and Monitoring
Our systems are configured for continuous logging and monitoring of cloud activities to detect and respond to anomalies.

3. Business Continuity & Incident Response

Business Continuity & Disaster Recovery
We use AWS’s backup services to mitigate data loss risks due to hardware failures. Our systems are also equipped with automated alerts to notify teams of any service disruptions.

Incident Response
We have a defined Incident Response Plan, which includes escalation protocols, rapid mitigation, and effective communication during security events.

4. Access Security

Permissions and Authentication
Access to sensitive infrastructure is limited to authorized personnel only. We enforce Single Sign-On (SSO), 2-Factor Authentication (2FA), and strong password policies where applicable.

Least Privilege Access
We follow the principle of least privilege, granting access only to what is essential for an individual’s role.

Quarterly Access Reviews
Access reviews are conducted quarterly to ensure proper access controls are maintained.

Password Requirements
All team members must comply with our password complexity and strength policies.

Password Managers
We deploy password managers on company-issued laptops to help team members manage credentials securely.

5. Vendor & Risk Management

Annual Risk Assessments
We perform at least annual risk assessments to identify and mitigate potential threats, including fraud risks.

Vendor Risk Management
Vendors are assessed and reviewed for security risks before being approved. We ensure that appropriate due diligence is performed during vendor onboarding.

Contact Us

If you have any questions, please contact infosec@emcoreglobal.com