Last Updated: July 26, 2021
This Security Statement applies to the platforms and services offered by Finaeo Inc. (“Finaeo”). The protection and security of our customer data is critical to operating our business, and inherently built into our platforms from the ground up. To provide transparency into our security processes with our partners and customers, a detailed summary of our security posture is provided below.
All of Finaeo’s platforms are hosted in AWS. Direct access to Finaeo servers hosted in AWS is protected by multi-factor authentication and whitelisted VPN access to servers and databases. Access to AWS is restricted by role-based access control, based on least privilege access permissions.
Access Control Reviews
Access permissions are reviewed at least quarterly by Information Systems owners and the Security Working Group, with access revoked immediately upon employee termination.
Password policies are implemented for strong password complexity, rotation and re-use. All password fields hide user input.
- Finaeo platforms are logically isolated at the network level in AWS into an AWS Virtual Private Cloud (VPC) where AWS resources are launched in a virtual network defined by Finaeo. Finaeo has complete control over its virtual networking environment, including the selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
- AWS has identified critical system components required to maintain the availability of the system and recover service in the event of an outage. Critical system components are backed up across multiple, isolated locations known as Availability Zones (AZ). Each Availability Zone runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. Availability Zones are connected to each other with fast, private fiber-optic networking, enabling you to easily architect applications that automatically fail-over between Availability Zones without interruption.
- AWS Elastic Load Balancers are used to automatically distribute incoming application traffic across AWS ECS-managed containers, deployed on multiple Amazon EC2 instances in the cloud. This allows us to achieve greater levels of fault tolerance in the Finaeo platforms, seamlessly providing the required amount of load balancing capacity needed to distribute application traffic.
- Firewalls, routers, switches and internet backbone connections are all maintained with redundancy and high availability on a 24/7/52 basis by AWS.
- AWS manages redundant power to all infrastructure routers and switches, as well as the data centers themselves; redundant fibre connections to Internet backbone connectivity providers; and advanced route optimization technology to provide efficient routing among the multiple backbone carriers connected to the data centers.
- Finaeo utilizes AWS firewall-equivalent Security Groups and Route Tables to restrict traffic to servers and subnets based on source, destination, port and protocol.
- Databases are encrypted and deployed in private subnet tiers protected by AWS firewall-equivalent Security Groups.
- Access to platform servers, when required, is only available over encrypted, authenticated + MFA VPN access.
Server & Database Security
- Finaeo uses AWS auto-scaling groups to automatically scale on-demand, replace failed instances, and seamlessly roll out new deployments.
- Hardware failures are replaced expeditiously using AWS native capabilities to spin up new servers or volumes in AWS on demand.
- Databases deployed on AWS RDS Managed Services help to reduce operational overhead and risk by automating common activities such as change requests, monitoring, patch management, security, and backup/restoration services, and provide full lifecycle services to provision, run, and support the infrastructure.
Monitoring & Logging
- Finaeo platforms are constantly monitored with New Relic for application & infrastructure monitoring; AWS CloudWatch for centralized log aggregation (with logs encrypted using AES-256 during transport and at rest); AWS CloudWatch for alarms; AWS GuardDuty for intelligent threat detection & monitoring; host-based intrusion detection systems and file integrity monitoring; AWS Shield for threat remediation; AWS CloudWatch for auditing; and various other systems for real-time monitoring, alerting, forensics, and security.
- A central IT management system is used to track and maintain corporate IT assets and laptops.
- Paid vendor licenses go through a formal assessment and review process. Open source licenses must comply with internal policies for acceptable and non-restrictive licensing.
Business Continuity & Disaster Recovery
- Business Continuity and Disaster Recovery tests are performed and reviewed annually by the cross-departmental Security Working Group.
- Finaeo platforms and corporate services are all cloud-based, and can be fully implemented in both an office and remote setting.
- Finaeo platforms are deployed across multiple Availability Zones (data centers). A failure in one Availability Zone will natively and automatically redirect traffic to the other.
- In the event of catastrophic failures, terraform automation would be used to redeploy environments; continuous integration and deployment processes (CI/CD) is utilized to redeploy the services and databases, and data would be recovered from encrypted backups hosted in AWS.
Storage & Backups
- Database backups are performed at least daily, and stored for a minimum of seven days. All backups are encrypted during storage and transfer.
- Hard disks are stored on AWS SSD EBS volumes that are replicated across multiple servers in an Availability Zone to prevent loss of data.
- Data storage in AWS S3 buckets are replicated across multiple devices across at least Availability Zones, providing 99.999999999% durability over a given year. AWS S3 is designed to sustain concurrent device failures by quickly detecting and repairing any lost redundancy, and also regularly verifies data integrity using checksums.
- Customer data is encrypted in transit using HTTPS/TLS and encrypted at rest.
- Customer databases are located in data tiers in private subnets, and encrypted at rest.
- All database backups are encrypted in transit and at rest. Backups remain in AWS, and remain the country associated with the platform.
- Passwords are transmitted over TLS encrypted channels.
- Finaeo maintains a data classification system for public, internal, confidential, personally identifiable information (PII) and sensitive PII data.
Hardware & Media Disposal
- Finaeo office equipment and AWS data centers policies and procedures implement the proper erasure and disposal of data on laptops, hard disks and other hardware & media, including techniques such as overwriting, degaussing and 2-pass wipes.
- Encrypted keys are managed via AWS Key Management Service (KMS), with separate keys for development and production environments. As this is a managed AWS service, no human users have access to any of the keys.
Information Systems (IS) Policies
Clean Desk & Removable Media Policies
- Information System policies include a clean desk policy applied to all employee laptops via a central IT management system, and a ban on all removal media.
- Finaeo performs internal and major 3rd party vendor risk assessments at least annually.
Security Working Group
- Finaeo has a formal Security Working Group composed of management and technical leadership representatives from Engineering, Product, Customer Success, IT & Support, Compliance and HR. This group meets at least quarterly to review overall security posture; major events, trends and escalations; procedure and policy review; and various procedure testing, including disaster recovery, business continuity and breach response.
HR & Organizational Security
Background Checks & Confidentiality
- All employees undergo background checks covering 7+ years as part of the hiring process, including criminal, employment, reference and credential verification. The specific scope of any background checks shall always be subject to the applicable local laws and regulations.
- All employees are subject to confidentiality agreements as part their employment agreement.
- Employees that violate Finaeo policies will be subject to disciplinary reviews and actions.
Employee Onboarding & Offboarding
- Employee onboarding and offboarding procedures utilize automated notifications, reminders and auditing by our HR management system.
- These processes include access control enablement and revocation, and equipment removal and data destruction.
Security & Privacy Training
- All employees participate in security & privacy training as part of their onboarding process, as well as annually. This process is managed by Compliance & Operations teams, and with audit records maintained of all training completed.
AWS Data Centers: Physical Access
- Finaeo Canada platforms are fully hosted in AWS data centers in Canada.
- Finaeo US platforms are fully hosted in AWS data centers in the United States.
- AWS security personnel are on duty 24/7/52.
- Physical access to AWS data centers is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.
AWS Data Centers: Alarms, CCTV, Inspection
- Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit. These devices will sound alarms if the door is forced open without authentication or held open. Door alarming devices are also configured to detect instances where an individual exits or enters a data layer without providing multi-factor authentication. Alarms are immediately dispatched to 24/7 AWS Security Operations Centers for immediate logging, analysis, and response.
- Electronic intrusion detection systems are installed within the data layer to monitor, detect and automatically alert the 24/7 AWS Security Operations Centers and teams.
- Closed-circuit video surveillance (CCTV) at all entrance points on the interior and exterior of the building housing the data center facilities.
- AWS data centers security alarms are tested monthly, consistent with requirements for ISO 27001 and SOC.
AWS Data Centers: Access Cards, Badges, Visitors
- All AWS personnel and visitors are required to display their identity badges at all times when onsite at AWS facilities.
- Two-factor authentication is used to gain access to server rooms and sensitive areas of the data center.
- Only authorized AWS personnel have access to data center facilities.
- Visitor access control applies to all areas of the data centers, including business justification to access, least privilege, time-bound access, badges worn at all times, authorized staff escorts, and access limited only to justified areas.
AWS Data Center Infrastructure & Redundancy
Climate and Temperature
- AWS data centers use mechanisms to control climate and maintain an appropriate operating temperature for servers and other hardware to prevent overheating and reduce the possibility of service outages.
- Personnel and systems monitor and control temperature and humidity at appropriate levels.
Fire Detection and Suppression
- AWS data centers are equipped with automatic fire detection and suppression equipment.
- Fire detection systems utilize smoke detection sensors within networking, mechanical, and infrastructure spaces.
- In order to detect the presence of water leaks, AWS equips data centers with functionality to detect the presence of water.
- If water is detected, mechanisms are in place to remove water in order to prevent any additional water damage.
- AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day.
- AWS ensures data centers are equipped with back-up power supply to ensure power is available to maintain operations in the event of an electrical failure for critical and essential loads in the facility.
Software Development Process
Agile SDLC Process
- Finaeo Product-Engineering teams operate in an Agile environment with continuous delivery capabilities. Tasks go through our standard SDLC process, including sprint planning, task documentation, development, code reviews, QA, build server testing, multiple deployment environments, automated production deployment and rollback capabilities.
- These processes include version control, coding standards and security best practices.
- Finaeo has fully separated AWS accounts for each platform’s production and development environments. Customer data in production is fully isolated at a network, logical, and access control level from local and development environments.
Segregation of Duties
- Finaeo has segregation of duties across the various departments and stages of the software development cycle. This includes onboarding processes triggered by HR, laptop and corporate IT access by IT administrators, engineering access by Engineering management, software testing by QA, platform support by Support teams, and shared security responsibility by Engineering, IT and the Security Working Group.
Patching and Anti-malware
- Finaeo has patch management processes and anti-malware systems in place to proactively manage security updates.
- Finaeo Platform uses Metadefender anti-virus deep scanning on all file uploads provided by users.
Vulnerability & Penetration Testing
- Monthly vulnerability testing and annual independent, manual penetration testing are performed to check for OWASP Top 10 security risks, amongst other security considerations. Critical and high-level fixes are remediated on a priority basis.
- Finaeo platform software 3rd party libraries are scanned for outdated or insecure versions. Library updates are reviewed, tested, and deployed into regular Sprint processes.
Breach & Incident Response
DDoS & Attack Prevention
- DDoS prevention is managed by Finaeo and AWS. Finaeo has premier enterprise support with AWS for immediate escalation and support of critical issues, including DDoS attacks. Finaeo will also work with 3rd party cyber breach response teams in the event of a major incident.
- Finaeo platforms use a combination of threat management and monitoring including AWS Shield, CloudWatch alarms, AWS CloudWatch centralized logging, New Relic application & infrastructure monitoring, and other tools to help monitor and prevent attacks.
- In the event of a major or reportable breach, affected customers will be notified within 72 hours, or earlier as required by law. Customers may be notified directly by Support or Customer Success teams.
- Incident response procedures involve clear identification of roles and responsibilities. The incident is first classified by impact to the system and whether breach has occurred, followed by escalation procedures and regular reporting intervals to affected customers. In the event of a major or reportable breach, Finaeo may appoint a 3rd party independent auditor to assess the scope and impact of a breach, assist in remediation, and write a full report of its findings.
- Finaeo has live and automated 24/7 monitoring of its platform. Dedicated Customer Success teams regular North American EST hours via email access, Intercom for live chat, and support ticketing. After-hour platform priority issues can be triggered via PagerDuty alerts.
- Keeping your data secure is a shared responsibility that also involves you maintaining appropriate security on your accounts. This includes ensuring sufficiently complex credentials & password rotation policies.
- Do not share your accounts or credentials with others, and provide accurate self-identification information for account validation or potential data requests in the future.
AWS Data Centers
- Finaeo Canada platform is fully hosted in AWS data centers in Canada regions.
- Finaeo USA platform (coming soon) will be fully hosted in AWS data centers in US regions.
- AWS maintains annual certifications and 3rd party audit reports including PCI DSS Level 1, ISO 27001, FISMA Moderate, FedRAMP, HIPAA, and SOC 1 & SOC 2.
- System and Organization Controls (SOC) Reports are independent, 3rd party examination reports that demonstrate how Rock Content achieves key compliance controls and objectives. Starting in 2022-Q1, Finaeo plans to complete SOC-2 security reviews for its platform, and intends to perform these annually on an ongoing basis.
The information contained herein is for general information purposes only. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the information, products, services, processes, activities or related materials referred to herein for any purpose. Any reliance you place on such information is therefore strictly at your own risk. In no event will Finaeo be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising, including from loss of data or profits arising out of, or in connection with, reliance upon this information.