Data security is woven into the fabric of our service offering. It affects our choice of applications, the tools we use to integrate them, our internal policies, and the design of your user experience.
Unlike many security promises you may encounter, this statement focuses on people because they tend to be the weakest link in any security regimen. Yes, we use enterprise-grade security and we can talk at length about transaction layer security, encryption and other technical aspects of security, but when it comes to data security what really matters is how you interact with the tools.
The weakest link in any security regimen is human. Security mechanisms are cumbersome and easily circumvented by people who have a job to do, a deadline to meet, and whose memory for complicated sequences of characters is limited. Recognizing this reality, we have focused on your user experience to make the most secure procedures the ones that are easiest to use and understand. This not only helps you, it also helps our own staff. They feel the same deadline pressures as you do and may be tempted to cut corners too. Thus, the overall user experience has been carefully crafted to make data security a central part of every interaction between you and our staff.
We use an enterprise-grade password management tool to keep track of all our credentials. It generates a random multi-digit password for every application. Since we no longer need to remember passwords, they can be as long as we want – literally dozens of characters. The only password we need to remember is the master password to gain access to the password management tool. Each master password is unique to the employee and must be memorized to ensure that it is never pasted to the underside of the laptop or kept in a drawer.
The tool we use allows us to share access to an application without disclosing the password, in the few instances where shared access is required. It also allows us to audit our staff credentials to ensure they never reuse passwords and that they choose only highly secure credentials.
Our strict policy is to never leave computers unattended and unlocked. Passwords are never shared between staff. Information is accessible to staff only on a need-to-know basis. We use role-based access control lists to create strict borders around your data. We do periodic audits on all activities related to sensitive information. We use a process management tool to ensure that proper procedures are followed in all scenarios.
The process management tool runs periodically to expire passwords and force our staff to create new passwords, including the master password for the password management tool.
We never send sensitive information by email – it is shared to you on a protected cloud drive. When you upload files to the cloud, we run an automated program on the cloud server to move the file into a secure location as soon as it is uploaded.
We use only enterprise-grade tools to manage your most sensitive information. These tools allow us to audit and track all transactions. Most of our tools now use OAuth 2 mechanisms to limit access to only those functions that are truly required for any given transaction and to time out credentials so that access is granted for only a short time.
All of our tools use https (transaction layer security) protocol based on public-key encryption to
ensure that only your browser and the server can decrypt the data. Most tools use geo-fencing to ensure that staff access to the data is coming from a physical location that we expect for that employee.
Sensitive data is encrypted on the database servers (encrypted at rest) so that access to the database must be done by a secure application rather than through an insecure channel.
Fundamentally, we employ a layered approach to information security. The outermost layer is training and awareness. Inside that layer is user design to make proper data security the easiest and most natural way of interacting with our systems. The next layer is process enforcement to ensure that
best practices are followed, employee audits are performed regularly, and best practices are introduced as needed. Next is password management which minimizes human error, enables ultra-strong passwords, and enables credential security audits. Inside that layer is need-to-know enforcement to ensure that the only staff to use your sensitive data are truly required to do so. The next layer is OAuth 2 security to ensure your identity is positively confirmed, to limit exposure to only those bits of data that are required to do the job, and to minimize the amount of time that access is granted. Finally, at the core of our data security model is data encryption at rest and in flight using modern encryption methods.
Our goal is your peace of mind. We work hard every day to make this a reality.