Financial Cents Cybersecurity Practices
The FTC recently issued a new set of rules for protecting financial and personally identifiable information hosted by businesses. The rules directly affect our customers who regularly file taxes on behalf of their clients to the IRS and host their clients’ documents and other information on Financial Cents.
Security has always been, and always will be, at the top of the priority list for Financial Cents. To keep our customers informed and in compliance with the new FTC rules, we’ve put together a list of the cybersecurity practices that Financial Cents employs to secure our users’ data and their clients’ information.
General Security Practices
- Bi-annual security assessments conducted by third-party cybersecurity experts.
- Penetration testing and code vulnerability scanning done regularly by our engineers.
- Automated dependency vulnerability detection and remediation to keep us informed of any newly discovered vulnerabilities coming from third-party services and packages.
- All data is encrypted at rest including databases, file storage systems and internal service communications.
- All data, regardless of type, is encrypted in transit. When customers request their data from our servers using the browser, we only fulfill the request if a TLS connection has been established.
- Multi-factor authentication is provided and recommended to our users.
- Financial Cents staff have restricted access to customer information. Fine-grained access control allows us to give access to specific parts of the application only to the personnel who need it and are trained to safely handle such access.
- Staff are also rigorously trained and kept up-to-date with cybersecurity threats and how to mitigate them.
- We maintain an audit log of activities on sensitive records that provides us and our customers with detailed information on any modification or deletion of data.
- Information is disposed of when the records are no longer needed. For example, deleted records are permanently removed after no more than 6 months; we keep recently deleted records only to prevent permanent loss of data in case of accidental deletion.
- To be prepared for any unauthorized intrusion, Financial Cents has developed a comprehensive incident response plan that defines the processes, roles and responsibilities to be followed in case of a security event.
- All incidents are immediately reported to the CEO and CTO, who in turn are responsible for the immediate containment and remediation of any vulnerabilities.
Physical Server Security
- We utilize both Digital Ocean and AWS (Amazon) as our cloud service providers. Both providers are SOC 2, SOC 3, GDPR and HIPAA compliant.
- Servers are located in New York City and Virginia (USA) and are protected 24/7 by trained guards and surveillance cameras.
- Read more about Digital Ocean’s security practices here https://www.digitalocean.com/security
- Read more about AWS security practices here https://aws.amazon.com/compliance/data-center/controls
Client Portal Security Practices
Many of our customers utilize our client portal to collect information and documents from their clients and to communicate with them. Our easy-to-use portal provides your clients with a passwordless authentication process. To securely authenticate your clients, we employ a set of industry-leading technologies and mechanisms to verify their identity.
- When a client is sent the email to access the client portal, an encrypted long-form password is included in the link along with a special identifier. The encrypted password expires every thirty days and a new password is generated for your client. This acts as a more secure username and password for your client, as the combination automatically rotates every 30 days.
- When your client visits the link, they are prompted to verify their identity again by entering a 6-digit code that is sent to their email address or as an SMS to their phone number. This mechanism prevents accidental sharing of the secure link from granting unauthorized access.
- We highly recommend that your clients enable the newly released SMS-based 2-factor authentication to further secure their accounts. Reach out to our customer success team to learn more.
- Once your client is in the portal, we track the email address they used to gain access. If that email address is changed by you, or if the contact is removed, the client loses access to the portal. This prevents terminated employees and other no-longer-authorized clients from accessing the portal.
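The portal login flow described above (a long random link secret tied to a contact identifier and rotated every thirty days, then a single-use 6-digit code, with access revoked when the contact's email changes), as an added example that is not Financial Cents' own code. The data model, URL, function names and the code's validity window are assumptions; only the thirty-day rotation and the 6-digit code come from the page.

```python
import hmac
import secrets
from dataclasses import dataclass

LINK_TTL = 30 * 24 * 3600   # the page says the link secret rotates every thirty days
CODE_TTL = 10 * 60          # assumed validity window for the 6-digit code (not stated on the page)


@dataclass
class PortalContact:            # constructed model of one client contact; field names are hypothetical
    contact_id: str
    email: str
    active: bool = True
    link_secret: str = ""
    link_expires: float = 0.0
    pending_code: str = ""
    code_expires: float = 0.0


def issue_link(contact: PortalContact, now: float) -> str:
    """Generate (or rotate) the long random secret embedded in the emailed link."""
    contact.link_secret = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    contact.link_expires = now + LINK_TTL
    return f"https://portal.example.invalid/{contact.contact_id}?k={contact.link_secret}"  # hypothetical URL


def check_link(contact: PortalContact, contact_id: str, secret: str, now: float) -> bool:
    """First step: identifier plus unexpired secret, for a contact that is still active."""
    if not contact.active or contact_id != contact.contact_id or now >= contact.link_expires:
        return False
    return hmac.compare_digest(contact.link_secret, secret)   # constant-time comparison


def send_code(contact: PortalContact, now: float) -> str:
    """Second step: a fresh 6-digit code delivered out of band (email or SMS); returned here for the demo."""
    contact.pending_code = f"{secrets.randbelow(1_000_000):06d}"
    contact.code_expires = now + CODE_TTL
    return contact.pending_code


def verify_code(contact: PortalContact, submitted: str, now: float) -> bool:
    """Single-use check, so a forwarded link alone cannot complete the login."""
    if not contact.pending_code or now >= contact.code_expires:
        return False
    ok = hmac.compare_digest(contact.pending_code, submitted)
    contact.pending_code = ""                                  # consumed on any attempt, right or wrong
    return ok


def change_email(contact: PortalContact, new_email: str) -> None:
    """Changing the contact's email (or removing the contact) revokes the outstanding link."""
    contact.email = new_email
    contact.active = False
    contact.link_secret = ""
```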
What makes our Client Vault feature even more secure?
Data stored in the vault has additional security measures in place.
- All fields other than the “Name” field are double encrypted at rest and only fully decrypted upon user request.
- Data access is controlled by specific permissions granted by authorized users to other team members within your firm. Permissions are generally controlled by the firm owner within the application.
- Because of the strong encryption mechanism, vault data is not searchable except for the Name field.
- Vault records are never revealed in email or in-app notifications or transmitted anywhere outside of an authenticated secure connection.
- When vault records are deleted, they are immediately removed from all systems (no grace period to undo deletion).
- Audit trails of the vault records do not contain any sensitive information: only the action and the user performing it are stored, while other fields, such as passwords or custom fields, are never retained in the log.
What can you do to further secure your account?
Financial Cents highly recommends that all users enable 2-factor authentication by visiting their profile and adding and verifying their primary phone number. Enabling 2-FA protects your account in case your username and password combination is compromised.
Our customers and potential customers are entitled to a copy of our annual security letter of attestation upon request. If you would like a copy of this letter, please contact our customer support and they’ll be happy to assist.
If you have questions or require further information about our security practices, please don’t hesitate to reach out to us.