Payference Security
Security is crucial for us at Payference.
At our core, we are committed to providing our customers with a secure and reliable platform to store and process their valuable data. To that end, we continually evaluate and enhance our internal processes and controls so that our product stays aligned with the latest and most effective security practices. We understand that data security is of utmost importance to our customers, which is why we prioritize the safety and confidentiality of your data above all else.
With our SOC 2 compliance, you can rest assured that we meet the highest standards of security and confidentiality in the industry. Trust us to keep your data safe, so you can focus on leveraging our product to drive value for your business.
On this page, you'll find additional information about our internal security, which we implement to ensure a safe experience with our product and services.
Data Security Controls Currently in Place
- Our data centers are hosted on Amazon Web Services (AWS), which is accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (previously SAS 70 Type II), PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX).
- Our database is encrypted at rest using AES-256 block-level storage encryption.
- Continuous Protection keeps our data safe in the event of a database failure.
- All communication is encrypted in transit via TLS with 2048-bit keys.
- To securely transfer files, Payference uses SFTP.
Account Security Controls Currently in Place
- All login attempts are logged and monitored.
- After 6 failed login attempts, a user is locked out until we verify whether there was malicious intent.
- Multi-factor authentication (MFA) is available for enhanced authentication security.
- Payference routinely checks for, and is alerted to, malicious and suspicious activity.
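The two account controls above (every attempt logged; lockout after 6 failures that persists until a human reviews it) can be expressed as a small piece of defensive logic. The following is an added illustration written for this page, not Payference's own code; the `LoginGuard` class, its event names, the reviewer workflow and the sample usernames and IP addresses are all constructed for the example. Note that a locked account rejects even a correct password, so the lockout itself cannot be used to confirm whether a guessed password was right.

```python
"""Failed-login lockout with an append-only audit trail (added example, not Payference code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 6  # threshold stated on the page


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked: bool = False
    lock_reason: Optional[str] = None


@dataclass
class LoginGuard:
    """Tracks login outcomes per user and locks after MAX_FAILED_ATTEMPTS (hypothetical helper)."""
    accounts: Dict[str, AccountState] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def _log(self, event: str, user: str, **extra) -> None:
        # Every attempt, success or failure, is recorded with a UTC timestamp.
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, "user": user}
        entry.update(extra)
        self.audit_log.append(entry)

    def attempt(self, user: str, credentials_valid: bool, source_ip: str) -> str:
        """Return 'success', 'failed' or 'locked' for one login attempt."""
        state = self.accounts.setdefault(user, AccountState())
        if state.locked:
            # A locked account rejects every attempt, valid or not, so the
            # lockout cannot be used as a password oracle.
            self._log("login_rejected_locked", user, source_ip=source_ip)
            return "locked"
        if credentials_valid:
            state.failed_attempts = 0  # a good login resets the counter
            self._log("login_success", user, source_ip=source_ip)
            return "success"
        state.failed_attempts += 1
        self._log("login_failure", user, source_ip=source_ip,
                  failed_attempts=state.failed_attempts)
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # No automatic expiry: the lock stays until a reviewer clears it.
            state.locked = True
            state.lock_reason = "failed_attempt_threshold"
            self._log("account_locked", user, source_ip=source_ip,
                      failed_attempts=state.failed_attempts)
            return "locked"
        return "failed"

    def unlock(self, user: str, reviewer: str, finding: str) -> None:
        """Manual unlock after review; records who cleared the lock and why."""
        state = self.accounts[user]
        state.locked = False
        state.lock_reason = None
        state.failed_attempts = 0
        self._log("account_unlocked", user, reviewer=reviewer, finding=finding)

    def locked_accounts(self) -> List[str]:
        """Accounts currently awaiting review."""
        return sorted(u for u, s in self.accounts.items() if s.locked)


def simulate() -> dict:
    """Replay a constructed attempt sequence and return what was observed."""
    guard = LoginGuard()
    # Constructed sample: six wrong passwords from one source address.
    results = [guard.attempt("alice", False, "203.0.113.7") for _ in range(6)]
    # Correct password arrives after the lock: still rejected.
    after_lock = guard.attempt("alice", True, "198.51.100.4")
    locked_before_review = guard.locked_accounts()
    guard.unlock("alice", reviewer="secops",
                 finding="user mistyped password; no malicious intent")
    after_unlock = guard.attempt("alice", True, "198.51.100.4")
    return {
        "results": results,
        "after_lock": after_lock,
        "locked_before_review": locked_before_review,
        "after_unlock": after_unlock,
        "audit_events": [e["event"] for e in guard.audit_log],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(simulate(), indent=2))
```

In a real deployment the audit log would go to a write-once store rather than an in-memory list, and the `unlock` call would be the only path out of the locked state, mirroring the "until we verify" wording above.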
FAQ
- Is your security audited by third parties?
  In addition to our regular SOC 2 audit program, our Security Assurance Program includes a yearly audit in which third-party experts confirm the security of our product. This audit includes penetration tests and source code audits.
  In addition, we partner with a number of accounting solutions that regularly assess and clear the security of our application and integrations.
- Do you encrypt data at rest?
  Payference stores all data in an encrypted database in the AWS cloud. The database is encrypted with a best-in-class encryption algorithm, AES-256. We use Amazon Key Management Service (KMS) for managing encryption keys. User passwords are one-way hashed and stored in the encrypted database described above.
- Is audit logging enabled?
  Yes, Payference logs all user activity to enable easy auditing of usage patterns.
- Is multi-factor authentication supported?
  Users can protect their accounts with OTP-based MFA.
- Is role-based access control supported?
  Our product offers role-based access control that allows administrators to provision different levels of access.
- Is there a Service Level Agreement?
  We offer a Service Level Agreement for our product. More information can be provided upon request.
- Is access monitoring enabled?
  We log and monitor all access attempts to our company resources. Audit logs are reviewed on a regular basis for security events.
- Are backups enabled?
  We ensure that data is backed up across multiple locations and can be retrieved within our recovery time objective if a failure does occur.
- Is data erasure supported?
  Customer data is deleted within one month after contract termination. Additional details can be found in our Data Deletion policy (upon request).
- Is encryption in transit enabled?
  All of our communications in transit, external and internal, are encrypted via TLS with 2048-bit keys.
- Is encryption at rest enabled?
  We use the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits.
- How is physical security handled?
  Physical security for our data centers is managed by Amazon Web Services.
- How is data access handled?
  We strictly monitor access to customer data and only permit it on an as-needed basis.
- What type of logging is enabled?
  We keep detailed logs of all activities on company resources and review those logs weekly to identify irregularities.
- What password security is in place?
  We enforce stringent password policies for all our employees and users and also offer multi-factor authentication (MFA).
- Is there employee security training?
  As part of our SOC compliance, we require security awareness training upon hire and annually thereafter.
- How is incident response handled?
  We have a dedicated incident response team and plan. More information is available in our Incident Response Policy (upon request).
- What controls exist for email protection?
  Phishing is a topic covered during regular security awareness training for our employees. In addition, industry-standard email security controls are in place, including DKIM, SPF, and DMARC.