Security
Data security and reliability is top priority at Foundant Technologies, and we know it is for our clients as well. That’s why we apply industry-leading practices across the organization to keep client information safe. To achieve this we use the proven, tested, best-in-class security tools, technologies, practices, and procedures described below.
Compliance
Soc 2 Type 2 audited
We are Service Organization Controls 2 (SOC 2) Type 2 audited and third-party evaluator certified by The American Institute of CPAs (AICPA). This audit uses the Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a service organization’s controls with respect to security.
PCI
Confidential payment data is not processed or saved on Foundant systems.
Hosting Environment and Physical Security
We use Amazon Web Services (AWS) hosting, selected for their high standards of data center security. Learn more about AWS security here: aws.amazon.com/security/
Network Security
All Foundant applications are only accessible over secure channels using HTTPS and the latest TLS ciphers. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Foundant follows current best practices for security, including the use of strong encryption algorithms with a key length of at least 128 bits.
Foundant’s multi-tier architecture segregates application systems from the public Internet. Public traffic to the website passes through a Web Application Firewall (WAF) and then is routed to application systems running on private subnets.
Authentication
Clients log in to Foundant using a password which is known only to them. Password length, complexity and expiration standards are enforced. Passwords are not stored; instead, as is standard practice, only a secure hash of the password is stored in the database.
Users can optionally configure their accounts to use Two-Factor Authentication, by means of an authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy. Users are also automatically logged out of their session after a period of time.
Application Development and Testing
Privacy and security considerations are integral parts of our comprehensive software development lifecycle.
Development staff receive regular training on Secure Coding Practices, including avoidance of the OWASP Top Ten Web application vulnerabilities.
Penetration testing of the website is regularly conducted by a qualified third party. In addition, regular internal vulnerability scans are conducted.
Data Privacy
Please see our privacy policy, which details the types of personal information we collect, our handling of this information, and our customers’ privacy rights.
Transaction Data Retention, At-Rest Protection, Data backups and retention
All data stored in the Foundant system is encrypted at rest. Data backups are taken and stored every 6-24 hours. Data backups are stored in a separate AWS region where possible and a separate AWS availability zone where that is not possible.
High Availability
Our Business Continuity and Disaster Recovery program includes not just measures to ensure the high availability of Foundant’s IT assets, but also contingency planning for natural disasters and other possible disruptions. IT measures are used to ensure high availability include running Foundant services in multiple redundant cloud Availability Zones and replication of the application database to a standby system.
Current system status and recent uptime statistics are continuously available at https://foundant.statuspage.io/.
Incident Response
We have deployed a variety of security and monitoring tools for our production systems. There is 24×7 monitoring of the security status of its systems and automated alerts are configured for security and performance issues.
While we don’t anticipate there ever being a breach of our systems, Foundant has put in place a Security Incident Response Plan which details roles, responsibilities and procedures in case of an actual or suspected security incident.
Our Organization
All full-time team members are subject to background checks that include one or more of the following: criminal history, education, and current and past employment. In addition, Foundant maintains an information security training program that is mandatory for all employees.