Data Security, Privacy, & Redundancy

Last Updated: July 5th, 2023

Topics

• Access Controls

• Data Backup and Recovery

• Incident Response

• Security Awareness and Training

• Network Security

• Systems and Application Development Security

• Browser and Device Support

• Password Requirements

• Physical Security

• Data Encryption

• Monitoring and Logging

• Identity and Access Management

• Compliance with Legal and Regulatory Requirements

• Vendor Management

• Business Continuity Planning

• Vulnerability Testing

• System and Network Security Configuration Management

• Data Protection and Privacy

• Ransomware Prevention

• Change Management Protocols

• Continuous Monitoring and Improvement

• Third-Party Security Assessment and Due Diligence

• Whistleblower Policy

NOTE: See the live status of the Firm App application at: https://status.firm.app

Access Controls

Firm App requires strong passwords, MFA (multi-factor authentication), and regular reviews of user access and user authorization levels to the Firm App system and to Primary Vendors (those such as hosting providers which have access to customer data, files, or source code).

By default, the Firm App system requires lengthy passwords, a variety of character types, and dis-allows the top 1,000+ most common passwords.

MFA and Single Sign-On (SSO) are also available for both our customer applications as well as their clients.

Data Backup and Recovery

Data backup and recovery processes are critical for ensuring that data can be restored in the event of a disaster or other interruption. Firm App implements automated data backups stored under 99.999999999% (11 nines) durability, 256-bit AES encryption, and a physical separation of over 2,000 miles. All data is stored and transfered within the United States. Backup integrity is tested regularly under the disaster recovery plan drill.

Incident Response

Incident response planning is crucial for quickly and effectively addressing & documenting security incidents. As detailed in the Firm App SOC 2 Type 1 compliance report, Firm App has a documented incident response plan in place which includes regularly trains employees on how to respond to incidents and regularly testing the incident response plan.

Security Awareness and Training

Security awareness and training helps employees understand how to identify and prevent security threats. Firm App requires regular security training to developers including but not limited to the latest OWASP Top 10 Web Application Security Risks, regularly communicates security policies and procedures, and provides resources for developer to learn more about security best practices.

All employees also undergo mandatory annual Data Security training which covers topics like appropriate use of data, identifying data theft techniques such as phishing attacks, etc. The Firm App Employee Agreement includes data security & confidentiality clauses, guidelines for appropriate data usage, personal device limitations, etc.

Network Security

Network security is critical for protecting against threats to the network and systems. The Firm App office network connection is protected by a firewall, Wi-Fi Protected Access Version 2 (WPA2) encryption, and automatic security updates.

The Firm App application and databases are hosted on Amazon AWS within the United States. Amazon AWS provides a wide range of accreditations and certifications including, but not limited to, SOC 1/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP, and FedRAMP, PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017, ISO 27018. Details of the AWS certifications can be found on the AWS Cloud Security page, but please note that they require a first-party, signed Non-Disclosure Agreement.

All types of data transmission are performed via secure connections. This includes browser connections, native app connections, server-to-database connections, remote management connections, log access, database backups and restoration, etc.

Zero Trust Environment

Firm App deploys a Zero Trust Environment to enhance its cyber-security posture and safeguard its valuable digital assets. This approach operates on the principle of "never trust, always verify," ensuring that access to resources is strictly controlled and granted only after rigorous authentication and authorization. Instead of relying on traditional perimeter-based security measures, this strategy enforces strict access controls for every user, device, and network connection. Each access request is subjected to rigorous authentication and authorization processes, reducing the likelihood of unauthorized access and data breaches.

In Firm App's zero trust environment, systems, employees, and users are granted access to resources on a need-to-know basis, with access rights regularly reviewed and adjusted as necessary. Continuous monitoring of user activities, device health, and network conditions allows for real-time detection and mitigation of potential threats. This security model adapts to emerging risks and promotes a proactive stance against both internal and external threats, offering a more robust defense compared to traditional security architectures.

Systems and Application Development Security

Systems and application development security helps ensure that applications and systems are developed in a secure manner.

Secure coding practices are implemented including but not limited to:

• All user input (site-wide) are evaluated for malicious contents

• Error or exception messages are handled, presented, and logged in a secure manner to prevent sensitive data or coding information from being exposed

• Data encryption is applied to all potentially sensitive data to protect it from being stolen or intercepted

• Secure session management to prevent session hijacking and maintain the confidentiality of user data

• Application-specific access control mechanisms are used to prevent unauthorized access to sensitive data and functionality and are tested via automatic regression tests

• Cross-Site Scripting (XSS) prevention: Use XSS filters to prevent attackers from injecting malicious scripts into web pages

• Cross-Site Request Forgery (CSRF) prevention: Use CSRF tokens to prevent unauthorized requests from being executed

• Secure coding standards: Follow industry-standard secure coding practices, such as OWASP Top 10, to ensure that code is secure

All new code is manually and explicitly reviewed via a pull-request to ensure that secure coding practices are observed. This review includes:

• Creating a pull request explaining how the application was modified

• Automated unit testing to prevent regression

• Heuristics that automatically require security reviews such as exposing error data, route changes, new dependencies, etc

• A checklist of data security categories

• Approval receipt with timestamp, approving employee's name, and IP address

• Dependabot alerts for vulnerable dependencies with SLA for remediation

At this time, only the CTO may approve pull requests into the master branch.

Browser and Device Support

Firm App supports the latest two versions of all modern browsers including Chrome, Firefox, Microsoft Edge, and Safari. For security purposes, Internet Explorer 11 is not supported by Firm App since it is discontinued by Microsoft and no longer receives security updates.

The native Firm App apps for iPhone, iPad, and Android also support the latest two major versions of iOS and Android OS respectively.

Firm App does attempt to support previous versions of browsers and operating system within reason, but cannot guarantee compatibility.

Password Requirements

By default, Firm App requires passwords to be at least 10 characters and must include an upper-case letter, a lower-case letter, and at least one number or symbol. Firm App does not enforce a max length. All authentication pages are designed to support the majority of password managers, but please contact the support team with questions or problems.

MFA is also available for all logins, and is based on the industry standard 24-byte TOTP SHA1 6-digit code. Passwords are not stored directly, Firm App only keeps a heavily salted hash using modern best-practices. For that reason, passwords may not be "recovered" but must be "reset".

Single sign-on is also available for interested parties. Please contact the support team at [email protected].

Physical Security

The Firm App office has physical security measures installed to help ensure that assets and facilities are protected from theft or damage. Firm App implements security controls such as an always-locked exterior door along with individually locked offices and work spaces. Surveillance cameras are installed and monitored on all entrances and exits.

The Firm App application code and databases are hosted in Amazon AWS within the United States regions. Learn more about the Amazon AWS Data Center Physical Security Measures.

Data Encryption

Data encryption helps ensure that sensitive data is protected when transmitted or stored. Firm App implements encryption for data in transit and at rest, regularly monitors encryption usage, and implements secure key management practices.

For data transmitted between the user's browser or native app, TLS 1.3 or 1.2 is used. For security purposes, the following protocols are not enabled: TLS 1.0, TLS 1.1, SSLv2, SSLv3.

Database data, files, and backups are encrypted at rest using the industry standard AES-256 encryption algorithm.

Monitoring and Logging

Monitoring and logging helps detect and respond to security incidents. Firm App implements application monitoring for performance and security reasons. Suspicious activity such as repeatedly-failed login attempts, malicious inputs, repeatedly-failed attempts to view un-authorized data, sql injection, CSRF failures, etc, are logged and automatically reported. Logs include detailed information about the events but private information such as passwords are omitted for security purposes. The Incident Response Plan assigns responsibilities and identifies the required tasks for responding to an event.

Firm App also deploys an Intrusion Detection System (AWS GuardDuty) to monitor and report on databases, application servers, lambda functions, file storage & backups, etc.

Identity and Access Management

Identity and access management involves managing user identities and permissions. Firm App implements requires the use of a password manager, MFA, and with minimum length and complexity requirements for authentication with Primary Vendors or other applications containing private company or client data. Firm App regularly reviews which employees have access to vendors, etc and whether that level of access is required.

Compliance with Legal and Regulatory Requirements

To keep data security as a top priority, Firm App began its pursuit of SOC 2 compliance before the system went to market. In May 2023 Firm App engaged with a third-party BARR Advisory (a cloud-based cybersecurity & compliance consultant) to begin the SOC 2 Type 1 report. As indicated in the engagement letter, the SOC 2 Type 1 final report is due for completion July 14th, 2023 and will be available upon request. Firm App will then complete the second step (SOC 2 Type 2) later in 2023.

Vendor Management

Vendor management involves assessing and managing the risks posed by third-party vendors. Firm App regularly performs security assessments of third-party vendors, implements controls to mitigate identified risks, and has a documented process for managing vendor security. Part of the assessment is identifying Primary Vendors which are those who have any level of access to private company data or client data. Under Firm App policy, Primary Vendors require additional security requirements such as lengthy passwords, MFA, etc.

Business Continuity Planning

Business continuity planning involves preparing for potential business disruptions. Firm App has a documented business continuity plan in place which is available upon request. Firm App regularly reviews this plan to ensure employee awareness and to evaluate the effectiveness of the plan.

Vulnerability Testing

Firm App regularly performs vulnerability scanning, implements controls to address identified vulnerabilities depending on their severity, and regularly updates its testing process. Firm App uses an automated web and API vulnerability scanner to perform daily and weeklyscans of the application servers and API. Issues are categorized as low, medium, high, or critical. By policy, critical issues are resolved within one week maximum, high issues within two weeks, and other issues within one month.

System and Network Security Configuration Management

Firm App is committed to maintaining the security of its systems and networks and to protecting customer data. To achieve this goal, Firm App implements a comprehensive security configuration management process that includes:

• A well-defined application architecture with a reviewed, authorized, and documented change process

• Secure baseline configurations for systems such as application Dockerfiles

• Daily vulnerability scans with automated issue reporting & documented remediation processes

• A documented Incident Management Policy that is reviewed and updated regularly

• Compliance with industry standards such as OWASP Top 10 and SOC 2

• Training for developers and other employees including topics such as appropriate use of data, data security best-practices, etc

Data Protection and Privacy

Good data protection and privacy practices ensure software is secure and all customer data is protected. At a high-level, Firm App deploys these controls to ensure protection & privacy:

• Personal data is protected by unauthorized access via encryption at rest, secure transit, regularly reviewed access controls, and regular training on security best-practices for all employees

• As required in the employment agreement, access to customer data is limited to only those employees who require access in order to perform their job duties

• Access logs are maintained to track and monitor access and modification to customer data

• All data is encrypted in transit and at rest. Additionally, specific fields are encrypted independently as an additional security measure

• All data is backed up at least daily and is stored under 99.999999999% (11 nines) durability, 256-bit AES encryption, and a physical separation of over 2,000 miles

• All new code undergoes a security assessment. Vulnerability scans are conducted automatically to identify any new vulnerabilities.

• All employees will be required to complete regular security and privacy awareness training.

• User authentication enhanced with MFA will be required to access any personal data.

• Customers will be notified of any security breaches according to the Firm App Incident Response Plan

Ransomware Prevention

Ransomware prevention is important for preserving the privacy and safety of customer data along with the integrity of business processes that require access to the Firm App system. Firm App is designedfrom the ground-up with ransomware prevention in mind. Here are some examples:

• All customer data and all application source code is encrypted at rest, encrypted in transit

• Access to Primary Vendors by Firm App is limited to only include employees whose duties require access and the level of access no higher than the requirements of the task

• All data and files are backed up at least daily with AES-256 encryption, versioning enabled, redundancy, deletion markers, and active MFA required for modifications

• Application code is deployed in secure/hardened Docker containers with the latest security patches automatically installed on every release

• A variety of suspicious behaviors are automatically logged and reported to the development team

• All developers and employees are regularly trained on topics like data security and best practices

Change Management Protocols

Firm App abides by its documented Change Management Policy to ensure that changes are made with minimal disruption to the system and customers and to ensure that changes uphold stringent requirements for data protection and privacy. The Firm App Change Management Policy is summarized in three steps:

• Changes to Firm App architecture must be documented and reviewed by the development team including discussion of the proposed changes, the potential impact, and any associated risks

• All changes must be tested thoroughly before being released to the public. The testing process should include unit tests, integration tests, and user acceptance tests.

• In situations where a change may cause problems for user's pre-existing systems or processes, the change should be communicated in advance with enough notice for stakeholders to ask questions and otherwise prepare for the change.

Continuous Monitoring and Improvement

Firm App regularly reviews a variety of data sources to ensure the application is working effectively for customers and to ensure that new development is increasing the effectiveness. Reviewed data includes but is not limited to:

• Direct customer feedback from support representatives and sales persons

• Customer surveys and questionnaires

• Usages logs and other site analytics

Third-Party Security Assessment and Due Diligence

All vendors and associated services in use by Firm App are reviewed before implementation and then regularly to ensure they are up to date and in line with industry best practices. Vendors are reviewed on security policies, procedures, and controls via a thorough assessment of their system architecture and network security, as well as - if appropriate - a testing of their security controls to identify any areas of weakness or vulnerabilities that could be exploited by attackers.

If you have any additional questions, please message the Firm App support team at [email protected]

Any security questions or concerns may be reported to [email protected]

Whistleblower Policy

Our Whistleblower Policy is intended to encourage and enable employees and others to raise serious concerns internally so that we can address and correct inappropriate conduct and actions. It is the responsibility of all employees to report concerns about violations of our code of ethics or suspected violations of law or regulations that govern our operations. It is contrary to our values for anyone to retaliate against any employee or who in good faith reports an ethics violation, or a suspected violation of law, such as a complaint of discrimination, or suspected fraud, or suspected violation of any regulation. An employee who retaliates against someone who has reported a violation in good faith is subject to discipline up to and including termination of employment.

https://docs.google.com/forms/d/e/1FAIpQLSf22Z8SaiGICcRJAN7NEFssUU1uLTNZIHyJHl-IdF-VSZ8V4A/viewform?usp=sf_link