It takes more than just saying “Bank-level security.”
With team members from NCC Group and Palantir, and a former security consultant as CEO, it’s not hyperbole to say that security is in our DNA.
Security is a core requirement of trust, not just a box to tick.
Security in our Organization
We recognize that social engineering can be the easiest backdoor to many systems, so we place as much emphasis on securing our people and processes as we do our technology. To accomplish that, we have comprehensive security policies, extensive training across our company, and external auditing of our practices.
- We are PCI-DSS v3.1 compliant and apply PCI standards when handling any cardholder information, including card numbers and associated billing data
- All employees use two-factor authentication for both internal communication and access to Final systems
- All employees undergo security training and use secure and encrypted communication channels for any sensitive information
- Final maintains and regularly reviews logs of all system interaction and application behavior
Network and Servers
As a startup building from scratch, we can leverage technology that outperforms anything used in the past 30 years, and we adopt best practices as they evolve.
- We encrypt all network traffic and require TLS 1.2 with HSTS and forward secrecy for all internal and external network communications
- We take a 'deny by default' approach to network security for both incoming and outgoing traffic
- We segment the network so that each type of server is isolated from the others, and no sensitive system is exposed directly to another or to the outside world
- Only the few servers that need it have Internet access; most servers have neither Internet access nor Internet-routable IPs
- Development and Production environments are isolated from each other with completely independent networks and no shared infrastructure
- We believe in defense in depth and restrict access between services with both network-level and local firewall rules and software-level ACLs
- Access to our secure network requires both a cryptographic signature and multi-factor authentication, and all production shell access is limited to administrators through a bastion host
- Our infrastructure undergoes periodic internal security scans and penetration testing by third party security experts
Security is a process, not a product, so we write all of our software with security at the forefront of our process.
- All of our applications interact with the same publicly available API
- We peer review all software and configuration changes for security, compliance, and performance implications prior to publishing new versions of our API or customer applications
- We track security alerts for all of our software and take an aggressive approach to software patches
- All customer data is stored encrypted at rest
- We employ third party security experts for software vulnerability audits
While we can’t predict the next earthquake or power outage, we can have a plan in place that ensures zero downtime and no data loss.
- All Final services and infrastructure components have redundancy across geographic areas
- We follow strict failover and incident response policies in the event that any system has an error or goes down
- We test disaster recovery failover at least quarterly
- Audit trails and transaction logs allow us to reconstruct data in the event that a backup system fails
- Offsite backups of all data are taken through snapshots at a regular interval and stored securely
Security and Support
We’re here to help. If you have any questions or concerns about security, please contact us at firstname.lastname@example.org.
Final’s team of support engineers is committed to providing you with the best experience possible. We’ll do our best to respond to any customer service or technical support issues efficiently and with care.
Security vulnerabilities are an unfortunate but recognized issue in software. At Final we take them very seriously. We appreciate your help in notifying us of vulnerabilities in a responsible manner.
If you are a security researcher and have found a potential security vulnerability in our systems, please send details to email@example.com.