Finix’s commitment to security is attested annually by independent third parties for compliance with the PCI DSS, SOC 2 (Type 2), and GDPR frameworks. Additionally, Finix undergoes external vulnerability scans and penetration testing at least quarterly by an ASV (Approved Scanning Vendor). Finix security personnel conduct internal vulnerability scans and network segmentation penetration testing at least quarterly. Any findings noted in either of the external security assessments are evaluated by the Chief Information Security Officer (CISO) and the Engineering team. Findings are remediated within 30 days of discovery, and the triage is documented in Finix’s internal project management and issue tracking system (Atlassian Jira). Finix is hosted on AWS (Amazon Web Services), a cloud-service provider with robust security controls in place at its data centers.
As we have all read in recent articles about data breaches, no service provider is immune to a breach, regardless of its size or technical sophistication (Facebook, Sony, eBay, Adobe, JP Morgan Chase, and Yahoo, to name a few). With that said, it is very uncommon for a service provider to commit to uncapped liability for a breach of confidential information. We understand this risk and your concern, and we take both very seriously when architecting and developing the Finix Payments Platform.
All customer data is encrypted at rest using strong cryptographic algorithms. As an added layer of protection, customer data is encrypted both client-side (by Finix) and server-side (by AWS). Consequently, to steal customer data stored by Finix, an attacker would need to compromise both Finix and AWS simultaneously in order to access all of the cryptographic keys required to decrypt it. In the unlikely event of a data breach, all customer data would remain unreadable because of this cryptographic key management scheme. The likelihood that an attacker can compromise both Finix and AWS (without alerting security personnel) is equivalent to lightning striking twice in exactly the same location. To ensure the ongoing operating effectiveness of AWS’ security controls, the Finix Head of Compliance reviews AWS’ SOC 2 (Type 2) report, PCI Attestation of Compliance, and ISO 27001 certification at least annually. Any control deficiencies found in AWS’ audit reports are reviewed by Finix’s Risk Assessment Committee to determine whether they have any material impact on the security, availability, and confidentiality of Finix proprietary and customer data in the AWS cloud. Currently, AWS has a very clean track record, and no findings or control gaps have been reported in its recent external audit reports.
If you would like more information, please contact us at firstname.lastname@example.org.