Security & Compliance

FROM THE DESK

Security is our top priority.

“The security of our application and our customers’ information is always a top priority for CollateralEdge. Accordingly, we have implemented industry standards and best practices for information security, cybersecurity, and compliance.”

— Brandon Pabalate, Director, Risk & Compliance

Certifications & Compliance

CollateralEdge has achieved a SOC 2 Type 1 certification for security, and as part of our SOC 2 compliance program, we undergo periodic audits that test the effectiveness of the design and implementation of internal controls related to financial reporting, governance, information security, and cybersecurity. We can provide a SOC 2 report and related attestations of compliance upon request.

Physical Security

The IT infrastructure supporting the CollateralEdge applications is housed in AWS datacenters, and CollateralEdge relies on AWS to provide appropriate physical and environmental security controls over the datacenters and the network devices housed within them. Amazon has significant experience in designing, constructing, and operating large-scale datacenters and has implemented various controls to ensure that physical access to datacenters is limited to authorized personnel. To ensure these controls are operating effectively on an ongoing basis, CollateralEdge periodically reviews AWS SOC 2 reports and other security and compliance documentation provided by AWS.

Logical Security

CollateralEdge practices the “principle of least privilege” when managing access to its IT devices and infrastructure. This means that employees and contractors are given the level of access necessary to conduct their specific job duties and no more. Role-based access controls are enforced on company equipment as well as on critical IT infrastructure and software tools and applications. Strong password requirements are enforced, and multi-factor authentication (MFA) is required for access to sensitive software tools or applications. User access reviews are conducted on a regular basis, and the company has formal procedures for employee onboarding, offboarding, and access level changes due to role changes.

Vendor Management

CollateralEdge uses third-party vendors to provide various products and services that are necessary to operate the business. To mitigate the risks arising from these third-party relationships, CollateralEdge has implemented a formal Vendor Management Program that risk-rates each vendor and requires initial and ongoing assessments of each vendor based on its assigned risk rating. These assessments are reported to the Risk Committee on a regular basis and include a review of the financial condition, operations, internal controls, and security and compliance programs of each vendor.

Privacy

Respect for the privacy of personal and other sensitive or confidential information is fundamental to our business. When transacting with our bank customers and providing our products and services, we intentionally limit or restrict the collection of personally identifiable information (PII) related to the underlying bank customer by asking for only anonymized transactional and financial information.

When you visit our website, we may passively collect information such as your IP address, browser information, and the content or pages visited on the site. We also collect information that is voluntarily entered in various forms on our website, such as names, email addresses, and other demographic information. We use this information to provide services and information that you request; to enhance, improve, operate, and maintain the website, our products, programs, services, and other systems; to prevent fraudulent use of our site, products, and services; to tailor your user experience; to maintain a record of our dealings with you; and for other administrative purposes. We may also use the personal information you provide to contact you regarding our products and services. We will not disclose your personal information to third parties without your consent, other than as mentioned above and as described more fully in our Privacy Policy, linked below.

Learn More

Ongoing Monitoring

As part of our SOC compliance program, we have implemented various tools and applications within our AWS environment that monitor the health of our IT infrastructure, detect threats and vulnerabilities, and prevent unauthorized use or access. AWS CloudWatch is configured to monitor the IT infrastructure in AWS and provide real-time alerts to DevOps personnel regarding resource availability and utilization. Amazon GuardDuty provides continuous security monitoring and uses threat intelligence feeds and machine learning to identify unexpected and potentially unauthorized changes within the AWS environment. Amazon Inspector is a security vulnerability assessment service that continuously tests the network accessibility of Amazon EC2 instances and the security state of the applications running on those instances. Several other tools and applications are configured to monitor the AWS environment and trigger alerts to the appropriate DevOps or Risk personnel for triage and resolution.