Certifications & Compliance
CollateralEdge has completed a SOC 2 Type 1 examination against the Security Trust Services Criteria. As part of our SOC 2 compliance program, we undergo periodic audits by an independent service auditor that test the design and implementation of internal controls related to governance, information security, and cybersecurity. A copy of the SOC 2 report and related attestations of compliance can be provided upon request.
The IT infrastructure supporting the CollateralEdge applications is hosted in AWS datacenters, and CollateralEdge relies on AWS to provide appropriate physical and environmental security controls over the datacenters and the network devices housed within them. AWS has significant experience in designing, constructing, and operating large-scale datacenters and has implemented controls to ensure that physical access to datacenters is limited to authorized personnel. To confirm that these controls continue to operate effectively, CollateralEdge periodically reviews the AWS SOC 2 reports and other security and compliance documentation that AWS makes available.
CollateralEdge follows the principle of least privilege when managing access to its IT devices and infrastructure: employees and contractors are granted only the level of access necessary to perform their specific job duties and no more. Role-based access controls are enforced on company equipment as well as on critical IT infrastructure and software tools and applications. Strong password requirements are enforced, and multi-factor authentication (MFA) is required for access to sensitive software tools and applications. User access reviews are conducted on a regular basis, and the company has formal procedures for employee onboarding, offboarding, and access changes resulting from changes in role.
CollateralEdge uses third-party vendors to provide products and services that are necessary to operate the business. To mitigate the risks arising from these relationships, CollateralEdge has implemented a formal Vendor Management Program that assigns a risk rating to each vendor and requires an initial assessment and ongoing reassessments commensurate with that rating. These assessments cover the financial condition, operations, internal controls, and security and compliance programs of each vendor, and their results are reported to the Risk Committee on a regular basis.
Respect for the privacy of personal and other sensitive or confidential information is fundamental to our business. When transacting with our bank customers and providing our products and services, we deliberately limit the collection of personally identifiable information (PII) about the bank's underlying customers by requesting only anonymized transactional and financial information.
As part of our SOC 2 compliance program, we have deployed tools and services within our AWS environment that monitor the health of our IT infrastructure, detect threats and vulnerabilities, and prevent unauthorized use or access. Amazon CloudWatch is configured to monitor the AWS infrastructure and provide real-time alerts to DevOps personnel regarding resource availability and utilization. Amazon GuardDuty provides continuous security monitoring, applying threat intelligence feeds and machine learning to account activity, network, and DNS logs to identify unexpected and potentially unauthorized activity within the AWS environment. Amazon Inspector is a vulnerability assessment service that continuously checks Amazon EC2 instances for unintended network exposure and scans the software running on those instances for known vulnerabilities. Additional tools are configured to monitor the AWS environment and route alerts to the appropriate DevOps or Risk personnel for triage and resolution.