Data Security and Compliance
Data Security is Express1099’s Top Priority!
Our team acknowledges the significance of protecting our clients' data. To guarantee the safety of all client data, we have put in place standard security protocols and upheld multiple layers of security precautions.
Here is a summary of the security criteria and procedures established by Express1099 to safeguard our clients' data.
Compliance
SOC 2 Compliance
SOC 2 certification represents a security standard developed by the American Institute of CPAs (AICPA) for service organizations. It mandates that companies institute and uphold a series of controls and protocols aimed at guaranteeing the confidentiality, integrity, and availability of client data.
These controls encompass policies and procedures concerning security, availability, processing integrity, confidentiality, and privacy. SOC 2 audits are conducted to assess whether a company's systems and processes align with these standards.
As SOC 2-certified software, Express1099 undergoes routine audits to confirm that its systems and procedures adhere to the SOC 2 criteria. This demonstrates that Express1099 has put in place and consistently maintains a comprehensive set of controls and protocols to safeguard client data and privacy in all aspects of its operations.
CCPA Compliance
The California Consumer Privacy Act (CCPA) is a privacy legislation that grants specific rights to California residents regarding their personal information (PI).
PI encompasses any data that can be used to identify, describe, relate to, or associate with a particular individual or household.
As a service provider responsible for managing the PI of California residents, Express1099 adheres to all CCPA regulations. This implies that Express1099 ensures that California residents have the right to be informed about the collection of their PI, the right to access their PI, the right to request the deletion of their PI, and the right to opt out of the sale of their PI.
PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) comprises a collection of policies and protocols put in place to guarantee secure transactions involving credit, debit, and cash cards, as well as to prevent the improper use of cardholders' personal information.
Express1099 ensures that all the payment processing tools it employs meet the PCI compliance requirements for the encryption and secure transmission of credit card data.
Data Protection
Firewall
We have integrated a Web Application Firewall (WAF) that filters incoming traffic, carefully examining requests for any malicious patterns, thus guaranteeing that only authorized and legitimate access is permitted.
Antivirus
Our system is safeguarded by antivirus software that continually observes the behavior of devices, files, and applications. It detects irregularities and acts to prevent potential threats.
PII Data Security
We adhere to all the standard regulations for securing PII (Personally Identifiable Information) data to guarantee the security of our clients' and their vendors' personal information, including Social Security Numbers, email addresses, phone numbers, and more.
Encryption - Data-at-Rest, Data-in-Motion & Data-in-Use
We apply encryption to all client data, whether it is stored in our database (Data-at-Rest) or transmitted between networks or devices (Data-in-Transit).
Additionally, we implement SSL (Secure Sockets Layer) and TLS (Transport Layer Security) cryptographic protocols to encrypt data that is currently being accessed or read (Data-in-Use) to ensure its security at all stages.
Database Management
Access to production databases is limited solely to individuals with a specific and legitimate need to access production data. We also employ data fragmentation techniques and regularly conduct data backups as a precautionary measure to guard against unexpected security incidents.
Defense-in-Depth Security
We adhere to a Defense-in-Depth security architecture, which employs a layered security approach encompassing various levels of security mechanisms and controls.
Oracle Cloud Infrastructure Security
Our database is managed using Oracle Cloud Infrastructure Security, and our servers are protected by Compute Security measures.
Each instance in the cloud is associated with a dedicated whitelist that restricts communication to only specific sources, ensuring a controlled and secure access environment.
Data Loss Prevention
We implement standard Data Loss Prevention (DLP) practices to prevent the loss of sensitive data and the unauthorized removal of data from our system.
Network Security
Secure Remote Access - VPN
We have limited access to our servers, data, and tools exclusively to authorized Express1099 corporate personnel who connect through our secure VPN network. Furthermore, we only permit access from approved IP addresses in specific geographical locations, adding an extra layer of security.
Wireless Security
To safeguard the confidentiality of our data, we have implemented restrictions on accessing our system through unauthorized wireless networks.
Internet URL Filtering
To shield our system from security threats, we have implemented measures to block access to websites that may contain potentially harmful content, such as phishing pages, across our network.
Preventive Measures
Secure Software Development - DevSecOps
We embrace the DevOps methodology for testing and deploying to guarantee secure software development. This entails incorporating established security measures throughout the development cycle.
Threat Modeling
We proactively create strategies to identify and mitigate potential security threats and vulnerabilities right from the development of our application.
API Security
Recognizing the potential for APIs to expose sensitive data, we maintain a dedicated security checklist for our API endpoints. This enables us to detect and address any potential security vulnerabilities effectively.
Incident Management
We have established streamlined protocols to address unforeseen security incidents promptly and effectively.
Change Management
We strictly adhere to a standardized process that involves meticulous planning, testing, and validation to ensure that every change is implemented without posing any risks to the data.
Security Standards
Security Policies
Our comprehensive security policies encompass a wide array of measures and guidelines, including access controls, encryption protocols, regular audits, and vulnerability assessments. We rigorously follow these policies to guarantee complete data protection.
Security Awareness Training
The Express1099 team possesses a well-defined understanding of data security and remains updated on emerging technologies and security mechanisms designed to counter security threats.
Escalation Matrix
In the case of security incidents, we have established a clear and organized escalation matrix, delineating the responsible personnel and the corresponding notification procedures for each escalation level. These procedures are diligently adhered to.
Security Evaluation
Penetration Testing
Our penetration testing practices adhere to OWASP standards, a comprehensive guide for identifying and mitigating security vulnerabilities in web applications. We conduct frequent tests on our systems to uncover potential vulnerabilities.
Monitoring and Response
We maintain regular monitoring and scanning of our network and applications to identify potential security threats. When such threats are detected, we conduct event log analysis and take proactive measures to mitigate the threat.
Windows/Server Hardening
We implement a series of server hardening processes to eliminate potential points of vulnerability for security attacks on our servers. This helps enhance the security of our infrastructure.