Security

Cashforce maintains security policies that provide guidance for information security within the organization and the supporting IT environment. These policies are shared with and made available to all employees and contractors with access to Cashforce information assets.

Security policies are reviewed at least on an annual basis.

Cashforce undertakes a security information risk assessment at least on an annual basis.

Cashforce maintains and provides information security awareness training to all employees and contractors on an annual basis that includes employee and contractor roles and responsibilities for information security, the need to comply with information security policies and where these documents can be found and the need to report security incidents and events

Cashforce conducts background checks of new employees and contractors who have access to resources that store or process customer data, in accordance with local laws.

All new employees and contractors with access to customer data are subject to non-disclosure and confidentiality commitments as part of their agreements with Cashforce.

Mobile devices are encrypted at rest using the AES encryption algorithm with a key of at least 128 bits (e.g., using BitLocker).

Cashforce installs and keeps up-to-date anti-malware software on employee workstations to protect against malware. The anti-malware software is configured to auto quarantine threats and auto update the agent on employee workstations.

Mobile devices storing or accessing customer data must be enrolled in Intune, Microsoft’s mobile device management solution. Intune allows Cashforce to push compliance and configuration security policies to mobile devices.

Firewalls are configured to permit only the minimum required network traffic for the platform and to allow access to the product infrastructure only from authorized IPs and ports.

Cashforce implemented a web application firewall to protect against attacks aimed at the Cashforce platform. The rules used to detect and block malicious traffic are aligned to the best practice guidelines documented by the Open Web Application Security Project (OWASP) in the OWASP Top 10 and similar recommendations. Protection from Distributed Denial of Service (DDoS) attacks is also incorporated in the solution, to ensure the availability of the product.

Cashforce uses a combination of shared databases and dedicated databases. Shared databases are used for e.g., users, workflows. For master data and transactional data, a unique database is used per tenant. A unique tenant identifier is assigned to all customer data in shared databases and the application framework ensures that any access to such data is limited to the specific tenant of the authenticated user.

Cashforce uses intrusion detection software on its product infrastructure. The IDS continuously monitors for malicious or unauthorized behavior. It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. The IDS also detects potentially compromised instances or reconnaissance by attackers.

Cashforce encrypts data at rest using the AES encryption algorithm with a key length of at least 128 bits.

Cashforce uses only secure communication protocols with end-to-end encryption for all connections using public networks: HTTPS protocol with TLS v1.2 or above, SFTP, SSH-2.

Cashforce has separate development, test, and production environments. Customer data is not used in our development or test environments.

Cashforce applies a systematic approach to managing change to prevent unintended service disruptions and maintain the integrity of service to customers. Cashforce ensures changes to customer-impacting aspects of the Cashforce platform are peer reviewed and tested prior to migration to production.

Changes to the Cashforce platform are automatically tested as part of the software delivery pipeline to identify potential defects. The software pipeline executes automated unit, integration, and functional tests.

Cashforce uses hardened and up-to-date Amazon Machine Images for its platform hosts. Amazon Machine Images are managed by Amazon and secure by default: remote access is limited, the number of non-critical packages is reduced, limiting exposure to potential security vulnerabilities, and security updates are automatically applied on the initial boot. Cashforce regularly applies security updates provided by Amazon to patch critical and important security vulnerabilities.

Cashforce performs regular vulnerability assessments. Cashforce uses a combination of different industry-recognized vulnerability scanners to regularly scan the product infrastructure, container images, source code and dependencies (static code analysis).

Cashforce organizes at least on a yearly basis penetration testing by an independent third party to scan and test running infrastructure and applications.

Load is balanced over multiple container instances hosted on multiple hosts. Instances and hosts scale automatically based on demand and failover automatically in case of failure.

Cashforce is redundant and highly available across 3 AWS datacenters. Production databases have multi-AZ enabled, replicating and synchronizing data automatically to stand-by databases in another datacenter and allowing production databases to automatically failover to stand-by databases in another datacenter without administrative intervention.

Production database backups are automatically taken daily and are redundantly stored in multiple Amazon Web Services availability zones to prevent data loss due to failure of any single hardware componen

Cashforce maintains a disaster recovery plan to recover from backup and restore services in case of a disaster. The plan is tested at least on an annual basis.

Cashforce uses Amazon Web Services to host its cloud infrastructure. Amazon Web Services is an industry-leading service provider and provides a global secure infrastructure. It establishes high standards for information security within the cloud and has a comprehensive and holistic set of controls for physical security. Amazon Web Services maintains audited security and compliance programs including SOC 1, SOC 2, ISO27001, PCI DSS and CSA compliance. Learn more about Compliance at AWS.

AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and hardware. Learn more about Data Center Controls at AWS.

AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn more about AWS physical security.

Cashforce uses the Amazon Web Services data centers in the Ireland region (eu-west-1) to host its cloud infrastructure.