Our security practices aren’t limited to our development and best practices. It’s important to us that we provide the security features you need too.
Last updated on Feb 27, 2023
Our security team is dedicated to keeping your information secure while ensuring that we provide the best service possible. We do it with an unwavering philosophy of making security a requirement in everything we do. C2FO is always working to improve our security posture through better process and automation. In short, we make security convenient.
Every year, we hire certified, independent third-party professionals to perform detailed audits of all our security practices.
Our SOC 2 Type 2 report provides reasonable assurance that C2FO’s practices meet the AICPA Trust Services Criteria for security, availability, processing integrity and confidentiality. You can email the team at [email protected] to request a copy of the most recent SOC 3 report for a summary of the results.
C2FO is certified compliant with the International Organization for Standardization’s 27001:2013 Information Security Management Standard. This widely recognized standard measures every aspect of C2FO’s organizational and technical controls against global security standards.
In addition to our own internal vulnerability assessments, we contract certified professionals to find and exploit vulnerabilities in our product at least once every year. Everything found is classified based on risk, duly prioritized and remediated accordingly.
We practice security in depth, which means making security a requirement for everything we do.
We build our information security requirements on four key pillars:
We select the policy points that are strictest but reasonable based on these standards. Those policy points then become the standard for all security. Establishing a minimum standard for security also makes us consider our entire company, who we are, what actually matters, and what it means to be “secure”. It is important to note that these pillars are not prioritized in any order. It’s often the case that the requirements coming from one pillar are based on requirements coming from one or more of the others. What does matter to us is knowing why we made the decisions we did.
Need to Know and Least Privilege are universal concepts for any security program, not just C2FO. The goal is to limit access in a responsible and unintrusive way. Over the course of any 90-day period, access logs will start to reveal a pattern showing us exactly what behavior we can expect to see from anyone or anything that is functioning properly. That behavior is exactly what is needed and nothing more. We will work to prune away any access that isn’t reflected in the story told by those logs. Simply put, if you don’t need to access certain data in the course of your work, then it’s best to keep that data and those privileges safely tucked away. This goes for people, applications, third-party services, and anything else interacting with C2FO information and systems.
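As an added example (not C2FO’s own tooling) of the log-driven pruning described above, this script compares a constructed grant table against the access actually observed in a 90-day log window and lists the grants that nothing used; the log format, grant table and review date are all assumptions made for the example:

```python
# Added example (not C2FO's code): least-privilege pruning from access logs.
# Compares the grants exercised in the last 90 days against the grants on
# file and reports the unused ones as prune candidates. The log format,
# grant table and review date are constructed for this example.
from datetime import datetime, timedelta

# Constructed sample log: "timestamp principal action resource" per line
SAMPLE_LOG = """\
2023-01-05T09:12:00Z alice   read  invoices-db
2023-01-20T14:03:00Z alice   write invoices-db
2023-02-10T08:30:00Z svc-etl read  invoices-db
2022-09-01T10:00:00Z bob     write payments-db
2023-02-25T16:45:00Z bob     read  reports-bucket
"""

# Constructed sample of grants currently on file: (principal, action, resource)
GRANTS = {
    ("alice", "read", "invoices-db"),
    ("alice", "write", "invoices-db"),
    ("alice", "admin", "invoices-db"),      # never exercised in the log
    ("svc-etl", "read", "invoices-db"),
    ("svc-etl", "write", "reports-bucket"),  # never exercised in the log
    ("bob", "write", "payments-db"),         # last used outside the window
    ("bob", "read", "reports-bucket"),
}

# Assumed review date (constructed); the 90-day window counts back from here
NOW = datetime(2023, 2, 27)

def observed_access(log_text, now, window_days=90):
    """Set of (principal, action, resource) exercised within the window."""
    cutoff = now - timedelta(days=window_days)
    used = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, resource = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if when >= cutoff:
            used.add((principal, action, resource))
    return used

def prune_candidates(grants, log_text, now, window_days=90):
    """Grants on file that the window's logs never show being used."""
    return sorted(grants - observed_access(log_text, now, window_days))

if __name__ == "__main__":
    for principal, action, resource in prune_candidates(GRANTS, SAMPLE_LOG, NOW):
        print(f"prune candidate: {principal} {action} on {resource}")
```

Each listed candidate is a grant to review with its owner before revoking, since a quarterly or break-glass permission may legitimately go unused for longer than the window.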
All security policies are based on risk. First, we classify all information. Then we consider the likelihood that the information could be compromised. Finally, we consider the impact on the business if a compromise did occur. With those three aspects ranked, we can create a risk score. The score gives us an idea of how important it is that we protect the asset or information. If a vulnerability has been discovered, the risk score tells us how quickly we must act to remediate it. All assets interact with information, so all assets are subject to regular risk assessments. Most importantly, the risk score determines which security controls we must enforce to minimize the likelihood of a compromise. The mission of any information security team is to eliminate risk altogether.
Everyone has their role to play when it comes to security. This starts with their role within the company and continues to the team, the project and the assets with which they’re associated. We align these roles with access in a way that is consistent with our philosophy. Using role-based access controls (RBAC) enables us to understand how the company works and the relationships connecting all operations and solutions. Projects will change as the company evolves. Employees are promoted or move departments. By using roles, these changes can happen smoothly and with little or no impact on the business.
We make security a requirement throughout the development lifecycle. Our team of security engineers is involved with the engineering architecture, feature design, code review and continuous monitoring after release. All code is manually reviewed to ensure security, stability and completeness. There are automated scans throughout the development process that check code for common vulnerabilities found in the NVD listing. Our full stack is continually tested in completely separated development, staging and acceptance environments before it’s deployed to production.
All data is encrypted at rest and in transit using industry standards, including AES-256, PGP, SFTP, and TLS 1.2 and higher. Encryption keys are generated, stored and accessed using password managers for both personnel and service account access.
Our service is deployed to both AWS and GCP across multiple geographical regions giving you the option of where to house your data. Both cloud providers feature top-of-the-line security controls which we configure and closely monitor using cloud security posture management (CSPM) tools. Services are hosted in Docker containers which are orchestrated in Kubernetes clusters to ensure that environments are consistent across test and production. Docker also allows us to create minimal images so that we’re only deploying exactly what we need to with no stray tools that may come with standard OS distributions. Another key security practice is the use of infrastructure as code with Helm and Terraform.
We perform regular database backups and restoration tests to minimize data loss.
All services are integrated into central log monitoring, analysis and alerting tools so you know that someone is always ready to respond if there’s an incident.
Our product integrates seamlessly with your ERP using SFTP plugins. Once configured, your ERP will send PGP-encrypted CSV files needed to support your own cashflow marketplace. You will be assigned a highly trained C2FO implementation engineer to make sure that your ERP connection is valid and running in one of our testing environments before you go live with your vendors.
The security climate is always changing and so are the threats. It’s important to us that we keep up. That’s why we treat every security audit, every vulnerability assessment, and every security incident that makes news as opportunities to grow. It’s not just the world of cybersecurity that’s always changing, though. As our products and technology develop, so do our procedures and controls. The only constant is our dedication to our mission.