Security matters to Silverfin! Protecting the integrity, availability and confidentiality of our customers' data is our main concern. As Silverfin aims to be fully transparent towards its customers and users of Silverfin, it has drafted this security policy. This policy provides an overview of (i) the general security measures taken to protect its customer’s data, as well as the (ii) additional technical and organizational measures applicable to our Silverfin platform (and the (personal) data stored therein) in light of our obligations under applicable privacy legislation (“Security Policy”).
GENERAL SECURITY MEASURES
1. Silverfin is ISO 27001 Certified
The ISO/IEC 27000 family of standards helps organisations keep information assets secure.
Using this standard helps our organisation manage the security of assets such as financial information, intellectual property, employee details and information entrusted to us by third parties. Our specific ISO 27001 (Information technology, Security techniques and Information security management systems) certification specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation.
View our ISO/IEC 27001 certificate here.
2. Data
All of our data is backed up every minute, with a standby failover. We make sure the data is immediately written to multiple servers. Furthermore, there are daily backups made, which are stored in multiple locations. Your uploaded data is stored on servers that use advanced technology to avoid errors. Silverfin operates on a dedicated network that is carefully protected by firewalls and monitored at all times.
3. HTTPS
We send all data encrypted over HTTPS. Data that is being sent between you and us is always sent using HTTPS, and everything is fully encrypted. This level of data security is also used by banks.
4. Updates
We closely monitor security updates, so you don't have to. And as soon as fixes are available, we install the updates. This way, the latest security patches are always used in our software infrastructure.
5. Status pages
You can always check the current status of Silverfin here: status.getsilverfin.com. That way, you can easily see if all systems are working correctly, if any planned maintenance work is taking place, or if anything out of the ordinary is happening.
TECHNICAL AND ORGANIZATIONAL MEASURES
The provision of the Silverfin platform and the related services leads to the collection and processing of personal data by Silverfin, in its capacity as a data processor, on behalf of its customers. For more information, please consult our Data Processing Addendum.
Silverfin implements appropriate technical and organisational measures, as set forth below, to ensure, to the best of its abilities, the protection of (i) the personal data – including protection against careless, improper, unauthorised or unlawful use and/or processing and against accidental loss, destruction or damage; and (ii) the confidentiality and integrity of the personal data. When implementing said measures, Silverfin has taken into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
1. MANAGEMENT DIRECTION FOR INFORMATION SECURITY
(i) Silverfin has implemented an appropriate information security policy.
(ii) Silverfin has suitably qualified information security specialists, supported by the Silverfin business leadership.
(iii) Silverfin management requires employees and third-party contractors with access to customer information to commit to written, confidentiality, and privacy responsibilities with respect to that information. These responsibilities survive termination or change of employment or engagement.
2. HUMAN RESOURCE SECURITY
(i) Silverfin provides information security awareness information to employees and relevant third-party contractors.
3. ACCESS CONTROL
3.1 User Access Management
(i) Silverfin implements access control policies to support creation, amendment and deletion of user accounts for systems or applications holding or allowing access to customer information.
(ii) Silverfin implements a user account and access provisioning process to assign and revoke access rights to systems and applications.
(iii) The use of “generic” or “shared” accounts is prohibited without system controls enabled to track specific user access and prevent shared passwords.
(iv) Silverfin monitors and restricts access to utilities capable of overriding system or application security controls.
(v) User access to systems and applications storing or allowing access to customer information is controlled by a secure logon procedure.
3.2 Physical Access Management
(i) Physical access to facilities where customer information is stored or processed is protected in accordance with good industry practices[f]
4. COMMUNICATIONS SECURITY
4.1 Network Security
(i) Silverfin logically segregates customer data within a shared service environment.
(ii) Silverfin secures network segments from external entry points where customer data is accessible.
(iii) External network perimeters are hardened and configured to prevent unauthorized traffic.
(iv) Inbound and outbound points are protected by firewalls and intrusion detection systems (IDS). c. Ports and protocols are limited to those with specific business purposes.
(v) Silverfin synchronizes system clocks on network servers to a universal time source (e.g. UTC) or network time protocol (NTP).
4.2 Cryptographic Controls
(i) Customer data, including personal data, is encrypted at rest.
4.3 Cloud Controls
(i) Silverfin encrypts data during transmission between each application tier and between interfacing applications.
5. OPERATIONS SECURITY
5.1 Service Management
(i) Silverfin has implemented formal operating procedures for system processes impacting customer data. This notification may occur through generic change logs. Procedures must track author, revision date and version number, and must be approved by management.
(ii) Silverfin monitors service availability.
5.2 Vulnerability Management
(i) Silverfin performs annual penetration testing for systems and applications that store or allow access to customer data, including personal data. Identified issues must be remediated within a reasonable timeframe.
(ii) Silverfin has implemented a patch and vulnerability management process to identify, report and remediate vulnerabilities by:
-
performing a security assessment of the application and underlying infrastructure on a regular basis;
-
implementing vendor patches or fixes; and,
-
developing a remediation plan for critical vulnerabilities.
(iii) Silverfin has implemented controls to detect and prevent malware, malicious code and unauthorised execution of code. Controls must be updated regularly with the latest technology available (e.g. deploying the latest signatures and definitions).
5.3 Logging and Monitoring
(i) Silverfin generates administrator and event logs for systems and applications that store or allow access to customer data.
(ii) Silverfin reviews system logs periodically to identify system failures, faults, or potential security incidents affecting customer information.
6. THIRD-PARTY SUPPLIER MANAGEMENT
(i) Silverfin has contractual agreements with third parties handling customer information which must include appropriate information security, confidentiality, and data protection requirements, as detailed in the agreement concluded. Agreements with such parties are reviewed periodically to validate that information security and data protection requirements remain appropriate.
(ii) Silverfin reviews its third parties’ information security controls periodically and validates that these controls remain appropriate according to the risks represented by the third party’s handling of customer information, taking into account any state-of-the-art technology and the costs of implementation.[i]
(iii) Silverfin restricts third party access to customer data, including personal data.
(iv) If requested by the customer, Silverfin provides the customer a list of third parties with required access to customer data, including personal data.
(v) Silverfin permits access to customer data, including personal data, only as necessary to perform the services that the third party has contractually agreed to deliver.
7. RESILIENCE
(i) Silverfin performs business continuity risk assessment activities to determine relevant risks, threats, impacts, likelihood, and required controls and procedures.
(ii) Based on risk assessment results, Silverfin documents, implements, annually tests and reviews its Business Continuity and Disaster Recovery (BC/DR) plans to validate the ability to restore availability and access to customer data in a timely manner, in the event of a physical or technical incident that results in loss or corruption of customer data.
8. AUDIT AND COMPLIANCE
(i) Silverfin periodically reviews whether its systems and equipment storing or enabling access to customer data, including personal data, comply with legal and regulatory requirements and contractual obligations owed to customer.
(ii) Silverfin maintains current independent verification of the effectiveness of its technical and organisational security measures (e.g. ISO certification). The independent information security review are performed at least annually.
Questions?
Any questions or concerns with regard to the provisions of this Security Policy must be directed at security@silverfin.com
To consult our Vulnerability Disclosure Policy please click here