Security Policy

At Finance Active, we take information security very seriously. We take every opportunity to be involved when the challenge is protecting the data that our customers entrust to us. This page therefore sets out our approach to security.



Summary:


  • How is our information security approach framed?

  • How is the confidentiality of user data ensured?

  • How is the security level of our information system controlled?

  • How are employees made aware of our security policy?

  • What are our commitments regarding the availability of our applications?

  • What is put in place to secure access to our applications?

  • What technologies do we use for data encryption?

  • How do we protect ourselves from malware and vulnerabilities?

  • What is put in place to protect our computer network?

  • How is the physical security of our infrastructure guaranteed?



How is our information security approach framed?


We have defined an Information Systems Security Policy and an Information Security Management System aligned with the ISO/IEC 27001 standard. In addition, we have implemented a classification of information based on its confidentiality level. With the aim of defining a response that is adapted and proportionate to the risks related to the information handled, all the documents we produce are classified according to this scale. A set of security measures is applied to each confidentiality level, throughout the life cycle of the medium carrying the information. We also ensure that the security of our information system is considered in all phases of our projects, from the design and specification phases of the system to its removal from service.



How is the confidentiality of user data ensured?


We impose strict controls on our employees' access to the data that you entrust to us. We make sure that this data is not accessed by anyone who does not have a legitimate need to access it. The operation of our services, however, requires that certain employees have access to the systems that store and process customer data. For example, to be able to analyze a problem you are encountering, our support team may have to access your data. All of our employees are required to comply with our security rules, and our company treats these issues with the utmost attention: the use of generic (shared) accounts is prohibited, and a review of employees' access rights is carried out regularly to ensure that the change processes have worked properly whenever a member of staff changes role or leaves.



How is the security level of our information system controlled?


To guarantee the best security level, we regularly engage qualified service providers to carry out audit missions on our information system. These missions include, among others, checking compliance with the ISO/IEC 27001 standard on our certified perimeter and performing black box and grey box penetration tests on our SaaS systems.



The ISO/IEC 27001 certified perimeter of Finance Active


The ISO/IEC 27001 standard defines the requirements for setting up an Information Security Management System (ISMS). The ISMS identifies the security measures that ensure the protection of Finance Active assets. The goal is to protect business functions and information from any theft, loss or alteration, and computer systems from any intrusion or disaster.

Finance Active has been certified according to the ISO/IEC 27001 standard on the following scope:



Software publishing, integration, support and provision in SaaS mode of the Fairways solutions for debt management, guarantees and foreign exchange risk.


Finance Active is committed to protecting your privacy. For the protection of personal data, Finance Active appointed a Data Protection Officer (DPO) who ensures the security of personal data is respected and that processes comply with European laws (including GDPR). The data we collect is mainly used by Finance Active services and in no case is transferred to a third party, except for the strict requirements of the contract execution. All suppliers selected by Finance Active comply with the regulations on the protection of personal data.


Subprocessor             Purpose                        Location
------------             -------                        --------
Equinix                  Hosting                        France
Auth0                    User authentication            EU
Zendesk                  Support request management     EU
Salesforce               CRM                            EU
Microsoft (Office 365)   Collaborative corporate IT     EU
Amazon Web Services      Backup retention               EU



How are employees made aware of our security policy?


Throughout their activities on behalf of the organization, all of our staff take part in awareness and training actions adapted to their profile and duties. This enables us to guarantee that good security practices are spread across the different teams.



What are our commitments regarding the availability of our applications?


Our strategy to ensure the availability of our applications and our customers’ data is based on a set of complementary elements:

  • Distribution of the production and backup servers across two data centers that meet recognized good practice for data center operation

  • Duplication of data across these two data centers

  • Use of storage that is tolerant to hardware failures

  • Regular backup of the information system:

    • Daily backup kept for 2 weeks

    • Weekly backup kept for 2 months

    • Monthly backup kept for 2 years

    • Annual backup kept for 10 years

Except in cases of force majeure, our:

  • Recovery Point Objective, i.e. the maximum targeted period in which data might be lost, is 24 hours

  • Recovery Time Objective, i.e. the targeted duration of time in which our application must be restored, is 4 business hours



What is put in place to secure access to our applications?


All access to applications and services offered by Finance Active is subject to user authentication. We delegate the management of the user authentication to specialized suppliers implementing the following standards:

  • Delegation of authorization: OAuth 2.0 (RFC 6749 and RFC 6750)

  • Secure exchange of authorization tokens: JSON Web Tokens (RFC 7519)

At the application level, a verification of the user authentication and rights to access data is carried out at each request. Users can only access their space and data from the space to which their account is linked.



What technologies do we use for data encryption?


The exchanges between the user workstations and our applications are fully encrypted from your browser to our servers using HyperText Transfer Protocol Secure (RFC 2818).

The cipher suites used are implementations recognized as market standards, and our Internet-facing services authenticate themselves with certificates signed by a recognized public certification authority.



How do we protect ourselves from malware and vulnerabilities?


The operating systems and software we use are actively maintained by their vendor, by an active community (for open source software), or by a service provider. To reduce the attack surface, only the necessary services and applications are installed on our servers. In addition, major updates and security updates are systematically deployed.

We also monitor for newly disclosed vulnerabilities by following the advisory feeds of several CERTs, such as CERT-FR or CERT-US, and we ensure that all machines within our information system are protected by a properly maintained malware prevention system (antivirus, etc.).



What is put in place to protect our computer network?


Our computer network is segmented into zones of homogeneous security level. The incoming and outgoing flows of each zone are filtered. Any interconnection between our network and an external network (third-party network, Internet, etc.) is encrypted and goes through dedicated infrastructure that includes the appropriate security elements (firewalls, etc.).



How is the physical security of our infrastructure guaranteed?



Data center


Our servers are hosted in state-of-the-art European data centers for physical security and access control. We make sure that:

  • The companies selected for hosting our servers are ISO/IEC 27001 certified.

  • A cold aisle/warm aisle layout is respected.

  • An autonomous fire detection and extinguishing system is in place.

  • The power supply is redundant.

  • Physical access is monitored and filtered.

  • Multifactor access control is used.



Physical access control at the premises of Finance Active


Physical access to our premises is granted through a process that verifies the person's identity. Access badges are personal and non-transferable. Persons other than explicitly authorized staff who need to intervene in sensitive areas (building maintenance or repair, non-IT equipment, visitors, etc.) always and without exception do so under supervision.

Access to the premises is subject to video surveillance, and premises are guarded outside working hours.