Security and Trust
Security is a top priority at Smartria and we understand how important your data is to you and your clients. We realize that we have been entrusted with a significant amount of sensitive information and do not take this responsibility lightly. Our team works diligently to continuously improve security processes and controls and to make sure the data we hold is secure.
Smartria handles data with the utmost care and integrity, designs its systems around industry-standard information security best practices, and continuously tests them to find and fix vulnerabilities. Whether it’s encrypting data end to end, creating company policies, utilizing tools, or providing you with user access control features, we want customers to have confidence in the systems and services handling sensitive workloads as data is transported, processed, and stored.
We use Drata’s automation platform to continuously monitor and maintain our security controls and provide real-time visibility at employee, corporate, and hosting infrastructure levels. For in-depth details or to perform your vendor due diligence, please view our real-time security report here.
SOC 2 Audits:
We work with an independent, AICPA-accredited auditing firm each year to obtain a SOC 2 Type 2 attestation report, which covers both the design of our controls and their operating effectiveness over the audit period. Our SOC 2 audit report is available to customers on request.
Infrastructure:
Our services are hosted on Amazon Web Services (AWS), which continuously maintains certification for a variety of global security and compliance frameworks. For more information about their certifications and compliance practices, please visit the AWS Security and AWS Compliance sites.
Data Security:
Data security is multi-faceted, and you may have heard the terms “data in motion” and “data at rest”. Data in motion (or in transit) is data travelling between your browser and a company’s application servers. If that link isn’t encrypted, anyone on the network path can read or alter the information, including passwords and other sensitive data. All Smartria sessions are served over TLS (HTTPS): the server certificate authenticates our servers to your browser, and the session itself is encrypted with AES-256-CBC. Once data reaches our servers and becomes “at rest”, it is stored encrypted, and the keys needed to decrypt it are held separately from the data, so that someone who gained access to our storage alone would not be able to read plaintext passwords, addresses, phone numbers, account descriptions, etc. All data is backed up, and the backups are encrypted as well.
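The “at rest” description above, data encrypted under a hierarchy of keys held apart from the data, is the envelope encryption pattern. The following is an added example, not Smartria’s code (the page does not describe its key management, and the key names and record layout below are assumptions): envelope encryption in Go using only the standard library, with a per-record data encryption key (DEK) wrapped under a master key encryption key (KEK), AES-256-GCM on both layers, and the record identifier bound in as associated data so an envelope cannot be transplanted onto another record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what gets stored beside a record: the record's own DEK wrapped
// under the KEK, plus the record encrypted under the DEK. The KEK itself never
// touches the database (assumed to live in a KMS/HSM in a real deployment).
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// newKey returns a random AES-256 key.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM, binding aad to the ciphertext,
// and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; it fails if the key, the aad or any byte is wrong.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// EncryptRecord makes a fresh DEK for this record, encrypts the record under
// it and wraps the DEK under the KEK; recordID is associated data on both layers.
func EncryptRecord(kek, record, recordID []byte) (Envelope, error) {
	dek, err := newKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, record, recordID)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, recordID)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the record.
func DecryptRecord(kek []byte, env Envelope, recordID []byte) ([]byte, error) {
	dek, err := unseal(kek, env.WrappedDEK, recordID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, env.Ciphertext, recordID)
}

func main() {
	kek, _ := newKey() // in production: fetched from a KMS/HSM, never stored with the data
	id := []byte("client-42")
	env, err := EncryptRecord(kek, []byte(`{"phone":"555-0100"}`), id) // constructed sample record
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(kek, env, id)
	fmt.Printf("with KEK: %s (err=%v)\n", pt, err)
	stolen, _ := newKey()
	_, err = DecryptRecord(stolen, env, id)
	fmt.Println("wrong KEK:", err)
	_, err = DecryptRecord(kek, env, []byte("client-43"))
	fmt.Println("envelope moved to another record:", err)
}
```

Run as is: the first decrypt succeeds and the two that follow fail with an authentication error. The point to take from it is that a dump of the storage layer yields only wrapped keys and ciphertext; the KEK that unwraps them should live in a separate system (a KMS or HSM) with its own access controls and audit log, which is what “a series of keys” buys you over a single key stored next to the data.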
If at any time data is compromised, we pledge to immediately notify our customers of that event and to keep all involved parties informed as to the status and remediation of that situation. To date, no such event has occurred at Smartria, and we work hard every day to ensure that remains the case.
Smartria supports two-factor authentication (2FA) and configurable password policies, and we recommend that every customer enable them. Account security is a shared responsibility, and these controls help you do your part in protecting your data and your clients’ data.
Corporate Security:
To start: no matter how good our technical security is, if we are lax in our personnel processes, we aren’t secure. We implement a variety of controls toward this, including:
- All company laptops are actively managed. We require screensaver locks, full disk encryption, anti-malware protection, password manager use, vulnerability scanning, and automatic updates to be enabled.
- We implement a human review process augmented by automated checks to ensure consistent quality in our software development practices.
- Access to services, source code, and third-party tools is secured with two-factor authentication wherever possible.
- Employees are given the lowest level of access that allows them to get their work done and data access is logged.
- Our employee contracts include a confidentiality agreement.
- All personnel undergo background checks and receive regular security awareness training.
Sub-processors:
We engage third party vendors and service providers to perform certain functions on our behalf (such as payment processing). These third parties may have access to your Personal Data for the purpose of helping us market, provide and/or improve the services.
We engage with some vendors to receive custodial data through integrations. In this case, the data comes from the custodians to the vendors and then to us. These vendors are:
- Advent Custodial Data
- BridgeFT
- Plaid
For platform hosting, file and data storage, and processing we use Amazon Web Services and MongoDB Atlas. We use a Managed Service Provider, OpSourced, to help manage platform hosting, including scalability, monitoring, and security updates.
We utilize HubSpot for customer service, billing, marketing, and as a CRM. Stripe is used for payment processing.
Summary
This page is a high-level overview of some selected security controls. If you skipped over it, or want more details, please view our real-time security report here that is provided by Drata. A zip file of our security policies is available by contacting our support team.