Data Security and Protection


Konfirmi takes privacy and data protection issues seriously.  

We protect your data by complying with:

•  U.S. Commerce Department’s National Institute of Standards and Technology (NIST) cybersecurity frameworks

•  European Union’s General Data Protection Regulation (GDPR)

•  Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

•  GLBA, HIPAA, SOX, and various state laws and regulations

Privacy and Confidentiality

Konfirmi (“Konfirmi”, “we”, or “us”) provides advanced customer authentication and onboarding solutions for online businesses of all sizes (“Subscribers”).

As such, Subscribers use Konfirmi to verify the information provided by their customers or potential customers.  When a Subscriber’s customer or potential customer uses Konfirmi, we keep the information, documents, and other data provided to Konfirmi by the Subscriber’s customer or potential customer private and secure.  For more information, please see our Privacy Policy.

Konfirmi also keeps the information, documents, and other data that any Subscriber provides to Konfirmi (“Subscriber Information”) strictly private. Konfirmi does not and shall not review or examine any Subscriber Information without express permission from the Subscriber.

Konfirmi does not and shall not transfer, sell, share, or otherwise reveal any Subscriber Information to any person or entity, for any purpose whatsoever, except as necessary to perform the Services for the Subscriber, and except to comply with any applicable law(s), court order(s), or subpoena(s).

Any Subscriber can do the following at any time by contacting us at the mailing address, email address, or phone number provided below:

•  Opt out of future contacts from us

•  See what data we have about the Subscriber, if any

•  Change or correct any data we have about the Subscriber

•  Have us delete any data we have about the Subscriber

•  Express any concern about our use of the Subscriber’s data

Data Security Overview

Our app is secure by design — from the ground up.  And we keep things that way, throughout the development, implementation, updating, and maintenance cycles.

As with any well-built online system, all of your data in all of our applications is encrypted both “in transit” and “at rest.”

In other words, all transmissions to and from our apps, and all items stored in our apps, are encrypted using SSL/TLS with at least 256-bit encryption, providing strong “bank-grade” security.

As an additional security measure, our systems are regularly checked and certified by security experts who specialize in high-risk industries like banking and financial services.  Please contact us if you would like a copy of the latest report.

Details

Cybersecurity, data protection, and privacy are integral parts of our software design, engineering, development, updating, and maintenance functions.

For example, as to all of our applications, we comply with NIST’s Framework for Improving Critical Infrastructure Cybersecurity and Special Publication 800-171. This in turn means our apps meet the standards imposed under the federal Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and related regulations.

We also comply with various USA state laws relating to data protection and privacy, as well as the European Union’s GDPR and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

More specifically, as to all of our applications, we provide at least the following features and maintain at least the following processes and procedures:

•  Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and

•  Establish and enforce security configuration settings for information technology products employed in organizational systems; and

•  Track, review, approve or disapprove, and audit changes to systems; and

•  Analyze the security impact of changes prior to implementation; and

•  Establish, implement, and enforce physical and logical access restrictions associated with changes to systems; and

•  Employ the principle of least functionality by configuring systems to provide only essential capabilities; and

•  Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services; and

•  Apply deny-by-exception (blacklisting) policies to prevent unauthorized access, or deny-all, permit-by-exception (whitelisting) policies to allow only authorized access; and

•  Control and monitor software that Konfirmi makes available for local installation by its Subscribers; and

•  Limit information system access to authorized Subscribers, internal users, and related processes, with additional limitations on access to more sensitive data (Role Based Access Controls); and

•  Limit unsuccessful logon attempts; and

•  Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity; and

•  Automatically terminate user sessions after defined conditions; and

•  Limit the transmission and storage of Subscriber and other user data to only necessary processes; and

•  Encrypt all data in transit and at rest; and

•  Establish capabilities and systems to allow current and former Subscribers and other users to obtain confirmation regarding whether or not data concerning them is being processed or used by Konfirmi, and if so where and for what purpose; and

•  Establish capabilities and systems to allow Subscribers and other users to obtain a copy of their data, free of charge, in a commonly used and machine-readable electronic format; and

•  Establish capabilities and systems to allow Subscribers and other users to easily delete and permanently erase their data; and

•  Establish capabilities and systems to allow Subscribers and other users to easily change, correct, and update their data; and

•  Ensure that all internal users are properly trained (Awareness and Training); and

•  Create, retain, and maintain information system audit records (Audit and Accountability Controls); and

•  Establish, maintain, and enforce baseline configurations and inventories of systems (Configuration Management Controls); and

•  Identify and authenticate internal users, processes, or devices, as a prerequisite to allowing access to systems (Identification and Authentication Controls); and

•  Provide multi-factor authentication options for all Subscribers; and

•  Enforce a minimum password complexity and change of characters when new passwords are created; and

•  Obscure feedback of authentication information; and

•  Store and transmit only cryptographically-protected passwords; and

•  Establish, implement, and maintain incident-handling capabilities and systems that include preparation, detection, analysis, containment, recovery, and Subscriber and other user response activities (Incident Response Processes); and

•  Establish, implement, and maintain capabilities and systems to track, document, and report incidents to affected Subscribers and other users, designated officials, and/or authorities both internal and external to the organization; and

•  Establish, implement, and maintain appropriate maintenance and updating on all information systems (Maintenance Processes); and

•  Protect, secure and ensure the proper destruction of all media containing Subscriber and other user data (Media Protection Controls); and

•  Screen internal users prior to authorizing access (Personnel Security Controls); and

•  Ensure that all systems containing Subscriber and other user data and/or sensitive systems information are protected during and after personnel actions such as terminations and transfers; and

•  Limit and secure physical access to systems (Physical Protection Controls); and

•  Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of Subscriber and other user data and/or sensitive systems information (Risk Assessment Processes); and

•  Regularly scan for vulnerabilities in organizational systems and applications; and

•  Remediate vulnerabilities immediately; and

•  Periodically assess security controls and implement action plans (Security Assessment Processes); and

•  Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems (System and Communications Protection Controls); and

•  Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems; and

•  Separate user functionality (for Subscribers, other external users, and internal users) from system management functionality; and

•  Prevent unauthorized and unintended information transfer via shared system resources; and

•  Identify, report, and correct information flaws in a timely manner (System and Information Integrity Requirement).