PactFi Inc. is committed to excellence — both in its products and in how it serves its customers. Our product is designed to help customers improve their business through a high-performance, secure, highly available solution they can trust. To demonstrate this, we consistently apply industry-leading security practices to our own operations. These values underpin what we do at PactFi.
PactFi has been designed to embody the latest security standards and protocols.
The production infrastructure of PactFi is hosted by Amazon Web Services (AWS). AWS data centers and AWS services deliver the physical infrastructure, environmental controls, access control mechanisms, and monitoring systems to enable the highly secure and highly available offerings from PactFi.
Through our relentless commitment to excellence and our relationship with AWS, PactFi is able to provide enterprise-grade offerings to organizations of all sizes.
Compliance at PactFi demonstrates our ongoing commitment to maintaining rigorous security controls for managing our customers’ data through independent attestation and certification.
Security and Control Environment
The Information Security Team is responsible for ensuring the confidentiality, integrity, and availability of all PactFi information within facilities, on equipment, or transiting networks owned by or in direct partnership with PactFi. Specific methods used to achieve these objectives include, but are not limited to: development and distribution of security policies and procedures, security assessments, monitoring and processing of security alerts, and responding to security incidents.
People, Policies, and Training
PactFi is committed to hiring individuals who are world-class professionals in their discipline and who are committed to the organization's key principles of honesty, respect, confidentiality, and compliance.
To guide its professionals, PactFi maintains a set of policies, standards, and guidelines that serve as the body of requirements for implementing highly secure and highly available systems.
Based on the policies, standards, and guidelines of the organization, personnel are required to complete new-hire and annual security awareness training. Those with responsibilities that affect the security of PactFi's product and compliance efforts receive additional training on a variety of topics.
PactFi leverages global security frameworks to guide its security processes and controls. Key topics, such as Physical Security, Authentication, Encryption, Network Security, and System Hardening, are detailed below.
Physical Security and Environmental Controls
PactFi uses Amazon Web Services (AWS) for its hosting needs. AWS has obtained a SOC 2 Type 2 certification over the services used by PactFi, including the physical and environmental security control of its data centers.
The security of PactFi systems, devices, and accounts starts with secure credential creation and management.
Administrative access to the PactFi environments is limited to administrators through multi-factor authentication. Within the PactFi environment, PactFi deploys the concept of least privilege. Through role-based access control features within AWS, PactFi is able to provide highly granular permissions to different types of administrators at PactFi (e.g. server administration, database administration, network administration).
Protecting sensitive information is deeply embedded in PactFi’s DNA. Encrypting data in transit and at rest is one of the primary tools PactFi employs as a key part of its commitment to customers.
Firewalls are an important part of any security effort. In generic terms, a firewall refers to a control that can be used to prevent certain network traffic from entering a private network. PactFi leverages firewalls throughout the network and between different zones in the network including application firewalls, web application firewalls, and network-layer firewalls.
Additionally, network traffic is continuously monitored. Refer to the Logging & Monitoring section for further details.
Hardened baseline configurations help drive consistency within the operational environment and provide assurance that systems are built using software approved by PactFi, while minimizing the attack surface available to malicious code.
As part of the baseline configuration, Information Security-approved tools for malicious software detection are a default requirement. These tools provide system-level detection, monitoring, and alerting of potential security events and can prevent malicious code from executing. They also have defined integration paths to enterprise monitoring and event management capabilities, allowing the Information Security Team to aggregate themes and activities across the environment, invoke incident response actions, and support forensic investigations.
Security Assessments and Vulnerability Management
Security assessments are performed by the Information Security Team before production deployment of new or updated features, services, configurations, or code changes.
Security testing of infrastructure, including network devices and operating systems, is supported through vulnerability scanning and subsequent remediation.
Logging Processes and Pipeline
Logging is a critical part of information security management at PactFi because logs help ensure the security of PactFi systems. The Information Security Team provides product teams with standard methods and tools to easily transmit logs from any system at PactFi to the Information Security Team. The event pipeline receives logs from different sources and aggregates them into a single location that is globally available to authorized incident response personnel.
Incident Response Personnel
The Incident Response Team is a 24/7 team that monitors systems and alerts to identify security events and triage incoming alerts. Events are tracked in a centralized tracking tool where the details of the event and its potential business impact are captured. Additional teams are brought in to remediate events through a standardized and streamlined process.
PactFi has implemented an incident management program that includes the policies and procedures to manage risks in a timely and effective manner. Based on the documented Incident Response Plan, security events are assigned to appropriate personnel for analysis before an event is designated as an incident. Once identified as an incident, PactFi applies a standardized approach of assigning a severity level to the incident in order to properly classify, prioritize, and respond to it. Additionally, the organization has documented an incident communication plan that defines the roles, responsibilities, compliance obligations, and communication procedures for an incident.
PactFi uses Amazon Web Services (AWS) for its hosting needs. PactFi has architected its environment to be highly redundant and provide high availability to its customers.
The organization has developed retention policies and schedules to outline the required retention periods for records.