Security Standards: Keeping your data safe
Phyllo is built on top of infrastructure and services that use industry grade security standards.At every stage of our engineering process, we place a strong emphasis on system security and customer privacy.
Step-by-Step: How We Protect What Matters Most
We enforce strict access controls, utilizing multi-factor authentication (MFA) and adhering to the principle of least privilege. This ensures that only authorized personnel have access to sensitive information.
We implement coding best practices focused on the OWASP Top 10. Development, testing, and production environments are separated. All code changes are peer reviewed and tested prior to deployment into production.
We use advanced encryption protocols to safeguard data both in transit and at rest. Our systems employ 256-bit AES encryption for stored data and SSL/TLS for data transmitted over the internet, protecting against unauthorized access.Our database is hosted in a Virtual Private Cloud with AWS. AWS follows top IT security standards, including SOC 2 Type II, SOC 3, PCI-DSS certification, and ISO 27001.
We conduct regular security audits and penetration tests to identify and address potential vulnerabilities. This proactive approach helps us address weaknesses before they can be exploited.
Our production environments have security logging, uptime monitoring, and system availability metrics of our core services. This helps our security team enforce automated monitoring and uptime.
Proof of Protection: Our Certified Security Standards
Strengthening Data Security with SOC2 Compliance
Our SOC 2 (Type 2) shows our commitment towards a continuous effective build and improvement of our system and organization controls regarding security, privacy, availability, and confidentiality. This report explains the extreme care we take to earn and maintain our users trust in Phyllo, its systems, and product.
Frequently asked questions
What security measures do you have in place to protect the data?
We employ multiple layers of security measures, including encryption for data at rest and in transit, firewalls, intrusion detection systems, and regular security audits to safeguard your data.
What encryption standards do you use for data security?
We use 256-bit AES encryption for data at rest and TLS 1.3 with RSA 2048-bit key for data in transit. These industry-standard encryption methods ensure that your data is securely protected from unauthorized access.
How do you handle user data privacy?
We adhere to strict privacy policies and practices to ensure that user data is collected, stored, and processed in accordance with applicable privacy laws and regulations.
What is your policy for data retention and deletion?
We retain data only as long as necessary for business purposes or as required by law. Upon request or when data is no longer needed, we ensure secure deletion of data according to our data retention and deletion policies.
How do you manage access to sensitive information within your organization?
Access to sensitive information is controlled through role-based access controls and multi-factor authentication. Employees are granted access only to the data they need for their roles, and access is reviewed regularly.
Are your systems and softwares regularly tested for vulnerabilities?
Yes, we conduct regular vulnerability assessments and penetration testing to identify and address potential weaknesses in our systems and software, ensuring they remain secure against emerging threats.
What happens if there is a security breach or data loss?
In the event of a security breach or data loss, we follow our incident response plan, which includes immediate containment, investigation, notification to affected parties, and remediation efforts. We also review and update our security measures to prevent future incidents.
How do you ensure third-party vendors comply with your security standards?
We evaluate third-party vendors through security assessments and due diligence processes. We also require them to adhere to our security standards and include necessary provisions in our contracts to ensure compliance.
What laws do you comply with when it comes to data privacy?
Phyllo operates in many countries that each have their own laws about data privacy and security.Our legal team continually monitors the evolving regulatory landscape to identify changes and determine what action Phyllo needs to take to uphold our obligations in each jurisdiction.To find out more, please read our Privacy Policy.
