Compliance & Security
At moovel, we take a holistic approach to security and have created an implemented process that ensures the security of our information assets are well protected. Our program provides the framework for keeping our company at a desired security level by assessing the risks we face, deciding how we will mitigate them, and planning for how we keep the program and our security practices up to date. moovel has undergone a SOC I, Type 2 audit engagement for 5 years and received unqualified/unmodified opinions in each of those years.
AWS Data Center Compliance
moovel’s cloud infrastructure is housed in Amazon Web Services (AWS) data centers, which is recognized to be a top tier cloud service provider. AWS provides a broad set of capabilities in terms of data center security, network security, and a significant number of certifications. This level of data center and operational security allows moovel to be compliant with many of the most stringent industry standards.
SOC 1 Type 2 AWS
The SOC 1 Type II report covers controls in place at a Service Organization intended to meet the needs of the user entity. The type II report additionally includes an auditor’s overview of the operating effectiveness of the controls in place to achieve the control objectives.
SOC 2 Type 2 AWS
Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations.
ISO Cert AWS
AWS is ISO 27001 certified which sets the standards for an information security management system (ISMS).
Payment Processor Compliance
Payments are processed through our third-party payments processing vendor, Braintree. Braintree is PCI-DSS Level 1 Compliant as a merchant service provider.
moovel Security Features
Logical Access
AWS is ISO 27001 certified which sets the standards for an information security management system (ISMS).
Security Incident Event Management (SIEM)
moovel’s SIEM system gathers extensive logs from production systems. The SIEM alerts on triggers which inform the Security team based on correlated events for investigation and response.
Network Security
moovel has taken reasonable measures to protect the infrastructure on which customer data is stored, maintained, or transmitted. These measures include two-factor authentication, VPN access to production systems, as well as the use of access control lists and defined network boundaries.
Encryption
moovel has taken reasonable measures to protect the infrastructure on which customer data is stored, maintained, or transmitted. These measures include two-factor authentication, VPN access to production systems, as well as the use of access control lists and defined network boundaries.
Change Management
We follow best practices for both planned and unplanned changes to production systems. Additionally, we process enhancements and feature requests through a documented change request process. These processes are audited annually via our external auditors.
Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Backup, Retention, and Restoration
moovel performs appropriate backup and recovery measures for production data and redundant system availability in the event of a loss of, or damage to systems or data.
Our Disaster Recovery (DR) program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished by building a robust technical environment, utilizing service clustering and network redundancies to eliminate single points of failure, and performing an annual tabletop exercise.
Infrastructure
Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk.
Our network is protected by redundant firewalls, best-in-class router technology, HTTPS over public networks, and regular audits.
Threat Intelligence Program
moovel participates in threat intelligence sharing programs and monitor threats posted to these threat intelligence networks and takes action based on the probability and potential severity of an exposure.
Network Vulnerability Scanning
Regular third-party ASV scans gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program, each year moovel employs third-party security experts to perform a broad penetration test across production systems.
Intrusion Detection and Prevention
Major application data flow ingress and egress points are monitored with Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). The systems are configured to generate alerts when incidents and values exceed predetermined thresholds and uses regularly updated signatures based on new threats.
Have Questions?
Here at moovel we strive to be a resource for you and your team. If you have any comments, questions, or concerns please click the contact us button below and we will route your information to one of our security representatives.
Source:
