Findify implements and maintains the following security measures. Findify may update or modify the security measures from time to time, provided that such updates or modifications do not degrade the overall security of its services.
Compliance and Certification
PCI DSS: Findify’s payment and card information is handled by Braintree, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the strictest level of certification available in the payments industry.
Privacy Shield: Privacy Shield is a certification program that applies to US-based companies. Because Findify is an EU-based company, we are not part of the Privacy Shield. However, our sub-processors such as AWS and others (see our Subprocessors section) are in fact part of the Privacy Shield.
Physical Access Control: Findify is hosted on AWS (Amazon Web Services). AWS data centers feature a layered security model, including extensive safeguards such as:
According to the AWS Security white paper, AWS also complies with an impressive array of certifications.
Infrastructure control: Direct access to infrastructure, networks and data is minimized to the greatest extent possible. Only the designated authorized Findify operations team members have access to configure the infrastructure and the access is made via VPN. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted location.
Third-party audit: AWS undergoes various third-party independent audits on a regular basis and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification.
Operating system: Findify uses a Linux-based operating system for all its applications. We constantly upgrade our machines to the latest operating system and apply the latest security updates.
High availability: The Findify architecture has been designed to eliminate single points of failure. All the components that deliver the Findify service are replicated over several availability zones within AWS. This design also allows Findify to perform application and infrastructure updates with minimal impact on service availability.
Data backups: Findify keeps daily encrypted backups of the merchant configuration, the customer data and other critical data in AWS, using S3 storage. Backup files are stored redundantly across multiple availability zones. While never expected, in the event of a production data loss (if all the replicas go down), we will restore the data from these backups.
Network and Transmission
Internal network: Only the APIs are publicly accessible from the Internet. Findify’s production environment, where all the customer data and customer-facing applications sit, is located in a logically isolated Virtual Private Cloud (VPC). Production and non-production environments are segregated. All network access between hosts is restricted using security groups so that only authorized services can interact with each other.
Encryption technology: By default, our Merchant JS communicates with findify.io using Transport Layer Security (TLS), which is regularly updated to use current cipher suites and TLS configurations. We support TLS 1.1 and 1.2.
Data Security and Privacy
Data storage and isolation: Findify stores data in a multi-tenant environment. All the data is replicated over several availability zones. Findify logically isolates each merchant’s data, and logically separates each end-consumer’s data from the data of other end-consumers. Data for an authenticated merchant will not be displayed to another merchant (unless a merchant allows the data to be shared). A central authentication system is used across all services to make data security more uniform.
Retention: Findify retains end-consumers’ data for a period of 2 years. We remove individual events after 2 years. All event data is eradicated from the service and from the servers without additional archiving in order to prevent the threat of intrusion.
Data Removal: End-consumers may request the erasure of their personal data stored by Findify, via the data controller. We’ve built the tools and processes necessary to help our customers fulfil these requests. In addition, all the data of an ecommerce store is removed upon that customer’s termination of service.
Data Access: End-consumers can request a summary of their data collected by Findify, via the data controller, provided they supply their unique and visit identifiers. More explanation on how to get these values is provided in our FAQ.
Anonymization: Findify does not collect all types of data as part of its analytics platform. Personal data such as an IP address is automatically anonymized by Findify before being stored in Findify databases.
Monitoring: All the Findify applications and servers transmit metrics to our monitoring service. We regularly watch the monitoring dashboards (per service) to detect unusual patterns in the metrics. Alerts are configured there so that the system notifies our monitoring team when a service goes over normal thresholds.
Security Development Lifecycle: Findify has a continuous delivery platform, which means all code changes are committed, tested, shipped, and iterated on in a rapid sequence. A continuous delivery methodology, complemented by pull requests and continuous integration (CI), significantly decreases the likelihood of a security issue and improves the response time to, and the effective eradication of, bugs and vulnerabilities.
Account security: Findify secures its dashboard authentication secrets using industry best-practice methods to salt and repeatedly hash your credentials before they are stored.
Incident response: Findify has implemented an incident response plan. In case of a security incident involving customer data, we will react promptly, inform you and update you accordingly.
REST API authentication: Findify’s REST API uses personal auth tokens or an API key for authentication. Authentication tokens passed in the auth header are used to authenticate a user account with the API.
Personnel security: Findify personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
Risk management: All Findify product changes must go through code review, CI, and the build pipeline to reach production servers. Only designated employees on Findify’s operations team have secure shell (SSH) access to production servers.
Disclosure policy: Findify notifies customers of any data breaches as soon as possible via email, followed by multiple periodic updates throughout each day addressing progress and impact.
Security training: All new Findify employees attend a “Security 101” training during the onboarding process. In addition, all Findify employees must take the Security and Privacy training once a year, which covers the Information Security policies, best practices and privacy principles.