Security

DebtBook enforces a password complexity standard for all users and stores credentials using encrypted functions like bcrypt.

Authenticate users using your own SAML-based identity provider without requiring them to enter additional login credentials. If you’re using password-based authentication, you can turn on 2-factor authentication (2FA).

In addition to password-based authentication, users can turn on 2-factor authentication (2FA) to add an additional layer of security to their account. Users can download and install an authenticator app (like Authy or Google Authenticator) on their phone or tablet capable of generating time-based one-time (TOTP) passcodes that can be manually entered after successfully provided a password.

This can be required for all members of an organization using a setting.

We enable permission levels within the app to be set for internal members of your organization as well as external guests that you may collaborate with. Permissions can be set to control access to certain parts of the application as well as the ability to read or write data.

Our physical infrastructure is hosted and managed within Amazon Web Services (AWS) using their secure data centers. DebtBook leverages many of the platform’s built-in security, privacy, and redundancy features. AWS continually monitors its data centers for risk and undergoes assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under ISO-27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX).

DebtBook utilizes the US-East-1 region currently and distributes resources across multiple AZs.

All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from getting to our internal network.

DebtBook is served entirely over HTTPS. All data sent to or from DebtBook is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only (v1.2). This means we only use strong cipher suites and utilize HTTP Strict Transport Security (HSTS) to ensure browsers interact with DebtBook only over HTTPS. We also encrypt data at rest using the AES-256 encryption algorithm.

Access to customer data is limited to authorized employees who require it for their job. We run a zero-trust corporate network so there are no corporate resources or additional privileges gained from being on DebtBook’s internal network. We utilize single sign-on, 2-factor authentication (2FA), and enforce strong password policies to ensure access to all cloud-related services is protected.

We have established an internal protocol for handling security events which includes escalation procedures, rapid mitigation, and documented post mortem. All employees are formally informed and presented with related policies.

DebtBook utilizes third-party security tools to scan for vulnerabilities on a regular basis. Twice yearly we engage third-party security experts to conduct detailed penetration tests on the DebtBook application and infrastructure. Our product development team immediately responds to any identified issues or potential vulnerabilities to ensure the quality and security of the application.

A letter of attestation is available upon request.

DebtBook uses third party security tools to continuously scan for vulnerabilities and responds to actionable findings in a timely manner.

DebtBook encourages responsible disclosure of security vulnerabilities. For details on how to conduct responsible security research and report findings to DebtBook, please see our Vulnerability Disclosure Program information page.

We aim for an uptime of 99.9% or higher. You can check our stats around uptime and application response time by visiting https://status.debtbook.com.

We’ve been building the DebtBook application infrastructure with continuity in mind. All of our infrastructure and data are spread across multiple AWS availability zones to ensure our application will continue to work should one of those data centers fail.

We treat infrastructure-as-code so we can easily deploy new infrastructure and application components easily in the event of a catastrophic failure. We’re planning for multi-region failover in the near future.

Data is backed up automatically daily using AWS services for restoration to a particular point-in-time.

DebtBook has established and implemented formal controls to protect client data and ensure the integrity of all outputs that may be used for financial reporting.

DebtBook has established and follows strict information security policies and controls which encompass the trust service categories related to security, availability, processing integrity, and confidentiality.

All DebtBook employees go through a thorough background check before hiring.

We take a least-permission-required approach to the access and handling of data. While we retain a minimal amount of customer data and limit internal access on a need-to-know basis, all employees are required to review related security policies and are trained on proper data handling to ensure they uphold our strict commitment to the privacy and security of your data.

All employees sign a confidentiality agreement before they start at DebtBook.

All of our employees’ machines and laptops are using mobile device management software to ensure each device follows our information security standards, including proper passwords and encryption.

Our employees’ machines are defended by anti-virus and malware solutions.

We keep our systems up-to-date with the latest security patches and continuously monitor for new vulnerabilities through compliance and security mailing lists. This includes automatic scanning of our code repositories for vulnerable dependencies.