Customer trust, reliability, and data security are critical to everything we do at DebtBook.


Product Security and Reliability

Password and Credential Storage

DebtBook enforces a password complexity standard for all users and stores credentials using a salted, deliberately slow password-hashing function such as bcrypt. Passwords are never stored in a recoverable (encrypted) form; a login is verified by recomputing the hash of the submitted password and comparing it with the stored value.

2FA

In addition to password-based authentication, users can turn on two-factor authentication (2FA) to add a second layer of protection to their account. Users install an authenticator app (such as Authy or Google Authenticator) on their phone or tablet that generates time-based one-time passcodes (TOTP); after successfully entering their password, the user enters the passcode currently shown by the app.

An organization-level setting can make 2FA mandatory for all members of that organization.

Permissions and Role-based Access Control

We enable permission levels within the app to be set for internal members of your organization as well as external guests that you may collaborate with. Permissions can be set to control access to certain parts of the application as well as the ability to read or write data.

Network and application security

Data Hosting

Our physical infrastructure is hosted and managed within Amazon Web Services (AWS) using their secure data centers. DebtBook leverages many of the platform’s built-in security, privacy, and redundancy features. AWS continually monitors its data centers for risk and undergoes assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under ISO-27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX).

DebtBook utilizes the US-East-1 region currently and distributes resources across multiple AZs.

Virtual Private Cloud

All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from getting to our internal network.

Encryption

DebtBook is served entirely over HTTPS. All data sent to or from DebtBook is encrypted in transit with TLS using 256-bit symmetric ciphers. Our API and application endpoints accept TLS 1.2 only (no SSL or older TLS versions) and are restricted to strong cipher suites, and we send an HTTP Strict Transport Security (HSTS) header so that browsers interact with DebtBook only over HTTPS. We also encrypt data at rest using the AES-256 encryption algorithm.
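As an added example of how a practitioner would check the two browser-facing properties just described (this is not DebtBook's code and runs against constructed header values, not the live site), the block below parses a Strict-Transport-Security header and reports the policy weaknesses that matter: a missing header, a max-age shorter than a year, max-age=0 (which tells browsers to forget the policy), and a missing includeSubDomains directive. It also builds a TLS client context that refuses anything below TLS 1.2 and uses only forward-secret AEAD cipher suites, which is the client-side mirror of the server setting described above. The one-year threshold is the value commonly required for preload lists and is an assumption of the example.

```python
import ssl

ONE_YEAR = 365 * 24 * 3600


def parse_hsts(header_value: str) -> dict:
    """Split a Strict-Transport-Security value into directives (RFC 6797: names are case-insensitive)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts(header_value, require_subdomains: bool = True) -> list:
    """Return a list of findings for the policy; an empty list means it is acceptable."""
    if header_value is None:
        return ["no Strict-Transport-Security header: a browser's first request can still go over plain HTTP"]
    findings = []
    d = parse_hsts(header_value)
    if "max-age" not in d:
        findings.append("max-age directive missing; the header is ignored by browsers")
    else:
        try:
            max_age = int(d["max-age"])
        except ValueError:
            findings.append(f"max-age is not an integer: {d['max-age']!r}")
        else:
            if max_age == 0:
                findings.append("max-age=0 instructs browsers to discard the policy")
            elif max_age < ONE_YEAR:
                findings.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if require_subdomains and "includesubdomains" not in d:
        findings.append("includeSubDomains missing: cookies scoped to the parent domain can leak via an HTTP subdomain")
    return findings


def tls12_only_context() -> ssl.SSLContext:
    """Client context that refuses SSL/TLS below 1.2 and permits only ECDHE + AEAD cipher suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # OpenSSL cipher-list syntax
    return ctx


if __name__ == "__main__":
    # Constructed sample headers: one acceptable policy and one weak policy.
    for value in ("max-age=31536000; includeSubDomains; preload", "max-age=300", None):
        print(repr(value), "->", check_hsts(value) or "ok")
    print("minimum TLS version:", tls12_only_context().minimum_version)
```

Against a live deployment the same check is run on the headers of an actual HTTPS response; the point of the function is that "we send HSTS" is only meaningful if max-age is long and includeSubDomains is present.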

Permissions and Authentication

Access to customer data is limited to authorized employees who require it for their job. We run a zero-trust corporate network, so being on DebtBook's internal network grants no access to corporate resources and no additional privileges. We use single sign-on and two-factor authentication (2FA), and enforce strong password policies, to protect access to all cloud-related services.

Incident Response

We have established an internal protocol for handling security events which includes escalation procedures, rapid mitigation, and documented post mortems. All employees will be formally trained and presented with related policies.

Penetration Testing

DebtBook utilizes third-party security tools to scan for vulnerabilities on a regular basis. Twice yearly we engage third-party security experts to conduct detailed penetration tests on the DebtBook application and infrastructure. Our product development team immediately responds to any identified issues or potential vulnerabilities to ensure the quality and security of the application.

A letter of attestation is available upon request.

Availability and Reliability

Uptime

We have an uptime of 99.9% or higher. You can check our stats around uptime and application response time by visiting https://status.debtbook.com.

Failover and business continuity

We’ve been building the DebtBook application infrastructure with continuity in mind. All of our infrastructure and data are spread across multiple AWS availability zones to ensure our application will continue to work should one of those data centers fail.

We manage our infrastructure as code so that we can redeploy infrastructure and application components quickly in the event of a catastrophic failure. We are planning for multi-region failover in the near future.

Data is backed up automatically every day using AWS services, allowing restoration to a particular point in time.

Security and Compliance Programs

Certifications
SOC 2 Type 1


People
Background checks

All DebtBook employees go through a thorough background check before hiring.

Training

We take a least-privilege approach to the access and handling of data. We retain a minimal amount of customer data and limit internal access to it on a need-to-know basis. All employees are required to review the related security policies and are trained in proper data handling so that they uphold our commitment to the privacy and security of your data.

Confidentiality

All employees sign a confidentiality agreement before they start at DebtBook.

Vulnerability control
Mobile Device Management (MDM)

All employee laptops and workstations are enrolled in mobile device management (MDM) software that enforces our information security standards, including password requirements and encryption.

Malicious software prevention

Our employees’ machines are defended by anti-virus and malware solutions.

Vulnerability management

We keep our systems up to date with the latest security patches and continuously monitor for new vulnerabilities through compliance and security mailing lists. In addition, our code repositories are automatically scanned for vulnerable dependencies.