Security Policy
Posted on: April 18, 2024
1. Scope. As described in this Security Policy, Modern Treasury uses commercially reasonable technical and organizational measures designed to prevent unauthorized access, use, alteration, or disclosure of Customer Data stored on Modern Treasury systems. This Security Policy applies to Modern Treasury systems and personnel. The Products include security options that Customer may use (see Section 5 below), and Customer is responsible for its own configurations and the security of its own systems. While certain Products may enable Customer to connect with its accounts at Banks or other Third-Party Platforms, Modern Treasury does not control how such third parties secure or process data.
2. Encryption & Customer Data.
   - Customer Data is encrypted in transit (TLSv1.2) and at rest in Modern Treasury production environments (AES-256).
   - Modern Treasury personnel credentials for Product production environments are encrypted.
   - Modern Treasury logically separates Customer Data from that of other customers and uses measures designed to prevent Customer Data from being exposed to other customers.
3. Asset Management. Modern Treasury implements asset management policies and prohibits storage of Customer Data on electronic storage devices such as thumb drives or laptops.
4. Access Controls.
   - Systems access by Modern Treasury personnel is determined on a need-to-use basis, as defined based on the responsibilities and duties of the position held.
   - Modern Treasury requires personnel to use unique user IDs, complex passwords and multi-factor authentication to access Product production environments.
5. Application Security & Customer Controls.
   - The Products allow Customer to use multi-factor authentication as described in the Documentation.
   - In addition, the Products allow Customer to manage its User permissioning, determine payment approval rules (for the Payment Products) and access and export audit trails, subject to the plan features available under Customer’s Order.
   - Customer may export its Customer Data through the standard functionality of the Products.
6. Network Security, Environmental & Physical Controls.
   - The Products operate on Amazon Web Services (“AWS”) and are protected by security and environment controls of AWS. Information regarding AWS security is available at https://aws.amazon.com/security/.
   - Modern Treasury’s physical offices maintain security surveillance and visitor access restrictions.
7. Personnel Management.
   - Modern Treasury conducts background checks of all employees with access to Customer Data.
   - All Modern Treasury personnel undergo annual security awareness training. Modern Treasury personnel in developer roles undergo annual secure coding training.
   - Modern Treasury immediately disables physical and logical access to Modern Treasury resources upon personnel termination.
8. Organizational Policies. Modern Treasury maintains and regularly reviews internal organizational policies, including a Data Protection Policy, Encryption and Key Management Policy, Information Security Policy, Risk Assessment and Management Program, System Access Control Policy, and Vulnerability Management Policy.
9. Business Continuity & Disaster Recovery.
   - Modern Treasury maintains a Business Continuity Plan (“BCP”) and Disaster Recovery Plan (“DRP”) to govern contingency plans for certain business interruptions and disasters affecting its business and Products.
   - Modern Treasury tests the BCP and DRP annually.
10. Security Assessments.
    - Modern Treasury engages a third-party auditor to conduct an annual SOC 2, Type II (or similar or successor) report (“SOC 2 Reports”). Modern Treasury engages a third party to conduct annual vulnerability assessments and reports (“Vulnerability Reports”). SOC 2 Reports and summary Vulnerability Reports are available to Customer on annual request, subject to confidentiality terms.
    - In addition, Modern Treasury performs ongoing internal vulnerability scanning and regular external vulnerability scanning.
11. Incident Response. Modern Treasury maintains an Incident Response Plan (“IRP”) to respond to potential security incidents, malware infection or intrusions to the Products or Customer Data, based on severity of impact.
12. Security Breach. If Modern Treasury becomes aware of unauthorized access to or disclosure of Customer Data due to a breach of Modern Treasury’s security (“Security Breach”), then unless limited by Laws, Modern Treasury will notify Customer of the Security Breach within three (3) business days of confirmation and provide Customer with information about when and where the Security Breach may have occurred, the effect on Customer Data and Modern Treasury’s corrective action in response to the Security Breach.