Our customers entrust us with sensitive financial data, and we take that role seriously.
Granular access controls, API-wide encryption, stringent certifications and organizational measures make Modern Treasury a safe partner to move and track money with.
Modern Treasury has developed a comprehensive set of security policies, which are shared with and made available to all employees and contractors with access to Modern Treasury systems.
- All of our employees are subject to annual security awareness training and mandatory background checks;
- Our employees use Multi-factor Authentication (MFA) for all access to internal or external services, including physical security keys;
- Access control to the application is role-based and fully auditable, with timely granting and revoking of employee access privileges;
- All employee workstations are protected by next-generation antivirus and endpoint detection and response (EDR) systems.
Governance, Risk, Compliance, and Privacy
- We undergo annual audits for SOC 2 Type II compliance. The report is available under NDA;
- We help customers comply with data protection regulations such as GDPR, CCPA, and CPRA by providing them with Data Processing Addenda (DPAs);
- Modern Treasury uses a leading automated security and compliance platform that continuously monitors our employees, systems, and tools to maintain compliance and improve our security posture;
- Granular user roles allow admins to tightly control access scope and minimize the risk from human error and bad actors;
- Detailed audit logs allow every action in the platform to be traced back to an individual user or API key, ensuring accountability for all events;
- Platform-wide SAML support, provided through Auth0, allows customers to use their existing single sign-on mechanisms;
- Multi-factor Authentication (MFA) allows customers to further secure the authentication process.
Encryption and Authentication
- Strong encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or stronger);
- Authentication and authorization for customer integrations can be performed via either SAML or API keys;
- HTTPS with industry-standard cipher suites secures API traffic point-to-point;
- API keys can be generated with granular permissions and are stored with multiple layers of encryption. Customers have both a UI and an API to audit and disable these keys. API keys and other encrypted components never leave the AWS key store;
- IP allowlisting and traffic rate limiting prevent API misuse;
- We regularly commission third-party penetration testing from industry-leading providers;
- Our Web Application Firewall (WAF) blocks common attacks, including those in the OWASP Top Ten.
Secure SDLC (Software Development Lifecycle)
- We perform comprehensive scanning in our application development, including static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA);
- We maintain a stringent change management system to ensure code quality, accountability, and separation of duties.
Modern Treasury operates a vulnerability discovery rewards program with HackerOne. If you believe you have discovered a vulnerability or would like to participate in our rewards program, please reach out to firstname.lastname@example.org.
Infrastructure and Security Operations
- Modern Treasury data is continuously backed up in multiple geographic regions to ensure always-on operational continuity;
- We prevent misconfigurations and weak security settings by applying industry-standard system hardening and security best practices (such as CIS AWS Level 1) to our production systems;
- We deploy an Intrusion Detection System (IDS) across our entire cloud footprint to receive prompt alerts about potentially malicious activity and data exfiltration;
- We use industry-standard scanners to ensure that our infrastructure, including customer-facing and backend systems, internal tooling, and other resources, is securely configured;
- Modern Treasury employee access to production is provisioned according to the Principle of Least Privilege. Elevated permissions are granted on a per-user basis, tightly scoped, and automatically revoked after use by Privileged Access Management (PAM) software;
- All infrastructure changes are vetted through detailed change controls that ensure updates are thoroughly reviewed, scanned for security issues, tested, formally approved, logged, and audited;
- We continuously monitor public information for new vulnerabilities, threat actors, and signs of compromise;
- We maintain a dedicated team of on-call engineers and security operations personnel for immediate response;
- We continuously monitor our infrastructure for vulnerabilities to ensure quick discovery and remediation.