Our customers entrust us with sensitive financial data, and we take that role seriously.

Organizational Security

Modern Treasury has developed a comprehensive set of security policies, which are shared with and made available to all employees and contractors with access to Modern Treasury systems.

• All of our employees are subject to annual security awareness training and mandatory background checks;
• Our employees use Multi-factor Authentication (MFA) for all access to internal or external services, including physical security keys;
• Access control to the application is based on roles and is fully auditable, with timely granting and revoking of employee access privileges;
• All our employee workstations are powered with next-gen antivirus and endpoint detection and response systems.

Governance, Risk, Compliance, and Privacy

• We perform annual audits for SOC II Type II compliance. The report is available under NDA.
• We help customers comply with data processing regulations such as GDPR, CCPA, and CPRA by providing them with Data Processing Addendums (DPA);
• Modern Treasury leverages a leading automated security and compliance platform to stay compliant by continuously monitoring our employees, systems, and tools to improve security posture.

Product Security

Access Control

• Granular user roles allow admins to control access scope tightly and minimize the risk of human error and bad actors;
• Detailed audit logs allow actions in the platform to be traced back to individual users and API keys, assuring accountability for all events;
• Platform-wide support for SAML, supported by Auth0, allows customers to leverage existing single sign-on mechanisms;
• Multi-factor Authentication (MFA) allows customers to further secure the authentication process.

Encryption and Authentication

• Strong encryption in transit (≥TLS 1.2) and at rest (≥AES 256 bit);
• Authentication and authorization for customer integrations can happen both via SAML or API keys.

Application Security

API Security

• HTTPS coupled with industry-standard ciphers makes API traffic secure point-to-point;
• API keys can be generated with granular permissions and are stored with multiple layers of encryption. Customers have a robust UI and API interface to audit and disable such keys. API keys and other encrypted components never leave the AWS key store;
• IP allowlisting and traffic rate limiting prevent API misuse;
• We regularly perform third-party penetration testing with industry-leading providers;
• Our Web Application Firewall (WAF) blocks common attacks, including the OWASP Top Ten.

Secure SDLC (Software Development Lifecycle)

• We perform comprehensive scanning in our application development, including static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA);
• We maintain a stringent change management system to ensure code quality, accountability, and separation of duties.

Bug Bounty

Modern Treasury operates a vulnerability discovery rewards program with HackerOne. If you believe you have discovered a vulnerability or would like to participate in our rewards program, please reach out to bugbounty@moderntreasury.com.

Infrastructure and Security Operations

• Modern Treasury data is continuously backed up in multiple geographic regions to ensure always-on operational continuity.
• We avoid misconfigurations and weak security configs by applying industry-standard system hardening and top security practices (such as CIS AWS Level 1) to our production systems;
• We deploy IDS (Intrusion Detection System) across our entire cloud footprint to quickly receive alerts about potentially malicious activity and data exfiltration;
• We use industry-standard scanners to ensure our infrastructure, inclusive of customer-facing and backend systems, internal tooling, and resources are securely configured;
• Modern Treasury employee access to production is provisioned according to the Principle of Least Privilege. Elevated permissions are granted on a per-user basis, tightly scoped, and automatically revoked after use by Privileged Access Management (PAM) software;
• All infrastructure changes are vetted through detailed change controls that ensure updates are thoroughly reviewed, scanned for security issues, tested, formally approved, logged, and audited;
• We continuously monitor public information for new vulnerabilities, threat actors, and signs of compromise;
• We dedicate a team of on-call engineers and security operations personnel for immediate response;
• We continuously monitor our infrastructure for vulnerabilities to ensure quick discovery and remediation.