Security

At Modern Treasury, we understand the importance of keeping our customer's information secure. We value security as a top priority and implemented a comprehensive security program. We understand that trust is earned and we are dedicated to earning and maintaining the trust of our customers by protecting their information.

PCI DSS 4.0

Modern Treasury is certified PCI DSS 4.0 compliant. Payment Card Industry Data Security Standard (PCI DSS) is the global standard for protecting sensitive payment card data, and version 4.0 is the most rigorous and up-to-date version yet.

To achieve PCI DSS compliance, we implemented several security controls, including:

• Strong encryption for all payment card data
• Regular security testing and vulnerability scanning
• Access controls to restrict access to sensitive data
• Employee training on security best practices

These controls are designed to provide our customers with the highest level of security for payment card data.

SOC 2 Type II and SOC 1 Type II Compliant

SOC 2 Type II and SOC 1 Type II frameworks are recognized as the gold standards for data security and privacy. Modern Treasury has undergone SOC 2 and SOC 1 assessments by an independent third-party auditing firm. We are reassessed every year to confirm that our organization’s goals align with our internal controls, security protocols, data handling processes, and meet the Trust Services Criteria for Security, Availability, and Confidentiality. These practices also include continuous testing and monitoring of our systems, and regular risk assessments.

NIST CSF 1.1

We are committed to maintaining the highest standards of data protection and cybersecurity, so we align our information security program with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 1.1. NIST CSF 1.1 provides a comprehensive and flexible approach to managing cybersecurity risks, enhancing our ability to identify, protect, detect, respond, and recover from cyber threats.

DPA Complying with GDPR, CCPA and CPRA

We understand the complexities of data processing regulations and the importance of compliance for our customers in the finance industry. By providing them with a Data Processing Addendum (DPA) and/or California Privacy Terms, we help our customers manage their compliance obligations under regulations such as the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

A DPA is a legal contract between, in the case of most service providers, a data controller and a data processor that sets out terms and conditions for processing personal data. It helps customers manage their compliance obligations under applicable data processing regulations by outlining the responsibilities of both parties and providing a clear understanding of how personal data will be handled.

Our DPA is designed to help customers manage their compliance obligations under applicable data processing regulations by clearly defining the roles and responsibilities of both parties. The document includes provisions describing how Modern Treasury protects personal data, what security measures we’ve implemented, how Modern Treasury would respond in the event of a data breach and more. It also provides a clear explanation of data processing activities and any subprocessors involved.

Modern GRC

Modern Treasury leverages a leading automated security and compliance platform to stay compliant by continuously monitoring our employees, systems, and tools to improve our security posture.

We understand that the compliance landscape is constantly changing, and we are committed to staying ahead of the curve by using the latest technology and best practices. Our automated security and compliance platform is designed to keep us up to date with the latest regulations and standards, so that we can respond to potential threats quickly and effectively.

Access Control

Granular User Roles

Maintaining data control is paramount. We implemented a granular access control system that enables our customers to control access scope with precision and minimize the risk of human error and bad actors. Our solution includes advanced features that allow customer admins to define the exact permissions a role has, down to the level of individual resources (eg. Expected Payments, Internal Accounts, etc.). Admins can even define constraints, such as limiting access to a specific bank account, ensuring that users can only view or interact with the precise data they are permitted to see. This fine-grained control empowers admins to create roles tailored to their unique business needs, managing permissions with high specificity. Admins can easily assign and adjust access levels for their team members, ensuring that only authorized personnel can view and edit sensitive information. This added layer of security not only helps protect user data, but also provides additional assurance that information is only accessible by those who need it.

Audit Logs

When it comes to handling financial data, accountability and transparency are indispensable. Our detailed audit logs are designed to provide a clear and comprehensive record of all actions taken within the platform, allowing such actions to be traced back to individual users and API keys.

This feature is designed to allow customers to quickly and easily identify the source and take the appropriate action in the event an issue arises. Furthermore, it allows customers to have a clear oversight on their team’s actions.

Our dashboard allows customers to view and bulk export their audit logs with just a few clicks, making it easy to analyze data and gain insights quickly. Additionally, our enterprise customers can seamlessly stream audit logs directly into their log management systems and Security Information and Event Management systems (SIEMs).

SAML, SCIM, and MFA Support

Platform-wide support for SAML (Security Assertion Markup Language), provides security and convenience for our customers. SAML allows our customers to leverage their existing single sign-on mechanisms. We support this through integration with Auth0 by Okta, a leading provider in identity management.

We also support SCIM (System for Cross-domain Identity Management specification), a protocol for directory sync. Directory sync simplifies user lifecycle management for IT admins by providing a single source of truth for information about users. Customers use their identity provider to automate employee onboarding, employee offboarding, and user role provisioning to ensure seamless and centralized role access control.

With MFA (Multi-factor Authentication), our customers can secure their accounts with an extra level of protection, requiring users to provide a second form of authentication, such as a time-based one-time password (OTP) or text message code, in addition to their password. This helps to prevent unauthorized access.

Data Segmentation

All customer data is separated using logical segmentation. Every piece of data, including file and database row, has metadata that indicates the “context” of the data. And the context is used to determine the ownership and authorization of the data every time the data is accessed. Data segmentation is a fundamental design of our application.

Our enterprise customers also have the opportunity to request designated and segmented computing and storage resources that are specifically allocated for exclusive use, ensuring maximum performance and reliability for their operations, and heightened security.

Encryption and Authentication

Strong Encryption

Modern Treasury uses strong encryption in transit and at rest throughout the platform.

We use Transport Layer Security (TLS) ≥ 1.2, the industry standard for secure communications, to encrypt all data in transit. All data transmitted between our customers and our servers, as well as between our servers to bank partners’ servers, is encrypted to help protect against eavesdropping, tampering, and impersonation.

We also use Advanced Encryption Standard (AES) 256-GCM, the most secure encryption method currently available, to encrypt all sensitive data at rest. All sensitive data stored on our servers is encrypted to protect against unauthorized access.

Our strong encryption in transit and at rest protocols are designed to meet or exceed the highest industry standards.

Authentication

SAML or API Key

Modern Treasury offers both SAML and API key authentication and authorization as our integration options. SAML, or Security Assertion Markup Language, allows for secure exchange of user authentication and authorization data between systems. API keys, on the other hand, provide a secure way for customers to access our platform through a unique identifier and secret key. With these options, our customers can choose the method that best fits their security needs and easily integrate with our platform.

Webhook Signature

To provide authentication for our webhook, every webhook payload from Modern Treasury is digitally signed. The cryptographic signature is used to verify the identity of the sender and verify that no one tampered with the message during the transit.

Bank Connection Fingerprinting

To serve our customers, Modern Treasury communicates with bank partners on their behalf. We use TLS ≥ 1.2 encryption for data in transit; we also ensure the authenticity of bank servers by validating SSL certificates as well as fingerprinting the bank servers by collecting and monitoring the servers’ unique identifying information, including server IP addresses, SSH server host keys, and SSL certificates.

This information gives Modern Treasury the visibility it needs to detect bank server anomalies, including potential extreme cases such as DNS and hostname takeover or private key compromise of the bank servers.

Tokenization

Introducing advanced tokenization technology that provides an additional layer of security for the most sensitive data. With our tokenization process, we further isolate customer data by securely storing it in our secure token vault, replacing it with a unique token that can only be used by authorized parts of the system. This process provides another line of defense for sensitive data,  even in the event of a breach.

API Security

HTTPS with Strong Ciphers

All of our API traffic uses HTTPS, the industry-standard for secure data transfer, in conjunction with industry-standard ciphers, to ensure that all API traffic is secure point-to-point. HTTPS encrypts the data being transferred between systems, making it difficult for third parties to intercept and read the information.

API Key with Granular Permissions and Multi-Layer Encryption

We offer API keys that can be generated with granular permissions, giving our customers the ability to control exactly what actions can be performed with the key. Furthermore, our API keys are stored with multiple layers of encryption, to help  protect against any unauthorized access. We also provide our customers with a robust user interface and API interface that allows them to easily audit and disable any keys that may have been compromised.

Per API Key IP Allowlisting and Traffic Rate Limiting

To prevent API misuse, our customers can easily configure IP allowlist per API key, giving them the power to determine who has access to their data. In addition, we have traffic rate limiting in place to prevent overuse and misuse of the API. This feature helps to ensure that the API usage is kept within a predefined threshold, preventing any one user or system from overwhelming the API with too many requests. Together, these features are designed to make sure that our API will be available and responsive to legitimate requests while preventing any malicious, accidental, or unauthorized misuse.

Web Application Firewall (WAF)

Our Web Application Firewall (WAF) defends against common cyber attacks. It effectively blocks the OWASP Top Ten, the most critical and prevalent vulnerabilities that threaten web applications. Our WAF is designed to protect web applications against SQL injection, cross-site scripting, and other malicious attacks. It’s configured to proactively identify and block threats before any damage can be caused. It also provides detailed reporting and forensic capabilities to help us quickly investigate and remediate any security incidents.

Secure Software Development Lifecycle (SDLC)

Comprehensive Scanning

Modern Treasury performs comprehensive scanning during our application development process to check our products for any vulnerabilities. Our testing includes a combination of static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA).

SAST analyzes the source code of the application to identify potential vulnerabilities before they can be exploited. DAST, on the other hand, simulates real-world attacks on the application while it is running to identify vulnerabilities that may not be detectable during static testing. SCA checks all the third-party components used in the application for known vulnerabilities.

This combination of testing methods helps us identify and remediate vulnerabilities early in the development process.

Stringent Change Management

To help maintain code quality and accountability in the development process, we implemented a stringent change management system that promotes best practices in coding and enforces strict guidelines for code review and approval.

Our change management system includes the requirement that all changes to the codebase are thoroughly reviewed and tested before being implemented. This approach helps us catch potential issues early and helps ensure that only high-quality code is deployed to production.

Furthermore, our system also includes a separation of duties, meaning that different team members are responsible for different stages of the development process. This not only helps to ensure that every code change is thoroughly reviewed, but also reduces the risk of a single individual having too much control over the codebase.

Our change management system is regularly audited, and we are always looking for ways to improve it.

Continuous Backups

Data availability and continuity of operations is crucial to us. We have a robust data backup and recovery system that ensures that our customers' data is always safe and accessible. Data backups that are continuously taken in multiple cloud data centers located in different regions. This approach ensures that if there is an issue with one data center, data are still accessible. This also allows us to minimize the risk of data loss in the event of natural disasters, power outages, or other unforeseen events.

Our data backup and recovery system is regularly tested to ensure that it is working correctly and that we are able to quickly restore data in case of emergency. We also ensure that all backups are encrypted and immutable.

Autoscaling

Maintaining excellent availability and performance, and delivering the high SLA that we promise to our customers is one of our core missions. For that, we dynamically adjust the amount of computational resources in our infrastructure, ensuring we provide our service even during peak-hour traffic. We engineered autoscaling at almost every layer of our infrastructure, from database to computing resources, to CDN to DNS.

Static IPs

Static IP addresses are permanent, unchanging IP addresses. To help our customers manage their ingress and egress firewalls, Modern Treasury implemented static IPv4 addresses both for traffic sent to Modern Treasury, and for webhooks received from Modern Treasury. This allows our customers to easily allowlist and authorize access to their resources, and also makes it easy to track and monitor access logs.

System Hardening and Top Security Practices

We harden our systems by applying industry-standard system-hardening and top security practices. We follow guidelines such as CIS AWS Level 1, which are widely recognized as the best practices for securing cloud-based systems. This helps us configure our systems in a secure manner, reducing the risk of misconfiguration and weak security configs. Our team regularly monitors and audits our systems to ensure that they are configured correctly and that any new vulnerabilities are identified and remediated quickly.

Intrusion Detection System (IDS)

To detect threats in real time and perform rapid response, we utilize an Intrusion Detection System (IDS) that is deployed across our entire cloud footprint.

The IDS is designed to quickly detect and alert us of any potentially malicious activity and data exfiltration attempts. It uses advanced algorithms and machine learning to analyze network traffic and identify suspicious patterns of behavior, which helps us take immediate action to investigate and remediate any security incidents. Our IDS is continuously updated with the latest threat intelligence and security updates to ensure that it is always able to detect the latest threats. Any new events identified from the IDS will alert our team for a timely response.

DDoS Protection

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

At Modern Treasury, we leverage the latest cloud technologies to shield against DDoS attacks so we can provide our services and operate with high availability even under such attack.

Infrastructure Scanning

We regularly assess and audit our infrastructure, including customer-facing and backend systems, and internal tooling and resources, using infrastructure configuration scanning to ensure our infrastructure is secure and configured correctly.

The scanning is designed to identify and report any security vulnerabilities, misconfigurations, and compliance issues, so we can quickly identify and remediate any vulnerabilities and misconfigurations in our infrastructure. Our security team regularly monitors and audits the results of these scans and works closely with our development team to ensure that any vulnerabilities are addressed quickly and effectively.

Least Privilege

Principle of Least Privilege (POLP) for employee access ensures that our employees only have the minimum access necessary to perform their job responsibilities. Our access provisioning system is designed to grant access based on an employee's role and responsibilities, and it is regularly reviewed and updated to ensure that it is still in compliance with the POLP. This approach not only helps to protect our customers’ data, but also helps to minimize the risk of security breaches caused by human error.

Audit Trail

We monitor and record every single activity across the entirety of our cloud infrastructure, allowing us control over storage, analysis, and remediation actions, providing impeccable visibility and accountability. We also store and backup our audit trail at a maximum security location, preventing unauthorized access and malicious tampering.

Infrastructure as Code (IaC)

Modern Treasury engineering practices IaC. By treating our infrastructure as code, we are able to manage, version, and audit our infrastructure in the same way we do with application code. Our IaC approach allows us to automate the provisioning and configuration of our infrastructure, which ensures that it is consistently configured across all environments. This improves the reliability and consistency of our systems while reducing the risk of human error. It also allows us to easily rollback to previous configurations in case of issues.

Email Security with DKIM, SPF, and DMARC

To bolster the security and integrity of our email communications, we implemented technologies such as DKIM (DomainKeys Identified Mail), SPF (Sender Policy Framework), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) for both applicable inbound and outbound email servers.

By deploying DKIM, we attach a digital signature to emails, allowing the recipient to verify that the email was indeed sent from our domain and has not been tampered with. And in reverse, we verify the DKIM signature for received messages. SPF helps us prevent spammers from sending messages on behalf of our domain, and DMARC provides an extra layer of verification, coupled with reporting capabilities to enhance our response to email threats. These protocols are designed to fortify our email systems against phishing, spoofing, and other malicious activities.

Threat Intelligence

Cybersecurity is a field of emerging attacks and ever-evolving exploitations. To stay ahead of the threats, our team regularly monitors and analyzes the threat intelligence information and data from a variety of sources, including industry reports, government agencies, and other trusted partners. This allows us to stay informed about the latest threats and vulnerabilities and take proactive measures to protect our systems and data.

24/7 Security

We have a dedicated team of information security personnel who are available on-call to ensure that customer information is always safe and secure.

Background Checks and Security Training

Security starts with people. We conduct thorough background checks and annual security training on all our employees. This training covers the latest security best practices and helps our staff identify and respond to security risks effectively. We also provide annual security coding training to our developers, which focuses on secure coding practices to prevent potential vulnerabilities in our systems and applications.

Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC)

With MFA, our employees are required to provide two or more forms of identification before being granted access to any of our systems. This added layer of security ensures that only authorized personnel can access the company’s digital assets. We also implement Role-Based Access Control (RBAC), which ensures employees can only access the systems and information relevant to their role. This means that even if an attacker manages to compromise an employee's credentials, they couldn’t  access sensitive information the employee was  not authorized to see.

Next-Gen Antivirus and Endpoint Protection

We provide  our employees with next-generation antivirus and endpoint detection and response (EDR) software on their workstations. These systems use advanced algorithms and artificial intelligence to detect and block cyber threats. They also provide real-time monitoring and protection.

Modern Treasury takes a proactive approach to test our systems. One important aspect of this approach is regular third-party penetration testing. This process involves simulating real-world attacks on our systems by penetration testers to identify and address any potential vulnerabilities.

We make sure that our testing providers are industry-leading, meaning that they have a team of experts with the necessary knowledge, experience, and tools to conduct a thorough and comprehensive testing.

Our team works closely with these security professionals to simulate various types of attacks and identify any weaknesses in our systems. We also make sure all our attack surfaces are covered by the testing, both  external application penetration testing on our web dashboard and API and internal penetration testing on our network segmentation and cloud infrastructure. Regularly performing these tests puts us in the best position to identify and address any potential vulnerabilities before they can be exploited.

Modern Treasury hosts a bug bounty program through HackerOne. A bug bounty program is a way for us to identify and fix vulnerabilities in our systems by incentivizing security researchers and ethical hackers to report any bugs or vulnerabilities they find. This gives us the advantage to quickly identify and fix potential security threats before they can be exploited by malicious actors.