Security

At Modern Treasury, we understand the importance of keeping our customer's information secure. We value security as a top priority and implemented a comprehensive security program. We understand that trust is earned and we are dedicated to earning and maintaining the trust of our customers by protecting their information.

Access Control

Granular User Roles

It is paramount to maintain control over your data and who has access to it. That's why we have implemented granular user roles, which give our customers the ability to control access scope with precision and minimize the risk of human error and bad actors. Admins can easily assign and manage access levels for their team members, ensuring that only authorized personnel can view and edit important information. This added layer of security not only helps protect your data, but also gives you peace of mind that your information is only accessible by those who need it.

Audit Logs

When it comes to the handling of financial data, accountability and transparency are indispensable. Our detailed audit logs provide a clear and comprehensive record of all actions taken within the platform. These logs allow actions to be traced back to individual users and API keys, assuring accountability for all events. This means that if any issues arise, our customers can quickly and easily identify the source and take the appropriate action. Furthermore, it allows you as a customer to have a clear oversight on your team’s actions and thus makes sure that your business runs smoothly.

Our dashboard allows customers to view and bulk export their audit logs with just a few clicks, making it easy to analyze data and gain insights quickly. Additionally, our enterprise customers can seamlessly stream audit logs directly into their log management systems and SIEMs, ensuring that they have access to critical data whenever they need it.

SAML, SCIM, and MFA Support

Platform-wide support for SAML (Security Assertion Markup Language), provides not only security but also ease of use for our customers. This allows our customers to leverage their existing single sign-on mechanisms. We support this through integration with Auth0 by Okta, a leading provider in identity management, which ensures that our customers can take advantage of the latest and most secure authentication technologies available.

We also support SCIM (System for Cross-domain Identity Management specification), a protocol for directory sync. Directory sync simplifies user lifecycle management for IT admins by providing a single source of truth for information about users. Customers use their identity provider to automate employee onboarding, employee offboarding, and user role provisioning to ensure seamless and centralized role access control.

With MFA (Multi-factor Authentication), our customers can secure their accounts with an extra level of protection, requiring users to provide a second form of authentication, such as a time-based one-time password (OTP) or text message code, in addition to their password. This helps to prevent unauthorized access and keeps your data safe.

SAML, together with MFA, allows you to easily manage the access of your team members, ensuring that only the right people have access to your data.

Designated Resources

Our enterprise customers have the opportunity to request for designated and segmented computing and storage resources that are specifically allocated for exclusive use, ensuring maximum performance and reliability for your operations, and heightened security.

Encryption and Authentication

Strong Encryption

One of the most important things at Modern Treasury is protecting our customers' data. We have implemented strong encryption in transit and at rest to ensure that our customers' data is always secure.

We use Transport Layer Security (TLS) >= 1.2, the industry standard for secure communications, to encrypt all data in transit. This means that all data transmitted between our customers and our servers is protected against eavesdropping and tampering, ensuring that it remains private and secure.

We also use Advanced Encryption Standard (AES) 256-GCM, the most secure encryption method currently available, to encrypt all data at rest. This means that all data stored on our servers is protected against unauthorized access, ensuring that it remains confidential and secure.

Our strong encryption in transit and at rest protocols are designed to meet or exceed the highest industry standards, providing our customers with the peace of mind that their data is always protected.

Authentication via SAML or API Key

Modern Treasury offers both SAML and API key authentication and authorization as our integration options. SAML, or Security Assertion Markup Language, allows for secure exchange of user authentication and authorization data between systems. API keys, on the other hand, provide a secure way for customers to access our platform through a unique identifier and secret key. With these options, our customers can choose the method that best fits their security needs and easily integrate with our platform.

Tokenization

Introducing advanced tokenization technology that provides an additional layer of security for the most sensitive data. With our tokenization process, we further isolate your data by securely storing it in our secure token vault, replacing it with a unique token that can only be used by authorized parts of the system. This process ensures that even in the event of a breach, your sensitive data remains safe and secure.

SOC 2 Type II and SOC 1 Type II Compliant

Modern Treasury is SOC 2 Type II and SOC 1 Type II compliant, which demonstrates our commitment to customer trust, and reinforces our rigorous practices that are recognized as the gold standard for data security and privacy.

External auditors have undergone a thorough examination of our security controls and data handling procedures, and have provided attestation reports without exception. These reports outline our robust Governance, Risk Management, and Compliance (GRC) practices which are continuously tested and monitored.

This level of compliance ensures that we have the necessary controls in place to establish a greater trust with our customers. Please visit our Trust Center for more information.

DPA Complying with GDPR, CCPA and CPRA

We understand the complexities of data processing regulations and the importance of compliance for our customers in the finance industry. We have made it a priority to help our customers comply with regulations such as the GDPR, and the CCPA as amended by the CPRA by providing them with a Data Processing Addendum (DPA) and/or California Privacy Terms.

A DPA is a legal contract between a data controller and a data processor that sets out the terms and conditions for the processing of personal data. It helps customers comply with data processing regulations by outlining the responsibilities of both parties and providing a clear understanding of how personal data will be handled. Our DPA is designed to help customers comply with data processing regulations by clearly defining the roles and responsibilities of both parties. This includes the protection of personal data, security measures, data breaches, and more. It also provides a clear understanding of the data processing activities and any subprocessors involved.

Modern GRC

Modern Treasury leverages a leading automated security and compliance platform to stay compliant by continuously monitoring our employees, systems, and tools to improve security posture.

We understand that the compliance landscape is constantly changing and that's why we are committed to staying ahead of the curve by using the latest technology and best practices. Our automated security and compliance platform ensures that we are always up to date with the latest regulations and standards, and that we are able to respond to potential threats quickly and effectively.

API Security

HTTPS with Strong Ciphers

All of our API traffic uses HTTPS, the industry-standard for secure data transfer, in conjunction with industry-standard ciphers, to ensure that all API traffic is secure point-to-point. HTTPS encrypts the data being transferred between systems, making it impossible for third parties to intercept and read the information. By using industry-standard ciphers, we ensure that the encryption methods we use are up-to-date and secure.

API Key with Granular Permissions and Multi-Layer Encryption

When using Modern Treasury API, we offer API keys that can be generated with granular permissions, giving our customers the ability to control exactly what actions can be performed with the key. Furthermore, our API keys are stored with multiple layers of encryption, ensuring that they are protected from any unauthorized access. We also provide our customers with a robust user interface and API interface that allows them to easily audit and disable any keys that may have been compromised.

IP Allowlisting and Traffic Rate Limiting

To prevent API misuse, our customers can easily configure IP allowlist per API key, giving them the power to determine who has access to their data. In addition, we have traffic rate limiting in place to prevent overuse and misuse of the API. This feature ensures that the API usage is kept within a predefined threshold, preventing any one user or system from overwhelming the API with too many requests. With these features, our API will be available and responsive to legitimate requests while preventing any malicious, accidental, or unauthorized misuse.

Static IPs

Static IP addresses are permanent, unchanging IP addresses, and to help our customers manage their ingress and egress firewalls, Modern Treasury has implemented static IPv4 addresses both for traffic sent to Modern Treasury, and for webhooks received from Modern Treasury. This allows our customers to easily allowlist and authorize access to their resources, and also makes it easy to track and monitor access logs.

Web Application Firewall (WAF)

Our WAF is the ultimate defense against common cyber attacks. It effectively blocks the OWASP Top Ten, the most critical and prevalent vulnerabilities that threaten web applications. With our WAF, web applications are protected against SQL injection, cross-site scripting, and other malicious attacks. It proactively identifies and blocks threats before any damage can be caused. It also provides detailed reporting and forensic capabilities to help us quickly investigate and remediate any security incidents.

Secure Software Development Lifecycle (SDLC)

Comprehensive Scanning

Modern Treasury performs comprehensive scanning during our application development process to ensure that our products are free from vulnerabilities. Our testing includes a combination of static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) to provide the most thorough and accurate results.

SAST analyzes the source code of the application to identify potential vulnerabilities before they can be exploited. DAST, on the other hand, simulates real-world attacks on the application while it is running to identify vulnerabilities that may not be detectable during static testing. And SCA checks all the third-party components used in the application to ensure that they are free from known vulnerabilities.

By using this combination of testing methods, we are able to identify and remediate vulnerabilities early in the development process.

Stringent Change Management

To maintain code quality and ensure accountability in the development process, we have implemented a stringent change management system that promotes best practices in coding and enforces strict guidelines for code review and approval.

Our change management system ensures that all changes to the codebase are thoroughly reviewed and tested before being implemented. This approach allows us to catch potential issues early and ensures that only high-quality code is deployed to production. Furthermore, our system also includes a separation of duties, meaning that different team members are responsible for different stages of the development process. This not only ensures that every code change is thoroughly reviewed but also eliminates the risk of a single individual having too much control over the codebase.

Our change management system is regularly audited to ensure that it is being followed correctly, and we are always looking for ways to improve it.

Continuous Backups

Data availability and continuity of operations is crucial to us. We have a robust data backup and recovery system that ensures that our customers' data is always safe and accessible. Data backups that are continuously taken in multiple cloud data centers located in different regions. This approach ensures that if there is an issue with one data center, data are still accessible. This also allows us to minimize the risk of data loss in the event of natural disasters, power outages, or other unforeseen events.

Our data backup and recovery system is regularly tested to ensure that it is working correctly and that we are able to quickly restore data in case of emergency. We also ensure that all backups are encrypted to protect sensitive information.

Autoscaling

Maintaining excellent availability and performance, and delivering the high SLA that we promised to our customers is one of our core missions. For that, we dynamically adjust the amount of computational resources in our infrastructure, ensuring we provide our service even during peak-hour traffic. We engineered autoscaling at almost every layer of our infrastructure, from database to computing resources, to CDN to DNS.

System Hardening and Top Security Practices

We harden our systems by applying industry-standard system hardening and top security practices. We follow guidelines such as CIS AWS Level 1, which are widely recognized as the best practices for securing cloud-based systems. By adhering to these guidelines, we are able to ensure that our systems are configured in a secure manner, reducing the risk of misconfiguration and weak security configs. Our team regularly monitors and audits our systems to ensure that they are configured correctly and that any new vulnerabilities are identified and remediated quickly.

Intrusion Detection System (IDS)

To detect threats in real time and perform rapid response, we utilize an Intrusion Detection System (IDS) that is deployed across our entire cloud footprint.

The IDS is designed to quickly detect and alert us of any potentially malicious activity and data exfiltration attempts. It uses advanced algorithms and machine learning to analyze network traffic and identify suspicious patterns of behavior. This allows us to take immediate action to investigate and remediate any security incidents. Our IDS is continuously updated with the latest threat intelligence and security updates to ensure that it is always able to detect the latest threats. Any new events identified from the IDS will alert our team for a timely response.

DDoS Protection

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

At Modern Treasury, we leverage the latest cloud technologies to shield against DDoS attacks so we can provide our services and operate with high availability even under such attack.

Infrastructure Scanning

We regularly assess and audit our infrastructure, including customer-facing and backend systems, and internal tooling and resources, using infrastructure configuration scanning to ensure our infrastructure is secure and configured correctly.

The scanning is designed to identify and report any security vulnerabilities, misconfigurations, and compliance issues. By scanning the infrastructure, we are able to quickly identify and remediate any vulnerabilities and misconfiguration in our infrastructure. Our security team regularly monitors and audits the results of these scans and works closely with our development team to ensure that any vulnerabilities are addressed quickly and effectively.

Least Privilege

Principle of Least Privilege (POLP) for employee access ensures that our employees only have the minimum access necessary to perform their job responsibilities. Our access provisioning system is designed to grant access based on an employee's role and responsibilities, and it is regularly reviewed and updated to ensure that it is still in compliance with the POLP. This approach not only helps to protect our customer's data but also helps to minimize the risk of security breaches caused by human error.

Infrastructure as Code (IaC)

Modern Treasury engineering practices IaC. By treating our infrastructure as code, we are able to manage, version and audit our infrastructure in the same way as we do with application code. Our IaC approach allows us to automate the provisioning and configuration of our infrastructure, which ensures that it is consistently configured across all environments. This improves the reliability and consistency of our systems while reducing the risk of human error. It also allows us to easily rollback to previous configurations in case of issues.

Audit Trail

We monitor and record every single activity across the entirety of our cloud infrastructure, allowing us control over storage, analysis, and remediation actions, providing impeccable visibility and accountability. We also store and backup our audit trail at a maximum security location, preventing unauthorized access and malicious tampering.

Threat Intelligence

Cybersecurity is a field of emerging attacks and ever evolving exploitations. To stay ahead of the threats, our team regularly monitors and analyzes the threat intelligence information and data from a variety of sources, including industry reports, government agencies, and other trusted partners. This allows us to stay informed about the latest threats and vulnerabilities and take proactive measures to protect our systems and data.

24/7 Security

We have a dedicated team of information security personnel who are available on call to ensure that your information is always safe and secure. With their expertise and comprehensive security tooling, rest easy knowing that our information security team is working around the clock to keep your data secure and protected from potential threats.

Background Checks and Security Training

Security starts with the people. We conduct thorough background checks and annual security training on all our employees. By conducting background checks, it allows us to hire only the most trustworthy individuals. In addition, we also provide annual security awareness training to our employees to help them stay vigilant and aware of potential threats. This training covers the latest security best practices and helps our staff identify and respond to security risks effectively. We also provide annual security coding training to our developers, which focuses on secure coding practices to prevent potential vulnerabilities in our systems and applications. Our commitment to security is evident in the measures we take to ensure the integrity of our team.

Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC)

With MFA, our employees are required to provide two or more forms of identification before being granted access to any of our systems. This added layer of security ensures that only authorized personnel can access the company’s digital assets. But we don't stop there, we also implement RBAC which ensures that employees only have access to the systems and information that is relevant to their role. This means that even if an attacker manages to compromise an employee's credentials, they would still be unable to access sensitive information that they are not authorized to see.

Next-Gen Antivirus and Endpoint Protection

We equip our employees with the latest and most advanced security technologies. One of the ways we do this is by providing our employees with next-generation antivirus and endpoint detection and response (EDR) software on their workstations. These cutting-edge systems use advanced algorithms and artificial intelligence to detect and block even the most sophisticated cyber threats. They also provide real-time monitoring and protection, ensuring that our employees' workstations are always protected.

Modern Treasury takes a proactive approach to test our systems. One important aspect of this approach is regular third-party penetration testing. This process involves simulating real-world attacks on our systems by penetration testers to identify and address any potential vulnerabilities. We make sure that our testing providers are industry-leading, meaning that they have a team of experts with the necessary knowledge, experience and tools to conduct a thorough and comprehensive testing. Our team works closely with these security professionals to simulate various types of attacks and identify any weaknesses in our systems. We also make sure all our attack surfaces are covered by the testing, not only including external application penetration testing on our web dashboard and API, but also internal penetration testing on our network segmentation and cloud infrastructure. By regularly performing these tests, we are able to identify and address any potential vulnerabilities before they can be exploited.

Modern Treasury hosts a bug bounty program through HackerOne. A bug bounty program is a way for us to identify and fix vulnerabilities in our systems by incentivizing security researchers and ethical hackers to report any bugs or vulnerabilities they find. This allows us to quickly identify and fix potential security threats before they can be exploited by malicious actors. By actively seeking out vulnerabilities, we are able to stay ahead of potential threats and ensure the integrity of our systems.