Fero Labs Inc. (‘Fero Labs’) is fully committed to the security of our customers’ data. We protect your data by implementing reliable and up-to-date security measures and by following industry best practices. Our external certifications provide independent assurance of Fero Labs’ dedication to protecting our customers by regularly assessing and validating the protections and effective security practices Fero Labs has in place. Our security practices include and are not limited to:
Data and privacy
We have a privacy policy in place that documents and clearly communicates to individuals the extent of personal information collected, the company's obligations, the individual's rights to access, update, or erase their personal information, and an up-to-date point of contact where individuals can direct their questions, requests or concerns.
We purge or remove customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.
We have formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.
We have documented processes and procedures in place to ensure that any privacy-related complaints are addressed, and the resolution is documented in the company's designated tracking system and communicated to the individual.
We retain customer transaction data for the life of a customer account. No historic transaction data is purged until the customer account is deleted.
We have a privacy policy available to customers, employees, and/or relevant third parties who need them before and/or at the time information is collected from the individual.
We review the privacy policy as needed or when changes occur and updates it accordingly to ensure it is consistent with the applicable laws, regulations, and appropriate standards.
We have established a privacy policy that uses plain and simple language, is clearly dated, and provides information related to the company's practices and purposes for collecting, processing, handling, and disclosing personal information.
We have a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.
Infrastructure security
We have infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.
We perform periodic backups for production data. Data is backed up to a different location than the production system.
We use an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.
Our databases are replicated to a secondary data center in real-time. Alerts are configured to notify administrators if replication fails.
We restrict privileged access to databases to authorized users with a business need.
Our production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.
We complete termination checklists to ensure that access is revoked for terminated employees within SLAs.
We restrict privileged access to the production network to authorized users with a business need.
We require authentication to production data stores to use authorized secure authentication mechanisms, such as unique SSH key.
Our production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
We restrict privileged access to encryption keys to authorized users with a business need.
We prohibit confidential or sensitive customer data, by policy, from being used or stored in non-production systems/environments.
An infrastructure monitoring tool is utilized to monitor our systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.
We restrict privileged access to the application to authorized users with a business need.
Our access control policy documents the requirements for the following access control functions: adding new users, modifying users, and/or removing an existing user's access.
We utilize a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.
We restrict privileged access to the firewall to authorized users with a business need.
Organizational security
We encrypt portable and removable media devices when used.
We deploy anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.
We perform background checks on new employees.
We have a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.
We require passwords for in-scope system components to be configured according to the company's policy.
We require employees to complete security awareness training within thirty days of hire and at least annually thereafter.
We require contractors to sign a confidentiality agreement at the time of engagement.
We maintain a formal inventory of production system assets.
We require employees to sign a confidentiality agreement during onboarding.
We have electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.
Product security
Our databases housing sensitive customer data are encrypted at rest.
We use secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.
We capture system activity, including user activity, in transaction logs.
Our formal policies outline the requirements for the following functions related to IT / Engineering: vulnerability management, system monitoring.
SOC 2 Type II
We successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that our information security practices, policies, procedures, and operations meet the SOC 2 standards for security, the highest standard of security and compliance.
Fero Labs Inc.
520 Broadway
New York, NY 10012, USA
Phone: +1 917 633 6041
Email: security@ferolabs.com