At Finance Active, security is not an afterthought. From the outset, the entire information system has been built on the fundamental principles of information security, also known as DICT:
- Confidentiality: prevent the disclosure of information to unauthorized people or systems.
- Integrity: maintain and ensure the accuracy and consistency of your data throughout its entire life cycle.
- Availability: ensure all information is at your disposal at all times.
- Traceability: monitor and log access to information.
Through the implementation of an ISMS (Information Security Management System), Finance Active is committed to achieving and maintaining these principles and the trust of its customers.
Certifications and audit control
- Data centers, offices and Finance Active solutions are certified in line with the ISO 27001:2013 standard
- The management of the Finance Active information system security is aligned with the standard ISO 27001:2013
- This recognized standard aims at the establishment, implementation, maintenance and improvement of the Information Security Management System (ISMS).
- This alignment with the ISO 27001 standard results in the implementation of a set of processes in order to ensure the security of all Finance Active activities.
To continuously reinforce and update its security system, Finance Active is regularly audited by specialized companies. These audits cover the infrastructure, intrusion tests, vulnerability protection and ISMS surveillance audits in accordance with the ISO 27001:2013 standard.
The Finance Active infrastructure is hosted in top-rated European data centres that are highly confidential, unidentifiable from the outside, armoured and under camera surveillance. Apart from shared services such as electrical installations, lighting, air-conditioning and fire detection, the infrastructure that hosts the data (development, acceptance-testing, pre-production and production environments) is entirely owned, controlled, managed and maintained by Finance Active. Finance Active's servers are located on French territory, on platforms not covered by the USA PATRIOT Act.
- The companies selected by Finance Active to host its applications and data are ISO 27001 certified. The ISO/IEC 27001 certificate was issued by Lloyd's Register Quality Assurance. ISO 27001 is an international standard that certifies the security of information systems. It covers a wide perimeter: security policy, business continuity management, physical security, access management and backup systems. The standard requires regular risk re-evaluation and ensures continual improvement.
- Every data centre is guarded 24x7x365 by security personnel and guarantees physical security through:
  - Fireproof protection systems
  - 3-level power supply redundancy
  - Access control by badge and retinal scan, ensuring maximum security
  - Physical supervision during on-site interventions
The Finance Active infrastructure uses a high-availability architecture to enable full operational failover. The failure of a single component (server / disk / switch / firewall) must not result in any customer service interruption or loss of customer data. In case of a primary failure, the redundant architecture allows complete failover to the secondary servers.
Every installation is protected by a cascade of firewalls, IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems) and anti-virus/anti-malware protection.
The internal network infrastructure is securely segmented using firewalls, virtual networks (VLANs) and access control lists (ACLs), which limit access and communication between systems. No system or individual can reach another system unless explicitly authorized to do so. Finance Active has taken measures in terms of firewalls and network hardware to ensure that its infrastructure cannot fall victim to denial of service, theft of information, identity theft or compromise.
- The Finance Active platforms support a variety of SSO authentication protocols (SAML2 / ADFS / Active Directory / LDAP), allowing clients to use their own authentication system and to manage user access centrally. This covers in particular:
  - Password complexity
  - Protection against brute-force attacks
  - Secure password storage
- Internal access is subject to the following policy:
  - Remote access is only authorized via VPN
  - Access is granted according to the principle of least privilege
  - Client data access is strictly limited to competent and qualified people (system administrators / architects and Finance Active experts / RSSI (CISO) / support)
  - Every access is monitored and recorded
- All systems (for example firewalls, routers, network switches and operating systems) used in the provision of Finance Active services log information to their respective system log facility and to a centralized syslog server.
- All data access by customers and collaborators is monitored and logged.
- All data changes by customers and collaborators are monitored and stored in a dedicated system (MongoDB).
- Records are retained according to the backup policy.
- Records are kept in a secured zone to prevent falsification, and only system administrators have access rights.
- Every exchange between Finance Active solutions and clients is encrypted via HTTPS, using Thawte-issued certificates with SHA-256 signatures and 2048-bit RSA public keys.
- Each client and all of its data have a unique identifier. Every time data is requested, the Finance Active applications systematically verify that the user is the rightful owner of the data.
- Each user is assigned a profile that permits or limits read and write access rights.
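The two access-control rules stated above (every request is checked against the record's owner, and a per-user profile then permits or limits read and write rights) are what is often called object-level authorization. The following Python example is added here to illustrate them; it is not Finance Active's code, and the store layout, the profile names "viewer" and "editor", the sample clients and records, and the log format are all constructed for the illustration. Each decision is appended to an access log, in the spirit of the "every access is monitored and recorded" rule, and a refused request gets the same error whether the record is missing, belongs to another client, or is blocked by the profile, so the error cannot be used to enumerate other clients' identifiers.

```python
"""Added example (not Finance Active code): per-request ownership check plus
profile-based read/write rights, with every decision written to an access log.
Profile names, sample clients and records below are constructed assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    READ = "read"
    WRITE = "write"


# Constructed profiles: the page only states that a profile permits or limits
# read and write rights; the names and mapping here are assumptions.
PROFILE_RIGHTS = {
    "viewer": {Action.READ},
    "editor": {Action.READ, Action.WRITE},
}


@dataclass(frozen=True)
class User:
    user_id: str
    client_id: str  # tenant (client) the user belongs to
    profile: str


@dataclass
class Record:
    record_id: str
    owner_client_id: str  # every record carries the id of the client that owns it
    payload: str


class AccessDenied(PermissionError):
    """Raised for any refused request. The message is identical for a missing,
    foreign or profile-blocked record, so existence is never revealed."""


@dataclass
class RecordStore:
    records: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)  # append-only audit trail

    def _log(self, user, action, record_id, allowed, reason):
        self.access_log.append({
            "user": user.user_id, "client": user.client_id, "action": action.value,
            "record": record_id, "allowed": allowed, "reason": reason,
        })

    def _authorize(self, user: User, action: Action, record_id: str) -> Record:
        """Ownership check first, then profile rights; every decision is logged."""
        record = self.records.get(record_id)
        if record is None:
            self._log(user, action, record_id, False, "unknown record")
            raise AccessDenied(f"access denied: {record_id}")
        if record.owner_client_id != user.client_id:
            self._log(user, action, record_id, False, "record belongs to another client")
            raise AccessDenied(f"access denied: {record_id}")
        if action not in PROFILE_RIGHTS.get(user.profile, set()):
            self._log(user, action, record_id, False, f"profile {user.profile} lacks {action.value}")
            raise AccessDenied(f"access denied: {record_id}")
        self._log(user, action, record_id, True, "ok")
        return record

    def read(self, user: User, record_id: str) -> str:
        return self._authorize(user, Action.READ, record_id).payload

    def write(self, user: User, record_id: str, payload: str) -> None:
        self._authorize(user, Action.WRITE, record_id).payload = payload


def demo() -> dict:
    """Exercise the checks against constructed sample data and return the outcomes."""
    store = RecordStore(records={
        "debt-1": Record("debt-1", "client-A", "loan A terms"),
        "debt-2": Record("debt-2", "client-B", "loan B terms"),
    })
    alice = User("alice", "client-A", "editor")   # may read and write client-A data
    bob = User("bob", "client-B", "viewer")       # may only read client-B data
    results = {}
    results["alice_reads_own"] = store.read(alice, "debt-1")
    store.write(alice, "debt-1", "loan A terms v2")
    results["alice_after_write"] = store.read(alice, "debt-1")
    for label, call in [
        ("bob_reads_foreign", lambda: store.read(bob, "debt-1")),        # wrong owner
        ("bob_writes_own", lambda: store.write(bob, "debt-2", "x")),    # viewer cannot write
        ("alice_reads_missing", lambda: store.read(alice, "debt-9")),   # unknown identifier
    ]:
        try:
            call()
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"
    results["log_denied"] = sum(1 for e in store.access_log if not e["allowed"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: the ownership test runs before the profile test, so a user's rights within their own client can never widen into another client's data, and the audit entry records which rule refused the request while the caller only ever sees "access denied".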
The backup strategy of Finance Active is based on:
- Replication of data on redundant backup disks (RAID)
- Duplication of data across different data centres
- Frequent backups (daily, weekly, monthly, yearly)
- Backup retention on magnetic tapes:
  - Daily backups stored for 2 months
  - Weekly backups stored for 2 months
  - Monthly backups stored for 2 years
  - Yearly backups stored for 10 years
- Backups stored in safe deposit boxes
- Backups encrypted with AES-256
- Restoration tests on a planned and regular basis
Activity recovery plan
If the main production servers are lost, the system switches to emergency servers within 1 hour. This process is always functional and is tested daily. The switch is transparent to the user (no change in connection address). If a disaster at the main site affects both the main and emergency servers, Finance Active has a disaster recovery plan at the second data centre. This plan is tested regularly and is operational in less than 2 hours. The switch to this site is equally transparent to the user and offers identical performance capabilities.
Protection of personal data
Finance Active is committed to protecting your privacy. We are ISO 27001:2013 certified by Bureau Veritas, which means that our confidentiality policy and practices have been reviewed and validated by an independent third party. For the protection of personal data, Finance Active has a Data Protection Officer (DPO) who ensures the security of personal data and compliance with the European regulation (GDPR). All data collected by Finance Active is used primarily by its own services and is under no circumstances transferred to third parties. All suppliers selected by Finance Active are committed to complying with the European regulation on the protection of personal data (Privacy Shield, GDPR).