We take security seriously.

Your information security is our priority. Learn more about the numerous International Organisation for Standardization (ISO) certifications we have received, and rest assured that your data is in safe hands.

Security Certifications

Accredify achieved certifications by establishing and implementing a comprehensive information security management programme which includes cloud security, data protection, and business continuity controls. These controls ensure confidentiality, integrity, and availability of information and information systems of Accredify are maintained and upheld.

Cloud Security

Procedures and technology that secure cloud computing environments against external and insider cybersecurity threats.

Facilities

Accredify hosts Service Data primarily in AWS data centres that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn more about Compliance at AWS.

AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn more about Data Center Controls at AWS.

On-Site Security

AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn more about AWS physical security.

Data Hosting Location

Accredify leverages AWS data centres in Singapore.

Security Reviews

Accredify minimises risks associated with third-party vendors by performing security reviews on its vendors with any level of access to our systems or Service Data.

Protection

Our network is protected through the use of key AWS security services, with a Web Application Firewall (WAF) placed in front of every end point, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Architecture

Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply.

Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

Third-Party Penetration Tests

In addition to our extensive internal scanning and testing programme, Accredify employs third-party security experts to perform a broad penetration test across the Accredify Production Network each year.

Intrusion Detection and Prevention

Service ingress and egress points are instrumented and monitored to detect anomalous behaviour. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats.

DDoS Mitigation

Accredify has architected a multi-layer approach to DDoS mitigation and have placed a Web Application Firewall (WAF) in front of every end point. The use of AWS scaling and protection tools provide deeper protection along with our use of AWS DDoS specific services.

Logical Access

Access to the Accredify Production Network is restricted by an explicit need-to-know basis, utilises least privilege, is frequently audited and monitored, and is controlled by our Engineering Team. Employees accessing the Accredify Production Network are required to use multiple factors of authentication.

Security Incident Response

Employees are trained on security incident response processes, including communication channels and escalation paths. 

Encryption in Transit

All communications with Accredify UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Accredify is secure during transit. 

Encryption at Rest

Service Data is encrypted at rest in AWS using AES-256 key encryption.

Uptime

Accredify maintains a publicly available system-status webpage.

Redundancy

Accredify employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Business Continuity 

For all Accredify critical business functions on both departmental and organisational level, Accredify has developed and implemented its business continuity and disaster recovery plans accordingly. Accredify’s Business Continuity Management System (BCMS) have been externally audited and certified for ISO 22301:2019. 

Disaster Recovery 

Our Disaster Recovery (DR) programme ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities. 

Application Security

Accredify’s processes and measures to make our application more secure by finding, fixing and enhancing the security of applications.

Framework Security Controls

Accredify leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Code Review 

All changes to source code undergoes automated unit testing, code coverage review, and manual peer code review before being deployed to the Production environment. 

Quality Assurance

Builds are put through functionality tests, integration tests, and user experience tests before being deployed to the Production environment. 

Version Control 

Source code is centrally managed with version controls to ensure that all changes to the source code are tracked.  

Separate Environments

Testing and staging environments are separated from the Production environment. No Service Data is used in our development or test environments.

Dynamic Vulnerability Scanning

We employ third-party security tooling to continuously and dynamically scan our core applications against common web application security risks, including but not limited to the OWASP Top 10 security risks.

Static Code Analysis

The source code repositories are scanned for security issues via our integrated static analysis tooling.

Third-Party Penetration Testing

In addition to our extensive internal scanning and testing program, Accredify employs third-party security experts to perform detailed penetration tests on different applications within our family of products.

Product Security

Product security encompasses our people, processes, tools, and training to ensure products are secure by design.

Password Policy 

Accredify native authentication for products provide the following password policy: at least 12 characters, at least 1 lowercase character, at least 1 uppercase character, at least 1 special character, and at least 1 digit. 

2-Factor Authentication (2FA)

Accredify native authentication for products offers 2-factor (2FA) via an authenticator app or SingPass.

Service Credential Storage

Accredify follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.

PCI DSS

Accredify is PCI compliant through our use of Stripe. PCI DSS, which stands for Payment Card Industry Data Security Standard, is the global security standard for all entities that store, process, or transmit cardholder data and/or sensitive authentication data. PCI DSS sets a baseline level of protection for consumers and helps reduce fraud and data breaches across the entire payment ecosystem.

Human Resource Security

Accredify’s human resource security are key controls that are applied before, during and after the hiring of employees.

Policies

Accredify has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees. Accredify sends out an awareness announcement relating to information security and data protection to all employees every week. 

Training

All employees participate a Security Awareness Training, which is given upon hire and annually thereafter. The Security team provides additional security awareness updates on a regular basis.

Background Checks

Accredify performs background checks on all new employees. These background checks are also required for contractors. The background check includes criminal, education, and employment verification. 

Confidentiality Agreements

All new hires are required to sign Non-Disclosure and Confidentiality agreements.

What Can We Do For You Today?

For any suspected incidents on your Accredify portal, kindly contact incident@accredify.io.