We take security seriously.
Your information security is our priority. Learn more about the International Organization for Standardization (ISO) certifications we have achieved, and rest assured that your data is in safe hands.
Security Certifications
Accredify achieved its certifications by establishing and implementing a comprehensive information security management programme that includes cloud security, data protection, and business continuity controls. These controls ensure that the confidentiality, integrity, and availability of Accredify's information and information systems are maintained.
Cloud Security
Procedures and technology that secure cloud computing environments against external and insider cybersecurity threats.
Facilities
Accredify hosts Service Data primarily in AWS data centres that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn more about Compliance at AWS.
AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn more about Data Center Controls at AWS.
On-Site Security
AWS on-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn more about AWS physical security.
Data Hosting Location
Accredify leverages AWS data centres in Singapore or Australia where applicable.
Security Reviews
Accredify minimises risks associated with third-party vendors by performing security reviews on its vendors with any level of access to our systems or Service Data.
Protection
Our network is protected through the use of key AWS security services, with a Web Application Firewall (WAF) placed in front of every endpoint, regular audits, and network intelligence technologies that monitor and/or block known malicious traffic and network attacks.
Architecture
Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply.
Network Vulnerability Scanning
Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing programme, Accredify employs third-party security experts to perform a broad penetration test across the Accredify Production Network each year.
Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect anomalous behaviour. These systems generate alerts when monitored values exceed predetermined thresholds, and they use regularly updated signatures that reflect newly observed threats.
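The two detection styles named above, threshold-based alerting and signature matching, can be illustrated on a stream of access-log events. The following is an added example, not Accredify's own monitoring code: it assumes a simplified one-line-per-request log format (timestamp, source IP, method, path, status), a constructed sample log, and a toy signature list, and it raises one alert per source IP that accumulates five authentication failures inside a sliding 60-second window, plus an alert for any request path matching a signature.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Assumed log format (not Accredify's): "<ISO-8601 ts> <src ip> <METHOD> <path> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Illustrative signatures; a real deployment would load these from a maintained feed.
SIGNATURES = {
    "dotenv-probe": re.compile(r"/\.env$"),
    "path-traversal": re.compile(r"(\.\./|%2e%2e)", re.IGNORECASE),
}

AUTH_FAILURE_STATUSES = (401, 403)


@dataclass(frozen=True)
class Alert:
    kind: str    # "threshold" or "signature"
    ip: str
    detail: str


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    # Python < 3.11 does not accept a trailing "Z" in fromisoformat, so normalise it.
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    event["status"] = int(event["status"])
    return event


def detect(lines, window_seconds=60, failure_threshold=5):
    """Run signature and sliding-window threshold detection over log lines, in order."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of recent auth failures
    already_alerted = set()         # suppress repeated threshold alerts for one ip

    for line in lines:
        event = parse(line)
        if event is None:
            continue

        # Signature detection: known-bad request paths, regardless of status code.
        for name, pattern in SIGNATURES.items():
            if pattern.search(event["path"]):
                alerts.append(Alert("signature", event["ip"], f"{name}: {event['path']}"))

        # Threshold detection: N auth failures from one source within the window.
        if event["status"] in AUTH_FAILURE_STATUSES:
            recent = failures[event["ip"]]
            recent.append(event["ts"])
            while recent and (event["ts"] - recent[0]).total_seconds() > window_seconds:
                recent.popleft()   # drop failures that fell out of the window
            if len(recent) >= failure_threshold and event["ip"] not in already_alerted:
                already_alerted.add(event["ip"])
                alerts.append(Alert(
                    "threshold", event["ip"],
                    f"{len(recent)} auth failures in {window_seconds}s",
                ))
    return alerts


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 203.0.113.5 POST /login 401",
    "2024-05-01T10:00:05Z 203.0.113.5 POST /login 401",
    "2024-05-01T10:00:09Z 198.51.100.7 GET /dashboard 200",
    "2024-05-01T10:00:12Z 203.0.113.5 POST /login 401",
    "2024-05-01T10:00:20Z 203.0.113.5 POST /login 401",
    "2024-05-01T10:00:31Z 198.51.100.7 GET /.env 404",         # signature hit
    "2024-05-01T10:00:33Z 203.0.113.5 POST /login 401",        # 5th failure in 33s -> alert
    "2024-05-01T10:00:40Z 203.0.113.5 POST /login 401",        # suppressed, already alerted
    "2024-05-01T10:01:00Z 192.0.2.9 POST /login 403",
    "2024-05-01T10:01:20Z 192.0.2.9 POST /login 403",
    "2024-05-01T10:01:40Z 192.0.2.9 POST /login 403",
    "2024-05-01T10:02:00Z 192.0.2.9 POST /login 403",
    "2024-05-01T10:02:30Z 192.0.2.9 POST /login 403",          # slow: only 3 within any 60s
    "not a log line",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The slow attacker (192.0.2.9) never trips the threshold because its failures are spread across more than the window, which is exactly the gap that signature matching and longer-horizon analytics are meant to cover; a production detector would also emit the alerts to a SIEM rather than return a list.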
DDoS Mitigation
Accredify has architected a multi-layer approach to DDoS mitigation and has placed a Web Application Firewall (WAF) in front of every endpoint. AWS scaling and protection tools, together with AWS DDoS-specific services, provide further layers of protection.
Logical Access
Access to the Accredify Production Network is granted on an explicit need-to-know basis, follows the principle of least privilege, is regularly audited and monitored, and is controlled by our Engineering Team. Employees accessing the Accredify Production Network are required to use multi-factor authentication.
Security Incident Response
Employees are trained on security incident response processes, including communication channels and escalation paths.
Encryption in Transit
All communications with the Accredify UI and APIs over public networks are encrypted using industry-standard HTTPS/TLS (TLS 1.2 or higher). This ensures that all traffic between you and Accredify is encrypted in transit.
Encryption at Rest
Service Data is encrypted at rest in AWS using AES-256 encryption.
Uptime
Accredify maintains a publicly available system-status webpage.
Redundancy
Accredify employs service clustering and network redundancy to eliminate single points of failure. Service Data is replicated across multiple availability zones, and our strict backup regime allows us to deliver a high level of service availability and recoverability.
Business Continuity
Accredify has developed and implemented business continuity and disaster recovery plans for all of its critical business functions, at both the departmental and the organisational level. Accredify's Business Continuity Management System (BCMS) has been externally audited and certified to ISO 22301:2019.
Disaster Recovery
Our Disaster Recovery (DR) programme ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
Application Security
Accredify's processes and measures for finding and fixing vulnerabilities and strengthening the security of our applications.
Framework Security Controls
Accredify leverages modern, well-maintained open-source frameworks whose built-in security controls limit exposure to the OWASP Top 10 security risks. These controls reduce, but do not on their own eliminate, our exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among others, which is why they are complemented by the scanning and testing described below.
Code Review
All changes to source code undergo automated unit testing, code coverage review, and manual peer code review before being deployed to the Production environment.
Quality Assurance
Builds are put through functionality tests, integration tests, and user experience tests before being deployed to the Production environment.
Version Control
Source code is centrally managed under version control so that every change to it is tracked and attributable.
Separate Environments
Testing and staging environments are separated from the Production environment. No Service Data is used in our development or test environments.
Dynamic Vulnerability Scanning
We employ third-party security tooling to continuously and dynamically scan our core applications against common web application security risks, including but not limited to the OWASP Top 10 security risks.
Static Code Analysis
The source code repositories are scanned for security issues via our integrated static analysis tooling.
Third-Party Penetration Testing
In addition to our extensive internal scanning and testing programme, Accredify employs third-party security experts to perform detailed penetration tests on the different applications within our family of products.
Product Security
Product security encompasses our people, processes, tools, and training to ensure products are secure by design.
Password Policy
Accredify's native product authentication enforces the following password policy: at least 12 characters, including at least one lowercase letter, one uppercase letter, one digit, and one special character.
2-Factor Authentication (2FA)
Accredify's native product authentication offers two-factor authentication (2FA) via an authenticator app or SingPass.
Service Credential Storage
Accredify follows credential storage best practice: passwords are never stored in plaintext or any other human-readable form, only as the output of a secure, salted, one-way password hash.
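The password policy and the salted one-way hashing described in the two sections above fit together at registration and login time. The following is an added example, not Accredify's own authentication code: it assumes the page's policy thresholds, uses PBKDF2-HMAC-SHA256 from the Python standard library with a 16-byte random salt and a self-describing stored record (a memory-hard function such as scrypt or Argon2 is preferable where its library is available), and compares hashes in constant time.

```python
import hashlib
import hmac
import os
import re

# Policy thresholds taken from the page.
MIN_LENGTH = 12
CHARACTER_RULES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Hashing parameters (assumed; OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def policy_violations(password):
    """Return the list of policy rules the password fails; an empty list means it complies."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"length<{MIN_LENGTH}")
    for name, pattern in CHARACTER_RULES.items():
        if not pattern.search(password):
            failures.append(f"missing {name}")
    return failures


def hash_password(password, iterations=ITERATIONS):
    """Hash with a fresh random salt; the record carries its own parameters for future upgrades."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and parameters; constant-time compare."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record):
    """True if the stored record uses weaker parameters than the current policy."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < ITERATIONS


def register(password):
    """Enforce the policy, then return the record to store (never the password itself)."""
    violations = policy_violations(password)
    if violations:
        raise ValueError("password policy: " + ", ".join(violations))
    return hash_password(password)


if __name__ == "__main__":
    stored = register("Tr0ub4dor&3xyz")
    print(stored)
    print(verify_password("Tr0ub4dor&3xyz", stored), verify_password("wrong", stored))
```

Because the salt is random per user, two users with the same password get different records, and because the record names its own iteration count, `needs_rehash` lets the stored hash be upgraded transparently at the user's next successful login.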
PCI DSS
Accredify meets its PCI DSS obligations by delegating card payment processing to Stripe, a PCI DSS-certified payment processor. PCI DSS, the Payment Card Industry Data Security Standard, is the global security standard for all entities that store, process, or transmit cardholder data and/or sensitive authentication data. It sets a baseline level of protection for consumers and helps reduce fraud and data breaches across the entire payment ecosystem.
Human Resource Security
Human resource security at Accredify consists of key controls applied before, during and after employment.
Policies
Accredify has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees. Accredify sends out an awareness announcement relating to information security and data protection to all employees every week.
Training
All employees participate in security awareness training, given upon hire and annually thereafter. The Security team provides additional security awareness updates on a regular basis.
Background Checks
Accredify performs background checks on all new employees. These background checks are also required for contractors. The background check includes criminal, education, and employment verification.
Confidentiality Agreements
All new hires are required to sign Non-Disclosure and Confidentiality agreements.
What Can We Do For You Today?
For any suspected incidents on your Accredify portal, kindly contact incident@accredify.io.