Describe Ledgersync's Security?
At Ledgersync, we prioritize security with robust measures to protect our clients' data. Here is an overview of our security protocols:

1. User/Password Security: Ledgersync does not store user/password information when using the MasterCard API. The MasterCard API handles most of the bank statement fetching, so Ledgersync never sees or stores those passwords. For checks and statements fetched directly by Ledgersync (e.g., from Chase), we use bank-level AES-256 encryption, one of the strongest encryption standards in use at financial institutions.
2. MasterCard Widget Security: All data transmission through the MasterCard fetcher is managed by the secure, fixed MasterCard Widget, similar to the Plaid screen seen in Venmo. User/password information therefore never passes through our infrastructure; it is handled entirely by MasterCard's systems.
3. Rigorous User Authentication: Our sign-up process includes strict validation and authentication:
   - Blocking non-corporate email addresses (e.g., Gmail, Yahoo).
   - Validating the company's domain.
   - Using email-validation software to score each address.
   - Enforcing multi-factor authentication (MFA) during registration.
4. Manual Verification: Even after registration, users cannot access the MasterCard widget until they pass a manual verification step, adding a further layer of security.
5. Google Cloud Infrastructure: Ledgersync's infrastructure is hosted on Google Cloud and leverages Google's extensive security measures. We have enabled the advanced security settings within Google Cloud. Any unauthorized access to Ledgersync would first require breaching Google's security, which is an immense challenge.
6. Database Encryption: Our database employs multiple layers of encryption. All communication between Ledgersync's front end and back end is encrypted with 256-bit encryption, and each bank statement fetched is encrypted as well, adding another layer of protection.
7. Credit Card Processing: Ledgersync uses Stripe for credit card processing and Zoho Subscriptions for invoicing. We do not store credit card information on our systems; Stripe handles it securely.
8. SOC 2 Compliance: We are in the final stages of SOC 2 compliance, approximately 70% complete. The remaining steps involve completing the necessary paperwork. Our commitment to achieving full SOC 2 compliance demonstrates our dedication to maintaining high security standards.
9. Continuous Security Reviews: We conduct ongoing security reviews to ensure our system remains secure, implementing constant upgrades and improvements to address emerging threats.
10. Secure Internal Connections: All internal connections to Ledgersync are made over a secure VPN, providing additional protection for internal data flows.
11. Google Security Center Implementation: We are in the process of implementing Google Security Center, which will provide comprehensive oversight of all Ledgersync traffic, including multiple logs and automated reporting, adding another layer of security.
12. Access Controls: Access to Ledgersync's stored passwords and backend infrastructure is tightly controlled, with multiple layers of encryption and only a very limited number of authorized personnel having access.
MasterCard’s security protocols are among the most stringent in the industry, ensuring bank credentials are highly secure. Combined with Ledgersync’s multiple layers of encryption and firewall protections, we provide a secure environment for our clients’ financial data.
13. Incident Response Plan: Ledgersync has a detailed incident response plan to address any security breaches or vulnerabilities promptly. We regularly conduct drills to ensure our team is prepared for any incidents.
14. Employee Training: All employees undergo regular security training to stay updated on the latest security best practices and emerging threats.
15. Data Anonymization: When applicable, we employ data anonymization techniques to further protect user privacy.
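The sign-up screening described in item 3 (blocking consumer mail providers, checking that the address belongs to the claimed company domain, and scoring the address) can be sketched as a small pipeline. The following is an added illustration written for this page, not Ledgersync's own code: the free-mail blocklist, the company domains, and the MX table are constructed sample data, and `stub_mx_lookup` stands in for a real DNS query so the example runs offline. MFA enforcement (the fourth step) lives in the identity provider and is not modelled here.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed blocklist of consumer (non-corporate) providers. A production
# deployment would use a maintained list with thousands of domains.
FREEMAIL_DOMAINS = frozenset({
    "gmail.com", "googlemail.com", "yahoo.com", "outlook.com", "hotmail.com",
    "icloud.com", "aol.com", "protonmail.com", "proton.me",
})

# Constructed stand-in for DNS: maps a domain to its MX hosts. A real system
# would query DNS (e.g. via dnspython); "no-mail-corp.com" is deliberately
# absent to model a domain that exists in name only.
FAKE_MX = {
    "acme-accounting.com": ["mx1.acme-accounting.com"],
    "gmail.com": ["gmail-smtp-in.l.google.com"],
}

def stub_mx_lookup(domain: str) -> list[str]:
    """Hypothetical MX resolver used so the example runs without network access."""
    return FAKE_MX.get(domain, [])

# Conservative syntax checks: ASCII local part, DNS-label rules for the domain.
LOCAL_RE = re.compile(r"^[a-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def parse_email(address: str) -> Optional[tuple[str, str]]:
    """Normalize to lowercase and split into (local, domain); None if malformed."""
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if (not local or local.startswith(".") or local.endswith(".")
            or ".." in local or not LOCAL_RE.match(local)):
        return None
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        return None
    return local, domain

def registrable_domain(domain: str) -> str:
    """Naive eTLD+1 (last two labels). Assumption: no multi-label public
    suffixes such as co.uk; a real system would consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

@dataclass
class ScreeningResult:
    accepted: bool
    score: int
    reasons: list[str] = field(default_factory=list)

def screen_signup(email: str, claimed_company_domain: str,
                  mx_lookup: Callable[[str], list[str]] = stub_mx_lookup) -> ScreeningResult:
    """Apply the blocklist, the company-domain match and an MX check, then score.
    Score starts at 100 and is reduced per finding; 70 or more is accepted."""
    parsed = parse_email(email)
    if parsed is None:
        return ScreeningResult(False, 0, ["malformed address"])
    local, domain = parsed
    reasons: list[str] = []
    score = 100

    # Step 1: consumer providers are rejected outright, no scoring.
    if registrable_domain(domain) in FREEMAIL_DOMAINS:
        return ScreeningResult(False, 0, ["free-mail provider blocked"])

    # Step 2: the address must belong to the claimed company domain
    # (subdomains of it are allowed).
    claimed = registrable_domain(claimed_company_domain.strip().lower())
    if registrable_domain(domain) != claimed:
        reasons.append("email domain does not match company domain")
        score -= 60

    # Step 3: a domain that cannot receive mail cannot complete verification.
    if not mx_lookup(domain):
        reasons.append("no MX records for domain")
        score -= 50

    # Role mailboxes are weaker evidence that a real person is registering.
    if local.split("+")[0] in {"admin", "info", "test", "noreply", "sales"}:
        reasons.append("role/generic mailbox")
        score -= 20

    return ScreeningResult(score >= 70, max(score, 0), reasons)
```

The hard block on free-mail providers happens before any scoring so that a Gmail address never reaches the manual-verification queue, while softer findings (role mailbox, subdomain mismatch) only lower the score and leave the final decision to the threshold and to the manual step in item 4.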