Information Security
The following are the levels of security and the processes that we use to ensure that information is properly and securely protected in our computer systems.
- Secure User Login and Password: All users are issued their own login name and password.
These can only be issued by the system administrator or client administrator.
Each user login name is unique to the system. A user picks his or her own password, which is known only to themselves.
Even a system or client administrator does not have access to individual user passwords.
Passwords automatically expire every 90 days.
Each user is required to choose a new password that is different from the previous password prior to the password's expiration.
If a password expires, only a system or client administrator can reset the password. This requires the associated user to choose a new password.
Administrators can suspend a password at any time.
- Secure Connection: When an authorized user connects to our system through the Internet, the connection is secured using 128-bit SSL (Secure Sockets Layer). This is verified by a GeoTrust digital certificate. GeoTrust's Identity Verification Services ensures the identity of business entities and/or individuals in online transactions.
- Server and Database Configuration: Our data resides on servers on private
networks protected from the Internet by several layers of firewalls. All suspicious
activity is prevented and logged by the firewalls. We segregate the data and
the application servers and ensure secure communications between all facets of the
request/response.
- Data Availability: Data is accessible on the system for 60 days and is only available to authorized individual users from the
requesting client. After 60 days the data is archived and stored on separate media and is not accessible by a client user through the Internet.
This archived data can only be retrieved by a special request as a historical view of the original request and must be approved on
a case-by-case basis by an administrator. No data is stored for any length of time on the application server.
- Physical Security of the Servers: The servers are located at an Internet Service Provider (ISP) facility that provides 24-hour-a-day monitoring. This facility utilizes a card access and CCTV monitoring system to control access to the facility. Personnel requiring access to the data center must be on a pre-authorization list and surrender their valid driver’s license prior to being able to proceed into the raised floor area. The servers are located in locked cabinets that can only be accessed by authorized technology support personnel.
Once inside the cabinets, the server console can only be accessed by authorized technical personnel, using IDs that have strong passwords.
ISP personnel do not have access to data.
- System Code and Data: When code and data backups are required, the medium is stored with Iron Mountain, a leader in records and data
protection. The medium is stored in a secured lockbox that cannot be accessed without specific authorization.
- Independent Security Certification and Audits: Our technology has been certified by Secure Works of Atlanta, Georgia.
Secure Works is an approved third party certification agency of the major credit bureaus.
Our technology processes and infrastructure are subject to audit and review at a minimum of every six months and without notice.
These independent findings are reported to the credit bureaus to ensure security compliance.