PrecisionLender Security Overview

Provided below is an overview of our technical and organizational measures that are in place to address the security of our offerings. This includes detail on application security, privacy, business continuity/disaster recovery, and compliance. If you have additional questions, please see our Compliance and Due Diligence article.


Application Security

Physical Security

PrecisionLender applications are hosted within Microsoft Azure's cloud of geographically distributed Data Centers. Each facility operates 24x7x365 and is designed to protect operations from power failures, physical intrusions, and network outages. All data centers comply with industry standards (such as ISO 27001) for physical security and availability.

Logical Security

All PrecisionLender clients are provisioned with a unique identifier, which is attached to the user during the login process. All interactions between the user and the application flow through the Access Proxy, which has two core purposes:

  1. Enforce the client data partition
  2. Enforce the rights granted to the user from their associated Security Profile

All operations are client-partitioned and evaluated for authorization, whether they are destined to interact with the database, display information on the screen, or send a welcome email to a new lender. 
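The following is an added example, not PrecisionLender's code, showing the shape of an access proxy as described above: every operation passes through it and is checked first against the client data partition and then against the rights granted by the user's security profile, with each decision written to an audit trail. The profile names, action names and sample data are constructed for this illustration.

```python
"""Added example (not PrecisionLender's code): a minimal access proxy that
enforces (1) the client data partition and (2) the rights granted by the
user's security profile before an operation reaches the database, the UI
layer, or the mailer. Profiles, actions and sample data are hypothetical."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    client_id: str   # unique client identifier attached to the user at login
    user_id: str
    profile: str     # security profile (role) the user was granted


@dataclass
class Operation:
    action: str      # e.g. "pricing:read", "settings:write", "user:invite"
    client_id: str   # partition the operation is about to touch
    params: dict = field(default_factory=dict)


# Hypothetical security profiles and the rights each one grants.
PROFILES = {
    "lender":  {"pricing:read", "pricing:write"},
    "admin":   {"pricing:read", "pricing:write", "settings:write", "user:invite"},
    "auditor": {"pricing:read", "audit:read"},
}


class AccessDenied(PermissionError):
    pass


class AccessProxy:
    def __init__(self):
        self.audit = []   # one entry per decision, allowed or denied

    def decide(self, session, op):
        """Return "allow" or the reason for denial; never raises."""
        if op.client_id != session.client_id:
            outcome = "deny:partition"      # cross-client access attempt
        elif op.action not in PROFILES.get(session.profile, set()):
            outcome = "deny:profile"        # right not granted by the profile
        else:
            outcome = "allow"
        self.audit.append((session.user_id, op.action, op.client_id, outcome))
        return outcome

    def authorize(self, session, op):
        outcome = self.decide(session, op)
        if outcome != "allow":
            raise AccessDenied(
                f"{session.user_id}: {op.action} on {op.client_id} ({outcome})")
        return op

    def scoped_query(self, session, op):
        """Build a database filter whose partition is set by the proxy, not by
        the caller: the session's client_id is applied last, so a caller-supplied
        filter cannot widen the query to another client's rows."""
        self.authorize(session, op)
        caller_filter = op.params.get("where", {})
        return {"table": op.params["table"],
                "where": {**caller_filter, "client_id": session.client_id}}
```

The important design choice is in `scoped_query`: the partition key comes from the authenticated session and overrides anything the caller supplies, so a user cannot reach another client's data simply by naming a different client in the request.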

Access Control

PrecisionLender applications use role-based access control: system resources are available only to users who have been granted permission to them based on their job responsibilities. Users must authenticate to PrecisionLender using a valid user ID and associated password. Our security architecture requires that each request to PrecisionLender carry the user's identity credentials, which is how client data is kept segregated.

PrecisionLender clients can configure custom security policies within the application allowing for:

  • Password length and complexity
  • Password aging and history
  • Account lockout and unlock requirements

Clients have access to an internal security audit trail detailing successful and failed login attempts as well as all changes to settings that may impact security.

PrecisionLender also offers clients the ability to authenticate users via their own SAML 2.0 Identity Providers such as ADFS and Ping Identity.

Network Security

Our network is protected by best-in-class firewall and router technology, TLS encryption, and a network intrusion detection system that monitors and proactively blocks malicious and other unwanted traffic. We retain all log files and perform real-time analysis to proactively monitor network activity.

PrecisionLender enforces the use of HTTPS for all communications and runs regular penetration tests to protect against common and uncommon network exploits. PrecisionLender also has client-configurable IP Restrictions to restrict access to specific IP addresses.

Data Security in Transit and at Rest

All communications between your bank and PrecisionLender are encrypted using industry standard TLS. We also leverage Azure SQL Transparent Data Encryption (TDE) to encrypt all databases at rest.

PrecisionLender follows secure credential storage best practices by storing passwords using the bcrypt (salted) hash function.
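The following added example (not PrecisionLender's code) ties together the client-configurable password policy from the Access Control section (length and complexity, aging and history, lockout) with the salted-hash credential storage described here, and writes every login attempt and password change to an audit trail. It substitutes PBKDF2-HMAC-SHA256 from the Python standard library for bcrypt so it runs offline; the storage pattern is the same (a fresh random salt per password, a deliberately slow hash, constant-time comparison). All policy values, user names and passwords are constructed for the illustration.

```python
"""Added example (not PrecisionLender's code): password policy enforcement,
salted slow-hash storage, lockout and an audit trail. PBKDF2-HMAC-SHA256
stands in for bcrypt so the example runs with the standard library only."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field

ITERATIONS = 100_000   # work factor; bcrypt's cost parameter plays this role


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)                       # fresh salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


@dataclass
class PasswordPolicy:
    """Hypothetical client-configured policy; values are constructed."""
    min_length: int = 12
    min_classes: int = 3          # of: lowercase, uppercase, digit, symbol
    history: int = 5              # previous passwords that may not be reused
    max_age_days: int = 90
    max_failures: int = 5
    lockout_seconds: int = 900

    def complexity_violations(self, password):
        problems = []
        if len(password) < self.min_length:
            problems.append("too_short")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < self.min_classes:
            problems.append("too_few_character_classes")
        return problems


@dataclass
class Account:
    user_id: str
    password_hash: str = ""
    previous_hashes: list = field(default_factory=list)   # newest first
    changed_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self, policy, clock=time.time):
        self.policy = policy
        self.clock = clock          # injectable so aging/lockout can be tested
        self.audit = []             # login attempts and security-relevant changes

    def _record(self, user_id, event, outcome):
        self.audit.append({"at": self.clock(), "user": user_id,
                           "event": event, "outcome": outcome})

    def set_password(self, account, new_password):
        """Return the list of policy violations; empty means the change was applied."""
        problems = self.policy.complexity_violations(new_password)
        recent = ([account.password_hash] if account.password_hash else []) \
            + account.previous_hashes
        if any(verify_password(new_password, h) for h in recent):
            problems.append("reused")
        if problems:
            self._record(account.user_id, "password_change",
                         "rejected:" + ",".join(problems))
            return problems
        if account.password_hash:
            account.previous_hashes.insert(0, account.password_hash)
            del account.previous_hashes[self.policy.history:]
        account.password_hash = hash_password(new_password)
        account.changed_at = self.clock()
        self._record(account.user_id, "password_change", "ok")
        return []

    def login(self, account, password):
        """Return "ok", "expired", "bad_password" or "locked"; every outcome is audited."""
        now = self.clock()
        if now < account.locked_until:
            self._record(account.user_id, "login", "locked")
            return "locked"
        if not account.password_hash or not verify_password(password, account.password_hash):
            account.failures += 1
            if account.failures >= self.policy.max_failures:
                account.locked_until = now + self.policy.lockout_seconds
            self._record(account.user_id, "login", "bad_password")
            return "bad_password"
        account.failures = 0
        if now - account.changed_at > self.policy.max_age_days * 86400:
            self._record(account.user_id, "login", "expired")
            return "expired"
        self._record(account.user_id, "login", "ok")
        return "ok"
```

Two details matter for the audit trail the page mentions: lockout is recorded as its own outcome rather than being folded into a generic failure, and rejected password changes record which rule was violated, so a reviewer can tell a weak-password rejection from a reuse rejection without seeing the password itself.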

Vulnerability Management

PrecisionLender uses industry-recognized, third-party security firms, enterprise-class security scanning solutions, and custom in-house tools to regularly analyze the application and production infrastructure to ensure that vulnerabilities are identified, classified, and remediated appropriately.

Privacy

Data Sovereignty

To support clients with specific data sovereignty requirements, Microsoft Azure has Data Centers around the globe. PrecisionLender can provide local instances of the application to support each client's unique data sovereignty requirements.

Law Enforcement Data Requests

If a government or law-enforcement agency requests client data, PrecisionLender will immediately notify the client of the request. We do not provide any government or law-enforcement agency direct or unfettered access to client data except as directed by a client or where required by law. 

We also do not give access to platform encryption keys, nor do we provide any government with our encryption keys or the ability to break our encryption.

Business Continuity/Disaster Recovery

PrecisionLender protects all databases with Azure's real-time automated backup system, allowing for Point-In-Time (PIT) restore. Additionally, databases are geo-replicated in real time to a secondary Microsoft Azure Data Center to allow for fail-over if required.

PrecisionLender offers a high-availability system. Application status, including availability, server response time, and incident updates, can be found on our status page at http://status.precisionlender.com.

Compliance

Security isn't just about saying you're secure, it's proving it. For this reason, we have several external reviews that occur throughout the year to hold us to the high bar that we've set for ourselves, including a SOC 2, Type II report for the Security and Confidentiality Trust Services Criteria. We also have an annual third-party penetration test. Please see our Compliance and Due Diligence article for our current reports.