AdvicePay Security Statement
Last revised January 24th, 2017
AdvicePay is a cloud application platform that allows firms to focus on advising their clients while AdvicePay focuses on facilitating advisors’ access to online payment technologies. AdvicePay’s hosting provider, Heroku, has represented that it applies security best practices and manages platform security so that customers can focus on their business.
As part of its commitment to working with security researchers to make the platform safer, AdvicePay’s provider Heroku operates a bug bounty program that rewards those who find and report bugs in the Heroku platform. That bug bounty program is managed through Bugcrowd. To see the terms of the program and participate, go to Bugcrowd and sign up as a tester. If you have identified a vulnerability, report it via Bugcrowd to be eligible for a reward.
It has been represented to AdvicePay that (i) Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology, (ii) Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards, and (iii) Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
PCI compliance enquiries regarding the encryption and processing of credit card payments may be directed to the credit card payment provider Stripe, with whom you opened an account when registering for the AdvicePay system.
Heroku represented to AdvicePay that:
- (i) third-party security testing of the Heroku platform is performed by independent and reputable security consulting firms;
- (ii) findings from each assessment are reviewed with the assessors, risk ranked, and assigned to the responsible team;
- (iii) Heroku undergoes penetration tests, vulnerability assessments, and source code reviews to assess the security of the application, its architecture, and its implementation;
- (iv) third-party security assessments cover all areas of the platform, including testing for OWASP Top 10 web application vulnerabilities and for isolation between customer applications;
- (v) Heroku works closely with external security assessors to review the security of the platform and applications and to apply best practices; and
- (vi) issues found in applications are risk ranked, prioritized, and assigned to the responsible team for remediation, and Heroku’s security team reviews each remediation plan to ensure proper resolution.
Customer Security Best Practices
- Encrypt Data in Transit
- Enable HTTPS for applications and TLS/SSL database connections to protect sensitive data transmitted to and from applications. For database connections, use a TLS mode that verifies the server certificate rather than one that merely encrypts the channel, so that a forged server cannot intercept the connection.
- To prevent unauthorized account access, use a strong passphrase for your AdvicePay account, store the passphrase securely to prevent disclosure, and replace it if it is lost or disclosed.
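The two transport-encryption practices above, as an added worked example that is not AdvicePay’s or Heroku’s own code: a helper that rewrites a Heroku-style DATABASE_URL so libpq verifies the server certificate and hostname (sslmode=verify-full), and a small WSGI middleware that redirects plaintext HTTP to HTTPS and adds an HSTS header. It assumes a TLS-terminating proxy in front of the app that sets X-Forwarded-Proto (as Heroku’s router does); the sample URLs, hostnames and certificate path are constructed for illustration.

```python
"""Added example (not from the AdvicePay page): enforce TLS for a
Heroku-style app.  (1) harden_database_url() rewrites a libpq URL so the
client verifies the server's certificate chain AND hostname.
(2) RequireHTTPS is a WSGI middleware that 301-redirects plaintext
requests and adds Strict-Transport-Security to HTTPS responses.
All hosts, paths and URLs below are constructed sample values."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# libpq sslmode values that either permit plaintext or skip hostname checks.
WEAK_SSLMODES = {"disable", "allow", "prefer", "require", "verify-ca"}


def audit_database_url(url: str) -> list:
    """Return a list of findings (empty means the URL already enforces
    certificate verification)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    mode = params.get("sslmode", "prefer")   # libpq default is 'prefer'
    findings = []
    if mode in WEAK_SSLMODES:
        findings.append(f"sslmode={mode} does not verify the server identity")
    if "sslrootcert" not in params:
        findings.append("no sslrootcert: CA chain cannot be checked")
    return findings


def harden_database_url(url: str, sslrootcert: str) -> str:
    """Rewrite a postgres:// URL to sslmode=verify-full with a pinned CA bundle.
    Keeps credentials, host, port, database and any other query params."""
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params["sslmode"] = "verify-full"      # encrypt + verify chain + verify hostname
    params["sslrootcert"] = sslrootcert    # CA bundle the DB provider publishes
    return urlunsplit(parts._replace(query=urlencode(params)))


class RequireHTTPS:
    """WSGI middleware: refuse plaintext HTTP, add HSTS on HTTPS responses."""

    def __init__(self, app, trust_proxy_header: bool = True):
        self.app = app
        # Assumption: a trusted TLS-terminating proxy (e.g. the platform router)
        # sets X-Forwarded-Proto.  Only trust it when such a proxy exists.
        self.trust_proxy_header = trust_proxy_header

    def _is_https(self, environ) -> bool:
        if environ.get("wsgi.url_scheme") == "https":
            return True
        if self.trust_proxy_header:
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip()
            return proto.lower() == "https"
        return False

    def __call__(self, environ, start_response):
        if not self._is_https(environ):
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            location = "https://" + host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            headers = list(headers) + [
                ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def hello_app(environ, start_response):
    """Minimal inner application used for the demonstration."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def dispatch(app, environ):
    """Run one WSGI request in-process; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def sample_environ(proto: str) -> dict:
    """Constructed request as a TLS-terminating proxy would forward it."""
    return {"wsgi.url_scheme": "http", "SERVER_NAME": "app.example.com",
            "HTTP_HOST": "app.example.com", "PATH_INFO": "/pay",
            "QUERY_STRING": "id=7", "HTTP_X_FORWARDED_PROTO": proto}


if __name__ == "__main__":
    weak = "postgres://user:pw@db.example.com:5432/app?sslmode=disable"
    print(audit_database_url(weak))
    print(harden_database_url(weak, "/etc/ssl/certs/db-ca.pem"))
    app = RequireHTTPS(hello_app)
    print(dispatch(app, sample_environ("http")))
    print(dispatch(app, sample_environ("https")))
```

The redirect branch deliberately trusts X-Forwarded-Proto only when `trust_proxy_header` is set; on a deployment without a proxy, leave it False so a client cannot spoof the header to bypass the redirect.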