Security at Figured
Your security & privacy is our highest priority. Learn more below about how we protect your data and our services.
We have put in place appropriate technical and operational measures to ensure the confidentiality, availability and integrity of your personal data at all times. Below is an overview of our approach to security at Figured. We're constantly improving our services and processes to protect your data and will update this page accordingly.
Figured is currently both SOC 2 Type II, and SOC 3 compliant as of October 31, 2021.
Figured was assessed by A-LIGN and has achieved compliance with the following trust principals - Security, Availability and Confidentiality. Learn more.
If you would like a copy of our SOC 2 Type 2 or SOC 3 report, please drop us an email at firstname.lastname@example.org.
Figured maintains documented SDLC policies and procedures to guide employees in documenting and implementing application and infrastructure changes. This includes secure development training, vulnerability scanning, code reviews as well as automated and manual testing.
Web application and network firewalls are in place to protect the Figured application from attacks that may compromise the availability of the service. Figured also has multiple monitoring systems and alerts in place to detect and manage threats.
Two-factor authentication is required for all users in Figured. Learn more about setting it up here. For staff access to the Figured application and its supporting infrastructure, two-factor authentication is enforced.
Figured uses Amazon Web Services (AWS) for cloud hosting. AWS is an industry leader and provides a highly scalable cloud computing platform with end-to-end security and privacy features built-in. AWS maintains SOC 2 and ISO 27001 certifications, among others. Learn more.
The Figured application and its data are hosted by AWS within the United States of America. For more information on international transfers see our Privacy Notice.
Figured has implemented an encryption policy that conforms to international encryption standards such as Transport Layer Security (TLS) and Advanced Encryption Standard (AES). Encryption keys and certificates are centrally managed and protected via secure management systems.
Data is encrypted both in transit and at rest. Customer passwords are hashed and salted; the salting applied is unique and random.
Figured complies with the data compliance requirements in locations where we operate. These include the New Zealand and Australian Privacy Acts as well as the General Data Protection Regulation (GDPR). See our Privacy Notice for the full registry.
To learn more about Figured's approach to GDPR see our Help Centre.
Figured follows a role-based access control (RBAC) system and follows the principle of least privilege when granting employees access to systems. User access to systems is reviewed on a quarterly basis.
Figured has documented business continuity (BCP) and disaster recovery (DRP) plans which document defined procedures for managing and recover from significant events that could affect our ability to provide the service. These plans are tested and reviewed annually.
An Incident management policy and process are in place to guide employees in reporting and responding to information technology incidents. Processes exist to identify, report and act upon system security and data breaches as well as other serious incidents.
Figured supports the responsible disclosure of security vulnerabilities, as it is one of our top priorities to protect the privacy of our customer's data.
We ask that if external parties find any sensitive information, potential vulnerabilities and/or weaknesses that they please help by disclosing it to us in a responsible manner. Learn more.
Figured leverages 3rd party penetration testing firms to test our application annually. Our penetration testing provider is CREST certified.
Figured carries out internal security checks on a quarterly basis. These checks include backup restoration tests, user access/endpoint protection reviews, password/key rotation, vulnerability scanning and security patching.
In order to maintain our SOC 2 compliance, we also undergo yearly external audits.
Get in touch with Figured to get started