Security
Security
Amalgam’s SOC2 Type II audit is pending. Amalgam is compliant with the SOC2 compliance framework, and will have an audit report available by early 2025.
Security & Compliance at Amalgam
Amalgam’s management team establishes policies and controls for the handling of sensitive data by Amalgam team members. We monitor compliance with those controls, and prove our security and compliance to third-party auditors.
Our policies ensure the following:
- Privacy is preserved for our users. Data stored by our application is limited to login data and access keys, with financial data never stored unless deliberately shared by users
- Access to sensitive data is limited to only those with a legitimate business need and granted based on the principle of least privilege
- Security controls should be implemented and layered according to the principle of defense-in-depth
- Security policies and procedures are consistently reviewed and iterated upon
Key Polices
Exclusion of Financial Data
Amalgam’s application processes financial data in-memory, but financial data is never stored in our database. This ensures that ownership of financial information remains unchanged, and privacy is enforced at the highest level.
Data Encryption
All datastores with customer data are encrypted at rest. Sensitive data elements such as access tokens are further encrypted by our application.
Amalgam also uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit. Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers. This means the data is encrypted even before it hits the database so that neither physical access, nor logical access to the database, is enough to read the most sensitive information.
Vulnerability scanning
Amalgam’s codebase undergoes regular vulnerability scanning, with any potential sources of exposure immediately triaged and mitigated.
Endpoint Protection
All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.
Secure Remote Access
Amalgam secures remote access to internal resources using NordLayer, a modern VPN platform. All administrative access to our Application must pass through verified IP Addresses.
Vendor Security
Amalgam regularly reviews its Vendors and assigns them a score based on their access level, potential for exposure, and potential for business interruption.
Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision for the vendor.
Security Education
Amalgam provides comprehensive security training to all employees upon onboarding and annually through educational modules within Vanta, our security compliance software.
Amalgam provides comprehensive onboarding training to new employees, with our focus on security and compliance being reinforced, and our governance policies reviewed and accepted.
Identity and Access Management
Amalgam employees are granted access to applications based on their role, and automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.