Trust portal
Welcome to our Trust Portal for Fit2Trade.app services where you can discover our unwavering commitment to data security, privacy, and compliance.
Here, you can access our comprehensive compliance documentation, find answers to frequently asked questions related to security and privacy, and explore our robust security practices. We believe in maintaining transparency and building trust with our customers, and this portal is designed to provide you with the information and assurance you need to feel confident in our ability to protect your data.
Product Security
Integrations
• Fit2Trade integrates with different providers via API. API keys are stored in an encrypted database.
Multi-Factor Authentication
• MFA can be enabled for user accounts via an SSO provider.
Role-Based Access Control
• Fit2Trade implements Role-Based Access Control (RBAC) to manage permissions.
Reports
Network Diagram
• A high level network diagram is available on request.
Pentest Report
• Our pentest report is available upon request.
Data Security
Backups Enabled
• We conduct backups on a regular basis so that data can be restored in the event of an incident that causes data loss.
Data Deletion
• In line with GDPR, data deletion is available upon request.
Encryption-at-rest
• All customer data is encrypted at rest using AES-256.
Encryption-in-transit
• All customer data is encrypted in transit using TLS 1.2.
Physical Security
• Physical security of our infrastructure is managed by Azure. For more information, please see Microsoft's overview of Azure premises and facilities.
App Security
Responsible Disclosure
• We value the input of ethical hackers acting in good faith to help us maintain a high standard for the security and privacy for our users and technology. This includes encouraging responsible vulnerability research and disclosure.
Code Analysis
• We use tools to identify issues in our code and third party dependencies.
Credential Management
• All user credentials are securely salted, hashed, and stored by Auth0. We use a secure key vault to manage infrastructure secrets.
Secure Development Policy
• Our Secure Development Policy includes peer review, automated testing, and static code analysis prior to deployment into production.
Vulnerability & Patch Management
• We have a formal vulnerability management process and apply patches based on a documented SLA.
Legal
Subprocessors
• Subprocessor name > Purpose > Location
• Cloudflare > Content delivery > Worldwide
• Microsoft > Cloud infrastructure > Worldwide
Cyber Insurance
• We have an insurance policy with cyber coverage in the event of a security incident that results in financial damages.
Data Processing Agreement
• https://www.fit2trade.com/dpa/
Master Services Agreement
• Please reach out to our Sales team for a copy of the Master Services Agreement (MSA).
Privacy Policy
• See our Privacy Policy for details on our use of cookies.
Service-Level Agreement
• SLAs are defined in the customer’s MSA.
Terms of Service
• https://www.fit2trade.com/terms/
Data Privacy
Cookies
• See our Cookie Policy for details on our use of cookies.
Data Breach Notifications
• In the event of a data breach involving customer data, notifications will be sent in accordance with the terms of the MSA.
Data Privacy Officer
• Our DPO can be contacted at [email protected]
Employee Privacy Training
• Personnel perform security and privacy awareness training on an annual basis. Topics covered include: Passwords, Mobile devices, Social Engineering, Physical security, Phishing, GDPR and CCPA.
PII Usage
• Our platform requires email and name for account registration.
Access Control
Data Access
• Access to internal systems is granted based on the principle of least privilege and is reviewed on a regular basis.
Logging
• All important security events in our environment are monitored.
Password Security
• We have a strong internal password policy that includes a requirement for MFA for accounts that do not support SSO. Passwords are stored in a company managed password manager.
Infrastructure
Azure
• Our infrastructure is primarily hosted in Azure in multiple regions throughout the United States, Europe and the UK.
BC/DR
• We have a formal Business Continuity and Disaster Recovery plan, which is exercised, reviewed and approved annually.
Infrastructure Security
• We utilize infrastructure-as-code techniques to securely deploy resources in our environment.
Network Time Protocol
• We use standard time servers throughout our infrastructure.
Separate Production Environment
• Customer data is not used in non-production environments.
Endpoint Security
Disk Encryption
• Full-disk encryption is used to protect employee endpoints.
DNS Filtering
• Employee endpoints are protected from malicious web traffic.
Endpoint Detection & Response
• All employee endpoints are protected with an advanced EDR solution.
Mobile Device Management
• All employee endpoints are centrally managed and secured using an MDM solution.
Threat Detection
• Fit2Trade’s Security team proactively monitors for known attacker TTPs, known malicious binaries, and suspicious activity in the environment. They also review anomalous activity and hunt for unknown threats on a regular cadence.
Network Security
Data Exfiltration Monitoring
• We restrict removable media on endpoints and have tools to monitor for suspicious activity, including data exfiltration.
DMARC
• Our domain has DMARC enabled to reduce the risk of spoofing attacks.
Firewall
• We use firewalls to monitor and control traffic in our infrastructure.
IDS
• Network activity is centrally logged, and custom detection logic has been defined to identify attackers and other anomalous behaviour and generate alerts for further investigation.
Security Information and Event Management
• Important infrastructure logs are centrally stored and monitored.
Corporate Security
Email Protection
• Email is protected by the enterprise-class protection and reliability of Microsoft 365.
Employee Training
• Everyone in the Fit2Trade team completes security and privacy awareness training on an annual basis. Topics covered include: Passwords, Mobile devices, Social Engineering, Physical security, Phishing, GDPR and CCPA.
HR Security
• All new employees must pass a background check, sign a non-disclosure agreement, and abide by our company policies and procedures.
Incident Response
• We have a documented Incident Response Plan that is reviewed, tested and approved at least annually.
Internal Assessments
• We conduct an annual risk assessment to identify major gaps in our environment.
Internal SSO
• We use Single Sign-On internally to streamline authentication to internal applications.
Penetration Testing
• We perform annual third party penetration testing.
Policies
Acceptable Use Policy
• Employees are required to agree to our Acceptable Use Policy.
Access Control Policy
• Our Access Control Policy defines how access is provisioned for employees.
Anti-Virus and Malware Policy
• This policy protects software and data through the use of appropriate software, guidelines and security measures.
Clean Desk Policy
• The purpose of this policy is to establish the minimum requirements for maintaining a “clean desk” – where sensitive/critical information about our employees, our intellectual property, our customers and our vendors is secure in locked areas and out of sight. A Clean Desk policy is not only ISO 27001/17799 compliant, but it is also part of standard basic privacy controls.
Code of Conduct
• Employees are required to agree to our Code of Conduct during onboarding.
Cybersecurity Policy
• The Cyber Security Policy describes the technology and information assets that we must protect and identifies many of the threats to those assets.
Data Management Policy
• All data in our platform is classified based on our Data Management Policy.
Email and Instant Messaging Policy
• This policy covers general secure practice for E-mail and Instant Messaging services.
Encryption Standards Policy
• This policy is to outline the company’s standards for use of encryption technology so that it is used securely and managed appropriately.
Incident Response Plan
• We maintain an Incident Response plan in the event of a security related incident.
Incident Management Policy
• The purpose of this policy is twofold: firstly, to ensure that all staff are fully aware of and understand the process to be followed if an information security incident occurs; secondly, to ensure that all information security incidents are thoroughly documented and recorded.
Information Security Policy
• Our Information Security Policy defines the roles and responsibilities for all employees.
Network Perimeter Security Policy
• This Perimeter Security Policy is designed to protect the data of Fit2Trade and its business partners, and any other data in Fit2Trade's custody.
Operations Security Policy
• We have an Operations Security Policy that defines how we log and monitor on our network.
Physical Security Policy
• This policy defines the requirements for establishing physical access controls at Fit2Trade locations.
Risk Management Policy
• We have a Risk Management Policy to ensure that we conduct risk assessments on a regular basis.
Secure Development Policy
• Developers are required to review and accept our Secure Development Policy annually.
Technology & Media Destruction Policy
• The purpose of this policy is to define the guidelines for the disposal of technology equipment and components owned by Fit2Trade.
Third Party Management Policy
• We have a Third Party Management Policy that requires due diligence and NDAs for external parties.
Vulnerability Management Policy
• We have documented Vulnerability Management policies.