Ledge is committed to maintaining the confidentiality, integrity and security of our customers’ information and related transaction data. This policy specifies our approach to security and the commitments we make to our customers. This policy is designed to meet the standards specified by the Safeguards Rule promulgated under the Financial Services Modernization Act (FSMA)/Gramm-Leach-Bliley Act (GLBA), and the standards for personal data protection of the FFIEC E-Banking guidelines.
Ledge is also PCI DSS Level 1 compliant.
To respect and maintain the privacy of our customers, Ledge implements the appropriate administrative, technical and physical controls to ensure that it adheres to all promises and commitments stated within its privacy notice.
Ledge strives to ensure that collection and use of customer information is limited to that which is relevant and appropriate for legitimate business purposes and is consistent with this policy and applicable law. All information obtained from our customers shall be properly maintained to ensure that it is accurate, complete, and current. Information is only shared internally and with third parties as permitted by our agreements with customers and by law.
In order to protect the information provided by our customers, Ledge maintains an information security program that implements the administrative, technical and physical controls necessary to protect the security, confidentiality and integrity of our customers’ personal information. Our security program consists of the following elements:
• Management Ownership: Ledge has a designated information security director who is responsible for the overall management of the information security program and coordinates the implementation of all required security controls.
• Risk-Based Approach: For the customer information, business processes and applications that store, transmit, or process information that is proprietary to our customers or our customers’ customers, Ledge identifies and assesses the relevant risks to that information. Based on the risks identified, and taking into consideration the risk probability and risk impact, we then implement, monitor and test security controls to sufficiently mitigate risk. Risk assessments are conducted at least annually to identify changes to our risk posture, and our information security controls are updated as required.
To effect our privacy and information security standards, Ledge has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Ledge hosts its servers within data centers that have achieved ISO 27001 certification and have been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Our data centers undergo annual SSAE16 SOC 1 and SOC 2 audits.
• Information Security Controls: Ledge has developed a set of overarching security controls based upon the primary risks to our customers’ personal information (PII). These security controls may be enhanced for certain applications to address application-specific risks.
• Identity and Access Management:
– Employee and Administrative Access: Ledge maintains tight control over any workforce member (employee, consultant, contractor, third party) that has access to applications that store or process customer PII. Workforce members are only granted access in accordance with the following principles:
• Least Privilege: Access is granted with an appropriate business justification and with only the minimum access rights necessary to perform the job function.
• Segregation of Duties: Ledge maintains and enforces Segregation of Duties as outlined in Ledge’s Segregation of Duties Policy.
– Remote Access: Remote administrative access to any application that stores or processes personal information is controlled using two-factor authentication where technically feasible.
– User Authentication:
• Users are authenticated using a password, two-factor authentication, and other controls, as defined in Ledge’s Information Security Policy.
• User accounts are temporarily suspended after unsuccessful login attempts, as outlined in Ledge’s Information Security Policy.
• Secure Application Architecture and Development:
– Ledge software is developed using commonly accepted security standards and secure code development practices, such as those specified by the Open Web Application Security Project (OWASP), and complies with the standards set in Ledge’s System Development Life Cycle (SDLC) Policy.
• Secure Data Transmission and Storage:
– Ledge software is designed such that all transmission of personal information or financial transaction information is secured using Secure Sockets Layer (SSL) technology.
– Personal information and financial transaction information are stored using at least 256-bit AES encryption or an equivalent standard.
• Security Monitoring: Ledge services are actively monitored using anti-virus and intrusion detection software as outlined in Ledge’s Anti-Virus Policy.
• Data Backup and Retention:
– All data is regularly backed up to secure against unintentional deletion as outlined in Ledge’s Backup Policy.
If you have any questions regarding this policy, please contact us at firstname.lastname@example.org
Last updated: January 1, 2017