FutureFuel.io Security Overview
FutureFuel.io is a FinHealth platform dedicated to crushing student debt. We believe financial health and freedom are intrinsically linked to privacy and security. Therefore, we take as many steps as possible to secure our systems and make sure our customers' data is safe and sound.
All data transmitted through our systems is secured with TLS 1.1 or above using elliptic curve Diffie-Hellman key exchange. These keys have a unique benefit (forward secrecy): they cannot be used to decrypt previously captured traffic.
All web servers sit behind an “Application Load Balancer” and “Web Application Firewall.” This eliminates all direct connections to our servers from the outside world. Only scanned, verified safe traffic is allowed through from client connections to our actual servers.
All client data is stored in databases that are encrypted "at rest." We use the Amazon Key Management Service (KMS) to manage the encryption keys for this process, and we encrypt with AES-256 symmetric encryption.
All sensitive user financial data (such as bank account numbers) is encrypted a second time, so someone with direct database access cannot read these values. The data is decrypted on the fly and transmitted to the client over an encrypted channel. This means that only the client can view these values under normal site operations.
All user passwords are stored in our database using an irreversible hash function. There is no "key" or process by which these passwords can be reversed. Assuming one thousand guesses per second, it would take an average of 870,000 years to reverse a character password that meets our password requirements. If someone forgets their password, we can't give it to them; they need to reset it.
Other Security Measures
We run an automated vulnerability scan to look for exploitable weaknesses in our systems. Each scan applies the newest set of CVE data to test our servers for issues. We also contract a third-party company to test our systems.
FutureFuel.io infrastructure is hosted and managed within Amazon's secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon's data center operations have been accredited under:
ISO 27001, ISO 27017, ISO 27018
SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3
PCI DSS Level 1
SEC Rule 17a-4(f)
Certifications or Audits
We have SOC 2 Type 1 and SOC 2 Type 2 as of October 2019 and are working on FISMA and ISO 27001.
If you have questions or concerns about our security overview, you can email us at firstname.lastname@example.org.