FutureFuel.io Security Overview
FutureFuel.io is a FinHealth platform dedicated to crushing student debt. We believe financial health and freedom are intrinsically linked to privacy and security. Therefore, we take as many steps as possible to secure our systems and make sure our customers' data is safe and sound.
All data transmitted through our systems is secured with TLS 1.1 or above using elliptic-curve Diffie–Hellman keys. These keys have a unique benefit: they cannot be used to decrypt previously encrypted traffic.
All web servers sit behind an application load balancer and web application firewall. This eliminates all direct connections to our servers from the outside world. Only scanned, verified, safe traffic is allowed through from client connections to our actual servers.
All client data is stored in databases that are encrypted at rest. We use Amazon Key Management Service to manage our encryption keys for this process. We encrypt with AES-256 symmetric-key encryption.
All sensitive user financial data, such as bank account numbers, is encrypted a second time so that someone with direct database access cannot read these values. The data is decrypted on the fly and transmitted to the client over an encrypted channel. This means that only the client can view these values under normal site operations.
All user passwords are stored in our database using an irreversible hash function. There is no process by which these passwords can be revealed. Assuming one thousand guesses per second, it would take an average of 870,000 years to correctly guess a user's password that meets our password requirements. If someone forgets their password, we can't give it to them; they need to reset it.
We run an automated vulnerability scan to look for exploits into our systems. Each scan uses the latest Common Vulnerabilities and Exposures (CVE) list to test our systems for potential issues. We also contract a third-party company to further test our systems.
FutureFuel.io infrastructure is hosted and managed within Amazon's secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon's data center operations have been accredited under:
ISO 27001, ISO 27017, ISO 27018
SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3
PCI DSS Level 1
SEC Rule 17a-4(f)
Certifications and Audits
October 2019 – SOC 2 Type 1 and SOC 2 Type 2
Pending – FISMA and ISO 27001
If you have questions about our security overview, you can email us at firstname.lastname@example.org.