What information security certifications do you hold?
We are compliant with ISO 27001 and GDPR standards.
Do you have comprehensive policies in place to address information security, data protection, access control, information classification, and security training?
Yes, our policies encompass information security, data protection, access control, and security training. These policies detail our environment, security teams, tools, data protection measures, access control procedures, data classification criteria, and staff security training requirements. They are regularly updated to align with industry best practices.
How regularly are your information security policies reviewed and updated?
Our information security policies undergo an annual review to ensure relevance and effectiveness.
Are staff aware of responsibilities and policies relating to information security?
Staff members receive annual security awareness training to understand and fulfill their roles in maintaining information security.
Is there a formal process for managing vendors, suppliers, and third-party agreements?
Vendor and supplier management procedures are part of our policy.
Is there a documented data classification and retention program in place?
All information is classified based on its sensitivity, and retention periods are established according to legal requirements and business needs.
Is there a risk assessment program in place that assesses projects and services for risks?
We have a comprehensive risk assessment program to ensure that all risks are identified, addressed and managed. Risk assessments are reviewed on a quarterly basis, or in the event of major company changes, to ensure that they remain current and the applied controls remain valid.
Is there a formal process for reporting and responding to privacy complaints?
This forms part of our incident reporting procedures.
How is customer data captured?
The primary method of data capture is via our Behaviour Capture library, a compiled JavaScript library that can be installed into the customer interfaces to capture selected user interactions.
Will customer data be encrypted? How so?
Yes, customer data is encrypted both at rest and in transit using RSA with a 2048-bit key size. This ensures a high level of security for the data, aligning with best practices and compliance standards including GDPR, ISO 27001, and NIST guidelines. Access to encrypted data is restricted to authorized personnel and is subject to regular auditing for compliance and effectiveness.
How is customer data protected, and how long is that data retained?
Protection includes HTTPS, anonymization upon ingestion, end-to-end encryption (in-transit and at-rest), and secure file repositories. We typically retain personal data for up to 10 years, or in line with the policies of financial institutions. Upon request, we’ll delete your personal data promptly, no later than one month following the request.
Are third parties allowed access to customer data?
Customer data is never shared with third parties.
What user information is captured and how is it protected?
User interactions are captured (via our behaviour capture tool) to ensure that a user’s experience is tailored to their interests. This includes metadata about the interaction itself along with an identifier (which we recommend be anonymised in the customer environment). As well as protecting this data in transit and at rest, we also apply additional levels of pseudonymisation and (optional) customer on-premises identity anonymisation.
For more information, read about our Privacy-Centric Identifier Mapping here.
Is there a dedicated team responsible for Information Security or Security Operations?
Information security responsibilities are distributed across the company to oversee security operations and ensure compliance with policies and standards. The leadership team is committed to developing, implementing, and maintaining information security standards across the company, and Management Review and Risk Assessment committees are assigned to manage security goals and monitor risks.
Are roles and responsibilities defined for security roles?
Yes, clear roles and responsibilities are outlined for all security personnel to ensure accountability and effectiveness.
Is background screening performed for all new staff?
Yes, background screening is conducted for all new staff to mitigate potential security risks.
Is there an annual security awareness training program in place for all staff?
Yes, all staff members participate in an annual security awareness training program to enhance their understanding of security best practices.
Is there a physical security program and controls in place for buildings handling sensitive data?
We operate as a fully remote company, but we maintain policies and procedures for the security of home offices. All data storage and processing is maintained using cloud-based infrastructure (Azure).
Is there a change management process requiring approval for high-risk changes?
We follow a change management system for all changes to the organization, business processes, information processing facilities and systems that affect information security.
How are assets managed?
Our policies cover appropriate handling and usage of assets, and an asset management system is in place to properly manage and classify assets, including the classification of assets based on risk and data sensitivity.
How is system maintenance managed to address vulnerabilities and ensure security?
We have a comprehensive patch management program in place to address vulnerabilities and regularly conduct security assessments. Additionally, annual penetration testing is conducted to identify and address any remaining vulnerabilities.
What measures are in place to protect sensitive data and prevent data loss?
We have policies in place to manage removable media, prohibiting their usage within our organization. Furthermore, Data Loss Prevention (DLP) software is implemented to prevent unauthorized sharing of sensitive data. Additionally, all personal devices, including work laptops, are required to be PIN protected, and our password policy mandates regular updates to enhance security.
How are access rights and permissions managed for users within the organization?
Users are granted unique user IDs and access rights are managed through role-based access control (RBAC) mechanisms, ensuring that users have appropriate access levels based on their roles and responsibilities. These access levels are reviewed regularly to maintain the principle of least privilege and ensure that only authorized individuals have access to sensitive resources.
What measures are in place to secure system access, especially for remote users?
Multi-Factor Authentication (MFA) is enforced for system access, particularly for remote users.
How is software development security ensured within the organization?
We follow a formal software development lifecycle (SDLC) framework that incorporates security best practices at every stage of development, including threat modeling and code reviews.
Are firewalls and anti-malware software implemented on all systems?
Yes, firewalls and anti-malware software are deployed on all systems to protect against external threats and malicious activities.
How is incident management approached within the organization?
Incident management follows a structured approach outlined in our incident management policy to ensure swift response and mitigation of security incidents, including investigating the incident, evaluating its severity, and identifying follow-up actions.
What is the process for notifying stakeholders of security incidents?
Our incident management policy includes procedures for notifying customers, third parties, and dependencies of security incidents. Once assessed, relevant parties are promptly notified through appropriate communication channels, ensuring transparency and timely updates regarding the incident.
How is business continuity and disaster recovery managed?
We have a comprehensive business continuity plan (BCP) and disaster recovery plan (DRP) in place to ensure continuity of operations and minimize disruptions during emergencies.
Are backups regularly conducted for data and critical IT systems?
Yes, backups are regularly performed for data and critical IT systems, and they are tested periodically to ensure reliability and effectiveness in disaster recovery scenarios.
How does PersonaFin’s AI work?
Our AI leverages user behavior, market data, and financial trends to deliver personalized insights and content. We provide these outcomes to enhance your platform without requiring deep technical involvement.
Can we see how your AI model works internally?
While our model is proprietary, we understand the importance of compliance. We’re committed to addressing any regulatory or risk management questions in writing, providing the necessary details without disclosing sensitive IP.
Will we have access to customize the model?
While the model itself remains proprietary, our platform is highly flexible. You can adjust the outputs based on your data and users’ needs, ensuring that our solution fits seamlessly with your existing operations.
How does PersonaFin ensure fairness and avoid bias in AI recommendations?
We actively address AI bias through diverse datasets, anonymous user data, and continuous audits. Our models undergo rigorous testing to ensure fairness across various demographics, and we conduct regular reviews to detect and mitigate potential biases. Learn more about our approach to AI fairness here.
What safeguards are in place to ensure the ethical use of AI at PersonaFin?
PersonaFin abides by five core ethical principles: transparency, fairness, accountability, empowerment, and well-being. Our AI provides insights to users, empowering them with personalized recommendations while maintaining full autonomy over decisions. We also comply with global data protection laws to ensure user privacy and security.