Network Diagram
• A high level network diagram is available on request.

Pentest Report
• Pentest is available upon request.

Backups Enabled
• We conduct backups on a regular basis in the event of an incident that causes data loss.

Data Deletion
• In line with GDPR data deletion is available upon request.

Encryption-at-rest
• All customer data is encrypted at-rest using AES-256.

Encryption-in-transit
• All customer data is encrypted in-transit using TLS 1.2.

Physical Security
• Physical security of our infrastructure is managed by Azure. For more information, please see this overview of Microsoft Azure premises and facilities

Responsible Disclosure
• We value the input of ethical hackers acting in good faith to help us maintain a high standard for the security and privacy for our users and technology. This includes encouraging responsible vulnerability research and disclosure.

Code Analysis
• We use tools to identify issues in our code and third party dependencies.

Credential Management
• All user credentials are securely salted, hashed, and stored by Auth0. We use a secure key vault to manage infrastructure secrets.

Secure Development Policy
• Our Secure Development Policy includes peer review, automated testing, and static code analysis prior to deployment into production.

Vulnerability & Patch Management
• We have a formal vulnerability management process and apply patches based on a documented SLA.

Subprocessors
• SUBPROCESSOR NAME > PURPOSE > LOCATION
• Cloudflare > Content delivery > Worldwide
• Microsoft > Cloud infrastructure > Worldwide

Cyber Insurance
• We have an insurance policy with cyber coverage in the event of a security incident that results in financial damages.

Data Processing Agreement
• https://www.fit2trade.com/dpa/

Master Services Agreement
• Please reach out to our Sales team for a copy of the Master Services Agreement (MSA).

Privacy Policy
• See our Privacy Policy for details on our use of cookies.

Service-Level Agreement
• SLAs are defined in the customer’s MSA.

Terms of Service
• https://www.fit2trade.com/terms/

Cookies
• See our Cookie Policy for details on our use of cookies.

Data Breach Notifications
• In the event of a data breach involving customer data, notifications will be sent in accordance with the terms of the MSA.

Data Privacy Officer
• Our DPO can br contacted at [email protected]

Employee Privacy Training
• Personnel perform security and privacy awareness training on an annual basis. Topics covered include: Passwords, Mobile devices, Social Engineering, Physical security, Phishing, GDPR and CCPA.

PII Usage
• Our platform requires email and name for account registration.

Data Access
• Access to internal systems is granted based on the principle of least privilege and is reviewed on a regular basis.

Logging
• All important security events in our environment are monitored.

Password Security
• We have a strong internal password policy that includes a requirement for MFA for accounts that do not support SSO. Passwords are stored in a company managed password manager.

Azure
• Our infrastructure is primarily hosted in Azure in multiple regions throughout the United States, Europe and the UK.

BC/DR
• We have a formal Business Continuity and Disaster Recovery plan, which is exercised, reviewed and approved annually.

Infrastructure Security
• We utilize infrastructure-as-code techniques to securely deploy resources in our environment.

Network Time Protocol
• We use standard time servers throughout our infrastructure.

Separate Production Environment
• Customer data is not used in non-production environments.

Disk Encryption
• Full-disk encryption is used to protect employee endpoints.

DNS Filtering
• Employee endpoints are protected from malicious web traffic.

Endpoint Detection & Response
• All employee endpoints are protected with an advanced EDR solution.

Mobile Device Management
• All employee endpoints are centrally managed and secured using an MDM solution.

Threat Detection
• Fit2Trade’s Security team proactively monitors for known attacker TTPs, known malicious binaries, and suspicious activity in the environment. They also review anomalous activity and hunt for unknown threats on a regular cadence

Data Exfiltration Monitoring
• We restrict removable media on endpoints and have tools to monitor for suspicious activity, including data exfiltration.

DMARC
• Our domain has DMARC enabled to reduce the risk of spoofing attacks.

Firewall
• We use Firewalls to monitor and control traffic in our infrastructure.

IDS
• Network activity is centrally logged and arbitrary detection logic has been defined to identify attackers and other anomalous behavior and generate alerts for further investigation.

Security Information and Event Management
• Important infrastructure logs are centrally stored and monitored.

Email Protection
• Enterprise-class protection and reliability from Microsoft 365.

Employee Training
• Every 1 Year. Everyone in the Fit2Trade team completes security and privacy awareness training on an annual basis. Topics covered include: Passwords, Mobile devices, Social Engineering, Physical security, Phishing, GDPR and CCPA.

HR Security
• All new employees must pass a background check, sign a non-disclosure agreement, and abide by our company policies and procedures.

Incident Response
• We have a documented Incident Response Plan that is reviewed, tested and approved at least annually.

Internal Assessments
• We conduct an annual risk assessment to identify major gaps in our environment.

Internal SSO
• We use Single Sign-On internally to streamline authentication to internal applications.

Penetration Testing
• We perform annual third party penetration testing.

Acceptable Use Policy
• Employees are required to agree to our Acceptable Use Policy.

Access Control Policy
• Our Access Control Policy defines how access is provisioned for employees.

Anti-Virus and Malware Policy
• To protect software & data by using of appropriate software, guidelines and security measures

Clean Desk Policy
• The purpose for this policy is to establish the minimum requirements for maintaining a “clean desk” – where sensitive/critical information about our employees, our intellectual property, our customers and our vendors is secure in locked areas and out of site. A Clean Desk policy is not only ISO 27001/17799 compliant, but it is also part of standard basic privacy controls.

Code of Conduct
• Employees are required to agree to our Code of Conduct during onboarding.

Cybersecurity Policy 
• The Cyber Security Policy describes the technology and information assets that we must protect and identifies many of the threats to those assets.

Data Management Policy
• All data in our platform is classified based on our Data Management Policy.

email and Instant Messaging Policy
• This policy covers general secure practice for E-mail and Instant Messaging services.

Encryption Standards Policy
• This policy is to outline the company’s standards for use of encryption technology so that it is used securely and managed appropriately.

Incident Response Plan
• We maintain an Incident Response plan in the event of a security related incident.

Incident Management Policy
• The purpose of this policy is twofold: firstly, to ensure that all staff are fully aware and understand the process to be followed if an information security incident occurs; secondly to ensure that all information security incidents are thoroughly documented and recorded.

Information Security Policy
• Our Information Security Policy defines the roles and responsibilities for all employees.

Network Perimeter Security Policy
• This Perimeter Security Policy is designed to protect the data of Fit2Trade and its business partners or any data Fit2Trade is in custody of.

Operations Security Policy
• We have an Operations Security Policy that defines how we log and monitor on our network.

Physical Security Policy
• This policy defines the requirements for establishing physical access controls at Fit2Trade locations.

Risk Management Policy
• We have a Risk Management Policy to ensure that we conduct risk assessments on a regular basis.

Secure Development Policy
• Developers are required to review and accept our Secure Development Policy annually.

Technology & Media Destruction Policy
• The purpose of this policy it to define the guidelines for the disposal of technology equipment and components owned by Fit2Trade.

Third Party Management Policy
• We have a Third Party Management Policy that requires due diligence and NDAs for external parties.

Vulnerability Management Policy
• We have documented Vulnerability Management policies.