Trust Center
At FinQuery, we realize that security and reliability are very important to our clients.
Our clients trust us with their data and we take this responsibility very seriously. Ensuring the security of our clients’ data, and the systems and applications that store this data, is a top priority for us.
FinQuery welcomes any and all security community support to further protect our systems and customers. Please use the following form to register a security-related question or concern.
CATEGORY: Accessibility
TOPIC: Accessibility
FinQuery is committed to making our software applications and websites accessible to people with all levels of ability.
We undertake commercially reasonable efforts towards improving our user experience to ensure we provide equal access to all of our users. As such, our efforts are guided by the Web Content Accessibility Guidelines (WCAG), which define requirements for designers and developers to improve accessibility for people with disabilities.
If you have any questions regarding our applications, contact us at
1-800-880-7270 or support@leasequery.com for assistance and feedback.
CATEGORY: Artificial Intelligence/Machine Learning
TOPIC: AI/ML
FinQuery leverages AI/ML technology to aid our customers in entering the details of their leases as easily, quickly, and accurately as possible.
With permission from select customers, we trained our model to recognize various types of leases to better detect where information is located in an individual lease. The output of the AI/ML system consists of predictions for each relevant field, which are then verified by the customer’s end users. All data is handled using the same security standards for all FinQuery solutions.
CATEGORY: Asset Security
TOPIC: Baselines
FinQuery leverages baselines to ensure compliance, stability, and security. This includes code repositories and version control, hardened/golden images, enforced user and system policies, performance and stability metrics/reporting, and more, with logging and alerting to capture changes.
CATEGORY: Asset Security
TOPIC: Hardening Standards
Servers and client systems are hardened from deployment and maintained afterwards with established hardening practices, security fixes, firewalls, and antimalware tooling. Each server is restricted to only the ports and services required to run the application. Only essential applications are permitted to execute on servers. Access to these servers is highly restricted with least-privilege-based permissions, and only authorized systems are allowed non-HTTPS access via access controls and firewall restrictions.
CATEGORY: Availability and Reliability
TOPIC: Change Management
FinQuery has developed a written change control standard to mitigate the risk that the security, availability and integrity of system software, systems and information are compromised when there are changes to the Solution. No software is permitted to be installed in the production environment for the Solution unless it has been tested, reviewed and approved in accordance with these requirements. These requirements govern the entire change control process, through ticket creation, ticket prioritization, development, quality assurance, communication plans, approval, deployment and hotfixes.
CATEGORY: Availability and Reliability
TOPIC: Code Review
FinQuery uses both manual and automated tooling to scan developed code for security, stability, and efficiency.
CATEGORY: Availability and Reliability
TOPIC: Segregation of Environments
FinQuery separates development and production environments to reduce the risk of unfinished or malfunctioning software being used in production. To accomplish this, FinQuery utilizes web application firewalls, stateful packet inspection firewalls, and access control lists to separate and protect computing environments. Firewall policies and rules are in place and are reviewed periodically to ensure only approved access is allowed.
CATEGORY: Business Continuity
TOPIC: Backups
FinQuery leverages periodic data backups to protect customer information, which is encrypted at-rest and replicated across multiple Amazon Web Services (AWS) availability zones. Backup restores are tested regularly.
CATEGORY: Business Continuity
TOPIC: Business Continuity
FinQuery’s solutions, including all data stored, are hosted in at least two different locations in the United States.
CATEGORY: Business Continuity
TOPIC: Disaster Recovery
FinQuery has developed a written Disaster Recovery plan for business continuity purposes, which is managed by the Company’s Chief Operating Officer and is designed to facilitate the resumption of business operations efficiently following a disaster (which results in the inability of FinQuery or its personnel to perform all or some of their services, regular roles and responsibilities for a period of time). A disaster is not necessarily related to a security event, but depending on the circumstances, both the Security Incident Response Plan and the Disaster Recovery plan could be initiated simultaneously in connection with the same event. FinQuery’s Disaster Recovery plan is assessed, at minimum, annually.
CATEGORY: Compliance
TOPIC: Hardware
FinQuery complies with NDAA Sec. 889 and does not leverage technologies manufactured by the following entities (or any subsidiary or affiliate of such entities):
- Huawei Technologies Company
- ZTE Corporation
- Hytera Communications Corporation
- Hangzhou Hikvision Digital Technology Company
- Dahua Technology Company
CATEGORY: Compliance
TOPIC: HIPAA
FinQuery is not subject to Health Insurance Portability and Accountability Act (HIPAA) because FinQuery’s service does not involve any protected health information.
CATEGORY: Compliance
TOPIC: SOC
FinQuery is audited and receives a SOC 1 Type II report annually, as defined by the American Institute of Certified Public Accountants. FinQuery’s SOC reports are available to all customers and by request for prospective customers. More information can be provided by contacting: complianceinfo@finquery.com
CATEGORY: Data Security
TOPIC: Data Classification
FinQuery leverages multiple classifications to govern the storage and handling of information—both electronic and physical—based on the information’s sensitivity. Information access and disclosure is restricted to authorized parties. All customer data is treated as “highly sensitive confidential information”, the highest level of confidentiality under FinQuery’s Information Security Policy.
CATEGORY: Data Security
TOPIC: Data Encryption At-Rest
Data stored in FinQuery solutions or in backup systems is encrypted with 256-bit AES encryption. This includes full database encryption.
CATEGORY: Data Security
TOPIC: Data Privacy
Please refer to FinQuery’s data privacy statement for more information.
CATEGORY: Data Security
TOPIC: Data Retention and Disposition
FinQuery maintains a written document and data retention standard, which is incorporated into the Information Security Policy, governing the retention, destruction and return of confidential information, including, without limitation, Client Data. FinQuery will retain Client Data consistent with the periods set forth in our Data Retention Standard, provided that if a customer requests earlier deletion in writing, FinQuery will comply with such request. We generally retain customer data for at least 60 days after the termination or expiration of a customer’s subscription (coinciding with quarterly reporting cycles) to ensure customers have sufficient opportunity to retrieve their data; however, customers can also always request the exportation of their data during the term of the subscription or within 60 days thereafter.
CATEGORY: Data Security
TOPIC: Digital Certificates
FinQuery leverages industry-recognized Certificate Authorities to provide full lifecycle management of FinQuery certificates, including enrollment, distribution, validation, revocation, and renewals.
CATEGORY: Data Security
TOPIC: Data Encryption In-Transit
All interchanges of client lease data to and from the Solution are encrypted in transit using TLS 1.2 or higher with a 2048-bit RSA certificate, which is renewed yearly.
CATEGORY: Data Security
TOPIC: Non-disclosure agreements
All FinQuery employees, customers, vendors, and contractors with access to customer data are required to sign agreements with confidentiality obligations.
CATEGORY: Data Security
TOPIC: Secrets Management
FinQuery leverages sophisticated encryption technology, methodologies, and best practices for secrets management throughout our solution.
CATEGORY: Data Security
TOPIC: Password
Passwords are stored as salted one-way hashes using the Secure Hash Algorithm (SHA) family; the plaintext password is never stored.
CATEGORY: Identification, Authentication, Authorization, Auditing, and Accountability
TOPIC: Access Control
Internally, FinQuery leverages Role-Based Access Control (RBAC) methodologies with an approved matrix governing administrative access. FinQuery employees are subject to need-to-know and least-privilege access controls wherever it is practicable to do so, based upon the security requirements and business requirements of individual business applications. FinQuery does not allow shared accounts.
For customer-facing solutions, FinQuery maintains formally defined external user types, with varying access rights and privileges based on the role of the user.
CATEGORY: Identification, Authentication, Authorization, Auditing, and Accountability
TOPIC: Identification
All FinQuery personnel and contracted agencies are uniquely identified and issued unique accounts for identification, authentication, authorization, and accountability. All employees and contracted agencies also require uniquely identifying badges to access FinQuery facilities.
CATEGORY: Identification, Authentication, Authorization, Auditing, and Accountability
TOPIC: Job Roles
Responsibilities of staff regarding information security are formally addressed in FinQuery’s Information Security policy.
CATEGORY: Identification, Authentication, Authorization, Auditing, and Accountability
TOPIC: Passwords
All FinQuery personnel are subject to written policies regarding secure storage of passwords, minimum password strength requirements, mandatory periodic password change requirements, and automatic lockouts after multiple failed login attempts. In addition, FinQuery employs credential management/rotation systems to rotate credentials periodically.
CATEGORY: Identification, Authentication, Authorization, Auditing, and Accountability
TOPIC: Single-Sign On (SSO)
FinQuery supports the following SSO options:
- Secure.finquery.com: Integrates with any single sign-on (SSO) system that supports Security Assertion Markup Language (SAML) 2.0
- FinQuery Software Management: Integrates with Google OAuth 2.0
CATEGORY: Incident Management and Response
TOPIC: Incident Response Plan
FinQuery has developed an integrated Security Incident Response Plan which establishes a cross-functional response team comprised of professionals from all appropriate business functions, including information technology, legal, human resources, public relations, operations, as well as executive management representation. The Security Incident Response Plan contains written procedures for escalating and containing the incident, as well as documenting the response. Following the initial response, the Security Incident Response Plan includes additional procedures regarding after-the-fact analysis, investigation, mitigation and correction, and third-party notification.
CATEGORY: Incident Management and Response
TOPIC: Monitoring and Logging
FinQuery logs are centrally managed and retained according to FinQuery’s Data Retention Policy; while FinQuery cannot disclose the exact retention duration, retention follows that policy. FinQuery utilizes network logging, with monitoring, alerting and reporting, to ensure that no unauthorized users access the system. The security logs include a record of all users who log in to the system along with their IP address, as well as standard Windows logs of any user who logs in to the servers. FinQuery also leverages endpoint monitoring and logs user actions.
CATEGORY: Infrastructure
TOPIC: Data Center
All FinQuery web-based solutions run within Amazon Web Services’ (AWS) cloud infrastructure:
- AWS datacenter compliance controls: https://aws.amazon.com/compliance/data-center/controls/
- AWS datacenter SOC reports: https://aws.amazon.com/compliance/soc-faqs
CATEGORY: Infrastructure
TOPIC: Physical Security
Physical security controls, designed under the supervision of the Chief Information Security Officer, are used to restrict entry into FinQuery facilities and all areas within FinQuery’s facilities where tangible highly sensitive confidential information is physically stored. Visitors to FinQuery facilities are allowed in only for authorized purposes. Employees are instructed to question unfamiliar people who are unescorted or not showing visible identification and are prohibited from facilitating the entry by such unfamiliar people.
CATEGORY: Infrastructure
TOPIC: Cloud Hosting
FinQuery solutions are hosted within Amazon Web Services’ (AWS) data centers and only leverage US-based regions/data centers. For more detail regarding AWS data center security, see: https://aws.amazon.com/compliance/data-center/data-centers/
CATEGORY: Organizational Security
TOPIC: Acceptable Use
FinQuery has developed written requirements regarding the handling and storage of information assets, acceptable access to FinQuery systems and networks, and the secure and acceptable use of FinQuery-issued equipment.
CATEGORY: Organizational Security
TOPIC: Central Contact
FinQuery’s Chief Information Security Officer (CISO) is responsible for developing and enforcing information security policies.
CATEGORY: Organizational Security
TOPIC: Contractor Usage
FinQuery’s potential third-party agencies are required to undergo a thorough information security and legal review before engagement. This includes signing agreements with confidentiality obligations, only accessing FinQuery’s systems and data through approved and monitored means, and restricting access and rights to limit risk exposure. FinQuery performs periodic contractor access reviews to limit exposure risk to data and systems.
CATEGORY: Organizational Security
TOPIC: Employee Background Checks
FinQuery conducts background checks on all new employees prior to commencing work.
CATEGORY: Organizational Security
TOPIC: Employee Status Change
Disablement of access for separated employees is conducted promptly following notice from FinQuery’s Human Resources department. A written User Access Form is completed to identify any access level changes or terminations. When an employee separates from FinQuery, the Human Resources department submits tickets to the Information Technology department requesting the date and time to terminate access. At that time, associated accounts are deactivated, access rights blocked, and all hardware reclaimed. FinQuery performs periodic access reviews to ensure only active full-time employees and contractors have access to the systems.
CATEGORY: Organizational Security
TOPIC: Personnel Security
Each new employee (as a condition of employment) is required to agree to (1) a protective covenants agreement that includes non-disclosure obligations and (2) the Employee Handbook, which incorporates FinQuery’s documented Information Security Policy.
CATEGORY: Organizational Security
TOPIC: Security Program
FinQuery maintains an information security program, which includes policies, standards and practices. The information security program is informed by several industry guidelines and was developed in close consultation with all internal stakeholders as well as third-party security experts. FinQuery’s board meets periodically to review and update applicable policies and convenes more frequently as needed for emergency policy adjustments.
CATEGORY: Organizational Security
TOPIC: Secure Remote Access
FinQuery personnel leverage end-to-end encryption providing a private and secure connection to FinQuery’s network and systems. Virtual Private Network (VPN) connections are monitored and access is audited regularly.
CATEGORY: Organizational Security
TOPIC: Separation of Duties
For incompatible or sensitive functions, FinQuery enforces separation of duties both statically (e.g. role-based permissions) and dynamically (e.g. controlling access at the time of access). FinQuery also enforces the principle of least privilege, restricting the access and rights needed to introduce changes to only those who require them.
CATEGORY: Organizational Security
TOPIC: Training and Awareness
All new hires complete an information security training program and submit a written acknowledgment of receipt of the Company’s Information Security Policy. In addition, FinQuery’s Chief Information Security Officer oversees the provision of recurring periodic training/refreshers on current threats, as well as material changes to policy.
CATEGORY: Organizational Security
TOPIC: Asset Management
All equipment issued by FinQuery to its personnel must be requested, issued, inventoried and returned using a predefined procedure.
CATEGORY: Organizational Security
TOPIC: Procurement
All personnel are instructed to consult with the Chief Information Security Officer before procuring any new systems or forming new vendor relationships that involve (or changing existing vendor relationships so that they involve) any access by the vendor to any FinQuery system or any sharing with the vendor of (including sharing of access to) any confidential information.
CATEGORY: Threat and Vulnerability Management
TOPIC: Antivirus/Antimalware
FinQuery deploys sophisticated antivirus/antimalware on all systems, including heuristic and behavioral-based detection methodologies. Full scans run at least weekly on all systems.
CATEGORY: Threat and Vulnerability Management
TOPIC: Intrusion Detection/Prevention
FinQuery leverages multiple intrusion detection and prevention methodologies and tooling, including AWS GuardDuty and Inspector. Logging and alerting are centralized and monitored for potential intrusion attempts.
CATEGORY: Threat and Vulnerability Management
TOPIC: Penetration Testing
FinQuery actively performs periodic penetration testing using external partners. When vulnerabilities are detected, FinQuery prioritizes remediation based on threat potential, deploys changes to test environments to validate remediation, then uses automated deployments to production, with Quality Assurance testing throughout. FinQuery’s goal is to detect and mitigate all risks as quickly as possible to ensure a high bar of security for our customers. In order to protect our customers, FinQuery cannot disclose the findings of these penetration tests, as that information could be used to compromise FinQuery’s systems.
CATEGORY: Threat and Vulnerability Management
TOPIC: Responsible Disclosure
FinQuery understands that the disclosure of vulnerabilities helps ensure protection and privacy across the internet. FinQuery maintains policies and procedures governing the responsible disclosure of known vulnerabilities which present material risk to FinQuery customers or partners.
CATEGORY: Threat and Vulnerability Management
TOPIC: Risk Mitigation
FinQuery engages in ongoing risk analysis and reporting primarily through a cadence of frequent and regularly scheduled meetings with the Chief Information Security Officer and executive management, including the Chief Executive Officer. The Chief Information Security Officer also maintains contact with security forums and other notification agencies to help identify threats and vulnerabilities.
CATEGORY: Threat and Vulnerability Management
TOPIC: Vulnerability Management
FinQuery actively performs full-stack vulnerability scans using industry-leading tooling. When vulnerabilities are detected or reported, FinQuery prioritizes remediation based on threat potential, deploys changes to test environments to validate remediation, then uses automated deployments to production, with Quality Assurance testing throughout. FinQuery’s goal is to detect and mitigate all risks as quickly as possible to ensure a high bar of security for our customers.