Data and Encryption Policies
Data Centers and Location
Fundwave production services are primarily hosted on Amazon Web Services (“AWS”) EC2 platform. The physical servers are located in AWS EC2 data centers. As of this date, AWS (i) has certifications for compliance with ISO/IEC 27001:2013, 27017:2015 and 27018:2014, (ii) is certified as a PCI DSS 3.2 Level 1 Service Provider, and (iii) undergoes SOC 1, SOC 2 and SOC 3 audits (with semi-annual reports). Additional details about the AWS compliance programs, including FedRAMP compliance, can be found at AWS’ website.
Some Fundwave production services (including Dealflow and Captables) are hosted on the Google Cloud Platform ("GCP"). The physical servers are located in GCP's data centers. As of this date, GCP has certifications for compliance with ISO/IEC 27001, 27017, 27018, 27110, 27701 and undergoes SOC 1, SOC 2 and SOC 3 audits. Additional details about GCP's compliance programs can be found on GCP's website.
User content can also be found in Fundwave backups, stored in AWS EC2, S3, Glacier and GCS. For some products and plans, we offer customers the option of hosting Fundwave from a choice of available locations, or to otherwise use Fundwave on a separate infrastructure. For some products and plans, we offer customers the option of hosting Fundwave in a single tenant environment, with the ability of storing backups in an available location of their choice.
We maintain separate and distinct production, staging, and development environments for Fundwave.
Fundwave uses Cloudflare for DDoS protection. AWS Network ACLs and Security Groups are used to restrict access to Fundwave’s systems as appropriate to their role. These security rules are actively monitored, with alerting mechanisms in place for any changes to the configuration. Public access is restricted to ports 443 and 80.
If SSO or OAuth is used to access Fundwave, Fundwave will inherit the login security settings in the user's IdP or Google account.
If logging in directly to Fundwave using a username or email and password, Fundwave requires a password of at least 8 characters that must include special characters, numbers and letters of different case. Passwords are stored in a hashed form and will never be sent via email. Upon account creation and password reset, Fundwave will send a link to the email associated with the account that will enable the user to create a new password.
Password complexity and session length requirements cannot be customized within the app. However, these can be set within an IdP for an SSO-enforced team.
Fundwave maintains a list of Authorized Personnel with access to the production environment. These members undergo criminal background checks and are approved by Fundwave’s Engineering management. Fundwave also maintains a list of personnel who are permitted to access Fundwave code, as well as the development and staging environments. These lists are reviewed quarterly and upon role change.
Trained members of the Fundwave customer support team also have case-specific, limited access to user data stored in Fundwave through restricted access customer support tools. Customer support team members are not authorized to review non-public user data stored in Fundwave for customer support purposes without explicit permission. When a Fundwave user submits a support ticket, they have the option of authorizing the customer support team to view their data. The Fundwave customer support team will only receive such access to the account if it is granted by the user, either by selecting the "Give Fundwave support staff temporary access to your account" option when submitting a help request, or by clicking a link sent to the user's email by the Fundwave Support team. The account owner can revoke such access at any time.
Upon role change or leaving the company, the production credentials of Authorized Personnel are deactivated, and their sessions are forcibly logged out. Thereafter, all such accounts are removed or changed.
Public Content and Other Permissions
Third Party Access
In some instances our offices share buildings with other companies. For that reason, we require mandatory visitor check-in with the building security team. Additionally, visitors require an escort throughout the building at all times. Employee access to physical facilities is protected by electronic card readers and building security.
Fundwave's production services are hosted on Amazon Web Services’ (“AWS”) EC2 platform. The physical servers are located in AWS’ secure data centers. We require that production critical data is never to be stored by those with privileged access on physical media outside of our data hosting provider's production environments. See above for information on AWS’ compliance programs.
Fundwave uses industry standard Transport Layer Security (“TLS”) to create a secure connection using 128-bit Advanced Encryption Standard (“AES”) encryption. This includes all data sent between the web, desktop, iOS, and Android apps and the Fundwave servers. There is no non-TLS option for connecting to Fundwave. All connections are made securely over HTTPS.
Encryption keys for Fundwave backups, stored in S3, are managed by Amazon. The encryption, key management, and decryption process is inspected and verified internally by Amazon on a regular basis as part of their existing audit process. Encryption keys for Fundwave attachments managed by our team are rotated upon relevant changes of roles or employment status. Encryption keys managed by our team are not stored outside of Fundwave’s production backup environment and are managed by our SRE team. Fundwave backups are of the entire data set, so they are encrypted using a shared key.
All key production services used by Fundwave to offer its services are protected by multi-factor authentication.
Backup, Business Continuity, and Disaster Recovery Policy
Data entered into Fundwave is backed up regularly (usually every business day). All backups are encrypted and stored on Amazon S3 and rely on Amazon S3’s internal redundancy mechanism to help ensure that they are available in the unlikely event that a restore is necessary.
For some user data that is stored on a shared infrastructure, it is not possible for us to recover a subset of that information from backups. Read more about it here.
Only authorized members of the Fundwave operations team have access to the backup locations, so that they are able to monitor the performance of the backup processes and to perform a restore in the very unlikely event that one becomes necessary. After 90 days (or 365 days for some plans / products), the encrypted backup files are destroyed.
Fundwave data is available for export by board members in JSON format via the Fundwave REST API. File attachments can be individually retrieved directly from Amazon S3 using the file’s unique hyperlink.
Authorized Personnel usually run Linux as their workstation operating system. Given the lack of prevalence of viruses for that platform, our policy does not require those workstations to run antivirus. Where a non-Linux environment is used, we require installation of antivirus software. All of the existing controls for Authorized Personnel, including restricting access from those workstations to the production environment via SSH terminal connections only and with no replication of user data onto those workstations, still apply.
Security Awareness and Confidentiality
Security awareness and user data access policies are covered during our employee onboarding as appropriate to the role and employees are updated as relevant policies or practices change. Our employees also sign a confidentiality agreement.
All our employees undergo an extensive interview process before hiring.
Due to unforeseen events, we may have to infrequently perform unplanned maintenance on Fundwave infrastructure or software components. This maintenance might cause some or all of the Fundwave services to be inaccessible by our users for a period of time. It is our goal to do this as infrequently as possible. Any unplanned or emergency maintenance that causes Fundwave to be inaccessible for more than a couple of minutes will be announced on our blog, or by email or in-app with as much advance notice as reasonably possible. As with planned maintenance, we do our best to minimize disruption caused by service outages.
For some services and types of maintenance, it is not possible for us to customize the maintenance window, as some data of our users may be on a shared infrastructure. However, we've used this maintenance window extremely rarely.