Devengo is a cloud-based financial service for companies to instantly make payments via API for themselves or for their clients.
By the very nature of its services, Devengo processes confidential information from its clients and employees about their workers, contracts, salaries, leaves, etc. Therefore, protecting this information is as important to Devengo as transferring money as quickly as possible when an employee needs it.
Devengo is determined to implement and enforce effective controls in its Information Security Management System and to continuously improve it.
In line with this statement of intent, Devengo declares that:
- It systematically protects the confidential data it manages using various means of monitoring and logging access to this information, including encryption of data considered sensitive.
- It controls the integrity of such confidential data to protect it from any unauthorised access, modification, or loss.
- It securely tracks and records all payment transactions to ensure traceability if necessary.
- It has a robust infrastructure to constantly access and manage information.
Devengo controls, restricts, and monitors that only authorised employees and partners access this confidential and sensitive information and that only the minimum necessary set of information is accessed.
Devengo is committed to protecting the personal information of its clients’ employees in accordance with the General Data Protection Regulation (GDPR), lawfully, clearly, and transparently processing the information it receives at all times.
Devengo’s commitment to security and privacy is such that all its designs and developments are always made with a set of methodologies and techniques that put them first.
Fernando Cabello-Astolfi, CEO
Objectives
- Achieve and maintain the optimum level of security to adequately guarantee business continuity, even in adverse situations.
- Increase the integration and mutual support of the physical and logical aspects of security.
- Collaborate in the management of other safety disciplines, including labour and environmental aspects, taking into account the criteria that promote Corporate Social Responsibility.
- Establish the corporate security structure defined by Devengo’s decision-making bodies and create the appropriate communication channels between all those involved.
- Comply with official security regulations and other applicable requirements.
- Establish and implement Security Training and Dissemination Plans among Devengo employees to improve awareness of all aspects related to security.
- Set an express commitment to continuous improvement.
- Integrate the different company departments in a security management system that, under common criteria, takes advantage of synergies and achieves consistency in resources and actions.
People
- The ultimate responsibility for security lies with the management team, which analyses security risks and vulnerabilities that may affect the smooth running of the business and is directly responsible for managing the development and implementation of measures to mitigate them.
- All employees sign a confidentiality agreement and a commitment to follow the internal digital security policy as part of the internal management process.
- The entire team is trained in security and data protection issues relevant to their tasks and takes responsibility for maintaining the security of the assets in their care.
- There is an on-boarding procedure for new employees that grants no access permissions to information by default, and an off-boarding procedure that removes the accesses acquired during their time with the company.
Assets and equipment
- Centralised management with global inventory, monitoring, and alerts.
- Comprehensive remote device security policy with locked devices, password management, software installation restriction, malware protection, firewall, disk encryption, updates, and remote blocking.
- Access to source code is restricted and managed with private keys.
- The development process records all changes, reviews each change, and systematically runs a testing process before any modification is accepted.
- Centralised process of selection, recruitment, and management of software-as-a-service providers.
Data
- All data, including backups, are stored in the European Union.
- All sensitive data is stored in a database with a BCrypt protection system.
- Sensitive information is not transmitted to sub-processors (e.g. payment processors) beyond what is strictly necessary, and in such cases it is always sent over secure connections.
- All data transmitted over the Internet is encrypted (using an RSA-2048 SSL certificate and a secure HTTPS connection) or sent through a VPN.
- Only the on-boarding, support, and technical teams have access to employee data, with access restricted in proportion to the reason for it, and every access is logged.
- Data integrity is ensured by means of an extensive testing process that prevents code errors from modifying the data.
- We follow good design and development practices to prevent the sending of any protected information through unsecured channels.
Legal
- We have a team of advisers who help us to keep our service always in line with the law across all areas of application: labour, tax, accounting, data protection, and financial services.
- Any changes made to the platform are carefully tested to ensure that the platform remains operational.
- We are directly or indirectly authorised to offer the financial services we provide.
- Protecting the privacy of our clients and their employees who use our services is something we take very seriously and we always act within the scope of the GDPR with a data processor-only model.
Technology platform
- Devengo’s entire platform is hosted on Amazon Web Services in its data centres in the European Union, following ISO 27001, HIPAA, and SOC 2 Type II guidelines and controls, among other security certifications that are regularly audited.
- All data transmitted over the Internet is encrypted (by means of an RSA-2048 SSL certificate and a secure HTTPS connection).
- The different development, demo, and production environments are strictly separated at all levels to reduce errors and ensure maximum availability.
- The entire platform is permanently monitored 24×7 to ensure its health and availability.
- Access to the platform is properly secured with AWS and Heroku access policies, protected with two-factor authentication (2FA).
Audit and registration
- We keep a general log of all platform usage, as well as of every access to and modification of data.
- We also record all kinds of technical events, such as errors or load peaks, separately to ensure the smooth operation of the platform.
- Access to these records is duly restricted to those who need it and always with two-factor authentication (2FA).
- Audit records are kept for one year except for those aspects that by law may require a longer period, such as money movements.
- Alerts are defined on these logs to detect errors, security risks, and changes, and to monitor activity on the platform.
- No data considered particularly sensitive, such as the passwords users enter when authenticating, is recorded in the logs, since it could become a subsequent security risk.
Availability
- The entire Devengo platform deployment process is automated so that in the event of an incident it is possible to start up a full new platform instance in less than five minutes.
- Devengo uses a write-ahead logging system in which every change made to the data is written to write-ahead logs, which are shipped to highly resilient storage in several data centres. In the unlikely event of an unrecoverable hardware failure, these records can be automatically ‘replayed’ to recover the database to within seconds of its last known state.
- We also keep the main database replicated as a master-slave to ensure data availability in case of an incident.
- Devengo maintains a backup policy that performs incremental and full backups that are tested regularly.
- We also maintain a site with information about our service, to which clients can subscribe if they wish to do so.
Incident and continuity management
- Devengo has a security incident management procedure and has trained its team to respond to such incidents.
- When a security incident is detected, the team on duty at the time is immediately notified and a plan is defined to respond as quickly as possible to mitigate its consequences.
- After the initial measures, actions for a permanent solution are defined, and a post-mortem analysis with corrective measures is carried out and shared with the rest of the company in order to prevent future recurrence.
Contact information and enquiries
If you have any questions or need further information, please do not hesitate to contact us:
Alberto Molpeceres, Devengo co-founder