FTC Safeguards - GLBA (May 2024)
Summary
The Federal Trade Commission (FTC) Standards for Safeguarding Customer Information (the "Safeguards Rule") implement the security requirements of the Gramm-Leach-Bliley Act (GLBA). The Safeguards Rule requires covered financial institutions to develop, implement, and maintain a comprehensive information security program.
FundApps position: Taken together, our ISO 27001 certification, SOC 2 Type II accreditation, privacy posture and comprehensive internal Risk Management Framework fully satisfy the service provider obligations set out in the Safeguards Rule. No additional contractual terms are required to meet these expectations.
Overview of the Safeguards Rule
Financial institutions covered by the Safeguards Rule must protect the security, confidentiality, and integrity of Non-public Personal Information (as defined in the GLBA). The Safeguards Rule requires specific administrative, technical, and physical safeguards.
Key Requirements:
The Safeguards Rule generally requires covered entities to:
Designate a qualified individual to oversee the information security program.
Conduct periodic risk assessments.
Design and implement safeguards to control the risks identified.
Regularly monitor and test the effectiveness of safeguards.
Oversee service providers.
Establish an incident response plan.
How This Applies To FundApps
FundApps’ security and privacy governance framework fully aligns with the requirements set out in the Safeguards Rule. As a service provider, FundApps maintains the following controls to support our clients' GLBA compliance:
1. Governance, Risk Assessment & Reporting
FundApps maintains a rigorous governance structure to ensure accountability and continuous risk evaluation.
Qualified Leadership: FundApps has designated the Head of Information Security (reporting to the CTO) to manage information security, cyber security, and business continuity risks. The CTO ensures appropriate resources for security and reports to leadership, including the Board. Additionally, the Head of Legal oversees privacy and data protection matters, reporting to the CFO, who is a member of the Board.
Risk Assessment: We maintain a comprehensive Risk Management Framework. Risks are identified via monthly security meetings, incident reviews, the Secure Development Lifecycle (SDLC), and ongoing operations. Risks are scored by likelihood and impact, assigned owners, tracked in a risk register, and reviewed at least annually. Mitigation strategies include avoidance, reduction, transfer, and acceptance. On the privacy side, risk assessments are also performed through Data Protection Impact Assessments (DPIAs).
Reporting: The Information Security Management System (ISMS) Manager and Implementer are required to report annually in a formal management review. This review must cover risk assessment results, audit results, control performance, and any opportunities for improvement. Following this review, the Head of Information Security and the Head of Legal will report to their respective Senior Leadership Team (SLT) members, who will then provide updates to the Board.
2. Technical, Physical, and Administrative Safeguards
FundApps implements specific safeguards based on our risk assessments to protect Non-public Personal Information:
Identifying and Managing Assets: FundApps maintains an Information Asset Register, an Information Systems Register covering data, systems, and owners (reviewed monthly), and a Processing Activities Register maintained in accordance with data protection laws and updated as required. Inventoried assets include data, systems, personnel, and devices.
Access Controls: We enforce multi-layer access control combining technical and physical controls, including Multi-Factor Authentication (MFA), Single Sign-On (SSO), role-based authorization, IP restrictions, infrastructure-level segregation, full audit trails, secure facilities, badge access, and restricted areas. See our Access Control Policy for further details.
Encryption: Data in transit is secured using HTTPS with industry-standard ciphers (Transport Layer Security (TLS) 1.2 or higher). Data at rest is encrypted in Amazon Web Services (AWS), with key rotation and encrypted backups. Furthermore, our due diligence process includes assessing vendor security posture and reviewing certifications such as SOC 2 and ISO 27001 to ensure comprehensive security and compliance coverage. See our Cryptographic Policy for further detail.
Secure Development: Our SDLC practices include test-driven development (TDD), code reviews, static and dynamic security testing, Open Source Software (OSS) license scans, and automated deployment pipelines. We perform annual penetration testing and evaluate external applications as part of vendor due diligence, including assessment of their security posture and review of relevant certifications. See our Software Development Policy.
Data Disposal: We ensure the secure deletion, encryption, and destruction of all client data, aligned with its classification. Our Data Retention Policy provides that client data is only kept for the duration of the contractual relationship and is securely deleted within 30 days of termination. Should we receive an earlier deletion request, we will comply in accordance with our Privacy Policy. Our current disposal methods include wiping, shredding, cryptographic erasure, and pre-set retention periods with automatic deletion. See our Data Classification & Protection Standard Policy for further details.
Personnel Training: FundApps provides security awareness, data handling and incident response training to all staff, conducts phishing tests, and maintains competency assessments for ISMS roles. Knowledge requirements are tested annually. Security personnel undergo external training as needed. Additionally, we have dedicated Supplier Relationship Managers (SRMs) who are trained to securely onboard and manage suppliers.
3. Monitoring and Testing
FundApps continuously validates the effectiveness of its key safeguards:
Continuous Monitoring: We operate a 24/7 security operations centre (SOC) and use automated monitoring, security information and event management (SIEM) alerts, and audit logging to detect unauthorized access or tampering.
Testing: We conduct annual penetration tests, and recurring dynamic application security testing (DAST) scans run weekly. Vulnerability management is defined in our Vulnerability Management Policy.
Program Adjustments: The ISMS is subject to a continuous improvement cycle maintained through annual management reviews and internal audits. Adjustments are made based on changes in risk profile, test outcomes, business operations, and evolving legal requirements. Nonconformities are tracked in Shortcut, which is integral to this process. All changes are handled through a formal process that includes review, security scanning, peer review, Continuous Integration (CI) validation, staged deployment, and documented authorization. For further details on the change approval workflow, logging, and testing, please consult our Continual Improvement Process Policy.
4. Service Provider Oversight
FundApps applies the same rigor to our own vendors that our clients apply to us:
Selection & Due Diligence: Our Security and Privacy teams work together to manage a thorough due diligence process for all new vendors and data uses, with the goal of identifying and mitigating potential risks. This process involves performing due diligence reviews, evaluating business continuity and security controls, and utilizing a Third-Party Risk Management System. Additionally, vendors are required to complete a due diligence questionnaire (DDQ) to assess their security, privacy, and compliance practices.
Contractual Safeguards: Where applicable, we sign Data Processing Agreements (DPAs) with such vendors and include specific data protection provisions in contracts to ensure compliance.
Ongoing Monitoring: Third-party systems are recorded in our Information Systems Register and reviewed for risk ratings and required controls.
5. Incident Response & Notification
FundApps has established protocols to address security events promptly:
Response Plan: We maintain an Incident Response Policy which is a key component of the ISMS documentation. This policy defines the requirements for incident reporting and expected escalation procedures. All incidents are logged, reviewed, and linked to root-cause remediation actions tracked in Shortcut. Furthermore, any incidents involving personal data that qualify as a data breach are reported to clients in compliance with relevant data protection legislation.
Notification Timeline: To ensure compliance with both regulatory mandates and contractual commitments, we have DPAs in place with every client. A key requirement of these DPAs is timely notification of any personal data breach to the affected client, without undue delay and at the latest within 72 hours of discovery. Our contractual Service Level Agreements (SLAs) often stipulate even quicker notification for general support issues. Our internal procedures are designed for rapid assessment of all incidents; we manage client notifications and coordinate with clients to fulfil any regulatory reporting obligations to bodies such as the FTC.
Regulatory Cooperation: We coordinate notifications with clients to facilitate their reporting obligations to regulatory authorities, such as the FTC.