Trust Center

At FinQuery, we realize that security and reliability are very important to our clients.

Our clients trust us with their data and we take this responsibility very seriously. Ensuring the security of our clients’ data, and the systems and applications that store this data, is a top priority for us.

FinQuery welcomes any and all security community support to further protect our systems and customers. Please use the following form to register a security-related question or concern.

Accessibility

Accessibility

FinQuery is committed to making our software applications and websites accessible to people with all levels of ability.

We undertake commercially reasonable efforts towards improving our user experience to ensure we provide equal access to all of our users. As such, our efforts are guided by the Web Content Accessibility Guidelines (WCAG), which define requirements for designers and developers to improve accessibility for people with disabilities.

If you have any questions regarding our applications, contact us at 1-800-880-7270 or support@leasequery.com for assistance and feedback.

Artificial Intelligence/Machine Learning

AI/ML

FinQuery leverages an internal, proprietary AI/ML technology to aid our customers in entering the details of their leases as easily, quickly, and accurately as possible. FinQuery’s AI-assisted lease entry only uses artificial intelligence and models developed and hosted in-house.

With permission from select customers, we trained our model to recognize various types of leases to better detect where information is located in an individual lease. The output of the AI/ML system consists of predictions for each relevant field, which are then verified by the customer’s end users. All data is handled to the same security standards for all FinQuery solutions.

Asset Security

Baselines

FinQuery leverages baselines to ensure compliance, stability, and security. This includes code repositories and version control, hardened/golden images, enforced user and system policies, performance and stability metrics/reporting, and more, with logging and alerting to capture changes.

Hardening Standards

Servers and client systems are hardened from deployment and maintained afterwards with sophisticated practices, security fixes, firewalls, and antimalware tooling. Each server is restricted to only the ports and services required to run the application. Only essential applications are permitted to execute on servers. Access to these servers is highly restricted with least-privilege-based permissions, and only authorized systems are allowed non-HTTPS access, enforced via access controls and firewall restrictions.

Availability and Reliability

Change Management

FinQuery has developed a written change control standard to mitigate the risk that the security, availability and integrity of system software, systems and information are compromised when there are changes to the Solution. No software is permitted to be installed in the production environment for the Solution unless it has been tested, reviewed and approved in accordance with these requirements. These requirements govern the entire change control process, through ticket creation, ticket prioritization, development, quality assurance, communication plans, approval, deployment and hotfixes.

Code Review

FinQuery uses both manual and automated tooling to scan developed code for security, stability, and efficiency.

Segregation of Environments

FinQuery separates development and production environments to reduce the risk of unfinished or malfunctioning software being used in production. To accomplish this, FinQuery utilizes web application firewalls, stateful packet inspection firewalls, and access control lists to separate and protect computing environments. Firewall policies and rules are in place and are reviewed periodically to ensure only approved access is allowed.

Business Continuity

Backups

FinQuery leverages periodic data backups to protect customer information. Backups are encrypted at rest and replicated across multiple Amazon Web Services (AWS) Availability Zones. Backup restores are tested regularly.

Business Continuity

FinQuery’s solutions, including all data stored, are hosted in at least two different locations in the United States.

Disaster Recovery

FinQuery has developed a written Disaster Recovery plan for business continuity purposes, which is managed by the Company’s Chief Operating Officer and is designed to facilitate the resumption of business operations efficiently following a disaster (which results in the inability of FinQuery or its personnel to perform all or some of their services, regular roles and responsibilities for a period of time). A disaster is not necessarily related to a security event, but depending on the circumstances, both the Security Incident Response Plan and the Disaster Recovery plan could be initiated simultaneously in connection with the same event. FinQuery’s Disaster Recovery plan is assessed, at minimum, annually.

Compliance

Hardware

FinQuery complies with NDAA Sec. 889 and does not leverage technologies manufactured by the following entities (or any subsidiary or affiliate of such entities):

  • Huawei Technologies Company
  • ZTE Corporation
  • Hytera Communications Corporation
  • Hangzhou Hikvision Digital Technology Company
  • Dahua Technology Company

HIPAA

FinQuery is not subject to Health Insurance Portability and Accountability Act (HIPAA) because FinQuery’s service does not involve any protected health information.

SOC

FinQuery is audited and receives a SOC 1 Type II report, as defined by the American Institute of Certified Public Accountants (AICPA), twice per year. FinQuery’s SOC reports are available to all customers and, on request, to prospective customers. More information can be obtained by contacting complianceinfo@finquery.com.

Data Security

Data Classification

FinQuery leverages multiple classifications to govern the storage and handling of information—both electronic and physical—based on the information’s sensitivity. Information access and disclosure is restricted to authorized parties. All customer data is treated as “highly sensitive confidential information”, the highest level of confidentiality under FinQuery’s Information Security Policy.

Data Encryption At-Rest

Data stored in FinQuery solutions or in backup systems is encrypted with 256-bit AES encryption. This includes full database encryption.

Data Privacy

Please refer to FinQuery’s data privacy statement for more information.

Data Retention and Disposition

FinQuery maintains a written document and data retention standard, which is incorporated into the Information Security Policy, governing the retention, destruction and return of confidential information, including, without limitation, client data. Our subscription agreement requires us to retain your data for at least 60 days after the termination or expiration of your subscription agreement (coinciding with your quarterly reporting cycle) to ensure you have sufficient opportunity to retrieve your data; however, you can also always request the exportation of your data during the term of the subscription or within 60 days thereafter.

Digital Certificates

FinQuery leverages industry-recognized Certificate Authorities to provide full lifecycle management of FinQuery certificates, including enrollment, distribution, validation, revocation, and renewals.

Data Encryption In-Transit

All interchanges of client lease data to and from the Solution are encrypted in transit with TLS (version 1.2 or higher), using a certificate with a 2048-bit RSA key that is renewed yearly.

Non-disclosure agreements

All FinQuery employees, customers, vendors, and contractors with access to customer data are required to sign agreements with confidentiality obligations.

Secrets Management

FinQuery leverages sophisticated encryption technology, methodologies, and best practices for secrets management throughout our solution.

Password

Passwords are salted and hashed with a one-way Secure Hash Algorithm (SHA) function.

Identification, Authentication, Authorization, Auditing, and Accountability

Access Control

Internally, FinQuery leverages Role-Based Access Control (RBAC) methodologies with an approved matrix governing administrative access. FinQuery employees are subject to need-to-know and least-privilege access controls wherever it is practicable to do so, based upon the security requirements and business requirements of individual business applications. FinQuery does not allow shared accounts.

For customer-facing solutions, FinQuery maintains formally defined external user types, with varying access rights and privileges based on the role of the user.

Identification

All FinQuery personnel and contracted agencies are uniquely identified and issued unique accounts for identification, authentication, authorization, and accountability. All employees and contracted agencies also require uniquely identifying badges to access FinQuery facilities.

Job Roles

Responsibilities of staff regarding information security are formally addressed in FinQuery’s Information Security policy.

Passwords

All FinQuery personnel are subject to written policies regarding secure storage of passwords, minimum password strength requirements, mandatory periodic password change requirements, and automatic lockouts after multiple failed login attempts. In addition, FinQuery employs credential management/rotation systems to rotate credentials periodically.

Single-Sign On (SSO)

FinQuery supports the following SSO options:

  • Secure.finquery.com: integrates with any single sign-on (SSO) system that supports Security Assertion Markup Language (SAML) 2.0
  • FinQuery Software Management: integrates with Google OAuth 2.0

Incident Management and Response

Incident Response Plan

FinQuery has developed an integrated Security Incident Response Plan which establishes a cross-functional response team comprised of professionals from all appropriate business functions, including information technology, legal, human resources, public relations, operations, as well as executive management representation. The Security Incident Response Plan contains written procedures for escalating and containing the incident, as well as documenting the response. Following the initial response, the Security Incident Response Plan includes additional procedures regarding after-the-fact analysis, investigation, mitigation and correction, and third-party notification.

Monitoring and Logging

FinQuery logs are centrally managed and retained according to FinQuery’s Data Retention Policy; the exact retention duration is not disclosed. FinQuery utilizes network logging, with monitoring, alerting and reporting, to ensure that no unauthorized users access the system. The security logs include a record of all users who log in to the system along with their IP address, as well as standard Windows logs of any user who logs into the servers. FinQuery also leverages endpoint monitoring and logs user actions.

Infrastructure

Data Center

All FinQuery web-based solutions run within Amazon Web Services’ (AWS) cloud infrastructure.

Physical Security

Physical security controls, designed under the supervision of the Chief Information Security Officer, are used to restrict entry into FinQuery facilities and all areas within FinQuery’s facilities where tangible highly sensitive confidential information is physically stored. Visitors to FinQuery facilities are allowed in only for authorized purposes. Employees are instructed to question unfamiliar people who are unescorted or not showing visible identification and are prohibited from facilitating the entry by such unfamiliar people.

Cloud Hosting

FinQuery solutions are hosted within Amazon Web Services’ (AWS) data centers and only leverage US-based regions/data centers. For more detail regarding AWS data center security, see: https://aws.amazon.com/compliance/data-center/data-centers/

Organizational Security

Acceptable Use

FinQuery has developed written requirements regarding the handling and storage of information assets, acceptable access to FinQuery systems and networks, and the secure and acceptable use of FinQuery-issued equipment.

Central Contact

FinQuery’s Chief Information Security Officer (CISO) is responsible for developing and enforcing information security policies.

Contractor Usage

FinQuery’s potential third-party agencies are required to undergo a thorough information security and legal review before engagement. This includes signing agreements with confidentiality obligations, only accessing FinQuery’s systems and data through approved and monitored means, and restricting access and rights to limit risk exposure. FinQuery performs periodic contractor access reviews to limit exposure risk to data and systems.

Employee Background Checks

FinQuery conducts background checks on all new employees prior to commencing work.

Employee Status Change

Disablement of access for separated employees is conducted promptly following notice from FinQuery’s Human Resources department. A written User Access Form is completed to identify any access level changes or terminations. When an employee separates from FinQuery, the Human Resources department submits tickets to the Information Technology department requesting the date and time to terminate access. At that time, associated accounts are deactivated, access rights blocked, and all hardware reclaimed. FinQuery performs periodic access reviews to ensure only active full-time employees and contractors have access to the systems.

Personnel Security

Each new employee (as a condition of employment) is required to agree to (1) a protective covenants agreement that includes non-disclosure obligations and (2) the Employee Handbook, which incorporates FinQuery’s documented Information Security Policy.

Security Program

FinQuery maintains an information security program, which includes policies, standards and practices. The information security program is informed by several industry guidelines and was developed in close consultation with all internal stakeholders as well as third-party security experts. FinQuery’s board meets periodically to review and update applicable policies and convenes more frequently as needed for emergency policy adjustments.

Secure Remote Access

FinQuery personnel leverage end-to-end encryption providing a private and secure connection to FinQuery’s network and systems. Virtual Private Network (VPN) connections are monitored and access is audited regularly.

Separation of Duties

For incompatible or sensitive functions, FinQuery enforces separation of duties both statically (e.g. role-based permissions) and dynamically (e.g. controlling access at time of access). FinQuery also enforces the principle of least privilege, restricting access and rights to introduce changes to only those necessary.

Training and Awareness

All new hires complete an information security training program and submit a written acknowledgment of receipt of the Company’s Information Security Policy. In addition, FinQuery’s Chief Information Security Officer oversees the provision of recurring periodic training/refreshers on current threats, as well as material changes to policy.

Operational Security

Asset Management

All equipment issued by FinQuery to its personnel must be requested, issued, inventoried and returned using a predefined procedure.

Procurement

All personnel are instructed to consult with the Chief Information Security Officer before procuring any new systems or forming new vendor relationships that involve (or changing existing vendor relationships so that they involve) any access by the vendor to any FinQuery system or any sharing with the vendor of (including sharing of access to) any confidential information.

Threat and Vulnerability Management

Antivirus/Antimalware

FinQuery deploys sophisticated antivirus/antimalware on all systems, including heuristic and behavioral-based detection methodologies. Full scans run at least weekly on all systems.

Intrusion Detection/Prevention

FinQuery leverages multiple intrusion detection and prevention methodologies and tooling, including AWS GuardDuty and Inspector. Logging and alerting are centralized and monitored for potential intrusion attempts.

Penetration Testing

FinQuery actively performs periodic penetration testing using external partners. When vulnerabilities are detected, FinQuery prioritizes remediation based on threat potential, deploys changes to test environments to validate remediation, then uses automated deployments to production, with Quality Assurance testing throughout. FinQuery’s goal is to detect and mitigate all risks as quickly as possible to ensure a high bar of security for our customers. In order to protect our customers, FinQuery cannot disclose the findings of these penetration tests, as that information could be used to compromise FinQuery’s systems.

Responsible Disclosure

FinQuery understands that the disclosure of vulnerabilities helps ensure protection and privacy across the internet. FinQuery maintains policies and procedures governing the responsible disclosure of known vulnerabilities which present material risk to FinQuery customers or partners.

Risk Mitigation

FinQuery engages in ongoing risk analysis and reporting primarily through a cadence of frequent and regularly scheduled meetings with the Chief Information Security Officer and executive management, including the Chief Executive Officer. The Chief Information Security Officer also maintains contact with security forums and other notification agencies to help identify threats and vulnerabilities.

Vulnerability Management

FinQuery actively performs full-stack vulnerability scans using industry-leading tooling. When vulnerabilities are detected or reported, FinQuery prioritizes remediation based on threat potential, deploys changes to test environments to validate remediation, then uses automated deployments to production, with Quality Assurance testing throughout. FinQuery’s goal is to detect and mitigate all risks as quickly as possible to ensure a high bar of security for our customers.