Notified is committed to protecting its customers, partners, and employees from unauthorized access to, alteration, disclosure, or destruction of data and information systems whether intentional or unintentional. Notified believes that effective security requires leadership from the top and a team effort involving the participation and support of every Notified user who interacts with data and information systems.
Notified follows a comprehensive framework for:
Protecting the confidentiality, integrity, and availability of Notified data and information systems.
Protecting Notified, its employees, and its clients from illicit use of Notified information systems and data.
Ensuring the effectiveness of security controls over data and information systems that support Notified’s operations.
Recognizing the highly networked nature of the current computing environment and provide effective company-wide management and oversight of those related Information Security risks.
Providing for development, review, and maintenance of minimum security controls required to protect Notified’s data and information systems.
Educating employees, contractors, and consultants with the required ways to protect the information resources of Notified;
Clarifying employee, contractor, and consultant responsibilities and duties with respect to the protection of information resources; and
Coordinating the efforts of different groups within Notified so information resources are properly and consistently protected, regardless of their location, form, or supporting technologies.
The lynchpin for Notified’s information security protocols is our Enterprise Information Security Policy Manual and our SOC 2 assessment. Subject to confidentiality requirements, Customers may request a copy of Notified’s Enterprise Information Security Policy Manual and SOC 2 Assessment by contacting your Notified Account Manager or Sales Representative.
Enterprise Information Security Policy Manual
Data Security and Privacy
Physical and Environmental Security
SOC 2 and Penetration Testing
Annual SOC Type 2 Assessment
Annual Pen Testing
Internal Testing and Auditing
Network Security and Server Hardening
We ensure robust network and application security through firewalls that enforce access control policies, deep packet inspection, and real-time tracking of network communications. Our measures protect against unauthorized access both from external sources and within our organization.
Intrusion Detection Security is deployed to identify and counteract malicious activities attempting to penetrate the firewalls.
Email security appliances prevent advanced threats, block spam and viruses, and employ standard email authentication technology for reliable delivery.
Automated scanning detects vulnerabilities from both internal and external sources, including our web application security testing that automates vulnerability assessments (OWASP) and malware scanning to prevent unwanted online activities.
The development release process includes code scanning and addresses any issues before promotion to production.
Annual penetration test conducted by Infosec using an independent third-party testing service.
All Notified issued workstations are configured by Notified to comply with all our security standards. These standards encompass workstation configuration, regular updates, tracking, and monitoring through our endpoint management solutions.
Our default workstation settings include:
Encrypted data storage
Strong password enforcement according to Notified's policy
Automatic locking during periods of inactivity
All Notified workstations are equipped with up-to-date monitoring software that actively detects and reports potential malware or unauthorized software. Client data is strictly prohibited from being stored on any laptop, desktop, mobile device, or unauthorized repositories.
Notified encrypts all stored data in our production systems using industry standards, including disks, volumes, and database backups. Encryption keys are kept secure on a restricted-access server. We have a robust set of safeguards in place to protect the creation, storage, retrieval, and destruction of sensitive information. Additionally, Notified utilizes strong encryption protocols to secure all data in transit including transmissions between Notified and our customers.
Provisioning: Notified follows a principle of least privilege and role-based permissions when granting access. Employee access is tailored to their job responsibilities, ensuring they can only access data necessary for their roles. Notified maintains a central record of all rights granted and all access is reviewed regularly.
Authentication: To ensure the mitigation of unauthorized access, Notified employs multi-factor authentication for all system access, including our production environment. Additionally, private keys are used where appropriate, combined with multi-factor authentication.
Password Management: Notified maintains a strict password policy. The password policy is designed to create unique, complex passwords that deter reuse, mitigate phishing risks, and address other password-related vulnerabilities.
System Monitoring, Logging, and Alerting: Notified actively monitors the security status of our corporate and production environments recording user activities, exceptions, faults, and information security events. All servers, workstations, and Notified devices are under constant observation by our comprehensive suite of security monitoring platforms which alert our 24x7x365 security operations center of any potential malicious activity. Administrative access and activities on production servers are logged, monitored, and retained. In addition to automatic notifications, we review logs and security events for all system components to identify anomalies or suspicious activity daily.
Responding to Security Incidents
Notified’s Security Incident Management Policy governs security incidents within Notified and provides an organized and consistent approach for security incident response, investigation, and communications. The policy's main objectives include immediately reporting potential security incidents to our Information Security Operations team, assessment of and decisions on the event, timely and accurate communication to stakeholders about each event, and minimizing the adverse impact of incidents on business operations and service quality. A multi-layered team structure with defined roles and escalation protocols is used to handle incidents.
Business Continuity and Disaster Recovery
Business impact analysis is used to assess the potential criticality and impact of a crisis or disaster on Notified’s business products and processes. The result of the business impact analysis supports Notified in the development of recovery strategies and business continuity planning. Notified's policies for Business Continuity Management and Disaster Recovery are crafted to provide effective response strategies that enhance the organization's resilience and ensure consistent service to clients. These policies offer overall guidance for creating customized response plans at the business level. Each business is responsible for developing, maintaining, and testing its specific business continuity plan annually.
Data Retention and Disposal
Maintaining records and managing data storage is a crucial aspect of our operations at Notified. We handle information related to general operations, clients, and financials as part of our day-to-day functions.
To ensure adherence to legal requirements across jurisdictions, Notified has established a comprehensive standard for data retention. This standard aligns with various laws and regulations, including the EU General Data Protection Regulation (GDPR), U.S. state privacy laws like the California Consumer Privacy Act (CCPA), international privacy legislation, and the Federal Trade Commission’s guidelines on consumer privacy protection. This standard applies universally to all Notified computer systems, employees, and facilities.
As part of our commitment to data security, we implement thorough measures for data disposal. Both digital and non-digital information system assets undergo sanitization processes. Before disposal, we perform a DoD/3 pass wipe on digital assets, and magnetic media is degaussed to ensure complete data erasure.
Vendor Management at Notified is a shared function with Notified’s Sourcing (Procurement) team, Legal department, Product team, and Information Security Department. These groups work together to conduct thorough due diligence for vendors during initial selection and throughout the vendor relationship.
The Sourcing team oversees the policy and process for procuring goods and services for Notified.
The Legal department handles legal reviews of contracts for Notified companies.
The Information Security department assesses vendors processing Notified data or accessing its systems, working with the Legal department office to establish and negotiate appropriate contractual safeguards related to information security.
Our Commitment to You
Safeguarding your data is our mission at Notified. Security is ingrained in our business, reinforcing the trust between Notified and our clients.
For any inquiries or concerns, please contact your dedicated account representative or our support team. We are here to assist you at every step.
SOC 2 Compliant
Notified commitment to security is further exemplified by our third party assessment of our security controls and SOC 2 compliance. The SOC 2 - Type II audit provides clients with the assurance that we have established continuous security monitoring and best practices throughout our operations. These comprehensive measures ensure that our clients can trust the security of their investment communications.
What is SOC 2?
SOC (Service Organization Controls) report is an audit by a third party of the internal data protection controls implemented by service organizations. SOC 2 - Type II reports are the most comprehensive compliance standards in this category. By achieving SOC 2 - Type II compliance, NOTIFIED demonstrates its proactive approach and investment in keeping clients' data secure. This assessment is particularly critical for service providers working with cloud and IT services, as it assures regulators, examiners, and auditors that stringent security measures are in place.