Citadel is a way for consumers to complete income and employment verifications easily and with their consent by leveraging their payroll accounts.
Our commitment to security and privacy at Citadel
Security is the cornerstone of Citadel; we design everything to ensure the safety of consumers' data: from SOC2 Type II certification to encryption to regular pen-testing.
Data security has never been more important, but it's an often overlooked aspect of selecting a software provider. In this week's blog, we'll dive into how Citadel thinks of security and privacy, as well as how we access, store, and manage data.
SOC2 Type II Certification
SOC2 Type II Certification is an auditing procedure put in place to ensure service providers are securely managing your data so your organization can be protected and privacy is maintained. It’s become a necessity when considering software providers and at Citadel, we make it a priority.
SOC2 Type II compliance has become an industry standard because it defines a set of controls, or rules, that you must follow to be considered compliant. These include a slew of standard items such as having MFA set up for all of your critical systems and having baseline encryption enabled for every piece of your infrastructure.
There are also non-technical controls: who reports to whom? How are changes to the codebase managed? Who reviews what? All of these are included in the SOC2 auditor's review. From the beginning of Citadel, we saw how important security and compliance would be, so we started pursuing SOC2 certification immediately, completed it within six months, and renew it annually.
Even prior to SOC2 Type II compliance, we passed very thorough reviews from some of our larger enterprise clients. The process can be tedious and involves going deep on organizational practices, security practices, and infrastructure to see exactly how Citadel operates. You can see our SOC2 Type II Certification announcement here.
Continuous monitoring and testing
In order to ensure we're monitoring everything, Citadel uses Vanta (software that helps automate and simplify data monitoring and compliance) to keep an eye on, and track, all of our controls. Vanta not only operates as a ledger but also maintains and tracks all of our employees, their onboarding and offboarding materials, training, and so forth, so that if at any point something goes wrong, we can fix it immediately.
Penetration testing needs to be performed regularly, and we follow that guideline rigorously. We have a dedicated, official email address (email@example.com) where people can report vulnerabilities or anything else they find in our system, and Citadel takes all of those reports into full consideration.
One of our main goals is to always be ahead of the curve. On top of standard practices, we introduced an additional layer of encryption in all of our systems for sensitive data and only allow access to sensitive information on a need-to-know basis.
That means: only the employees that really need to see the data and get approved to do so can see it. This is an integral step in making sure all of our customer data is as secure as possible.
It’s a simple way we can ensure we’re remaining grounded and proactive in our security precautions. So, how accessible is the data?
We connect to a lot of external providers at any given moment. If a connection breaks, we need to look at what happened and understand it. As we're dealing with very sensitive data, we want to give access to particular information only to people who really need to look inside.
As a result, we have strict procedures for who can request or be approved for access, and we log everything along the way. We can see who has access to what data and when, who approved the request, and what the outcome was. Outside those exceptional cases where access is truly required, no one can access the data.
Data access is granted for 24 hours at a time and is revoked automatically.
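The access model described above (a request, a separate approver, a fixed 24-hour lifetime, automatic revocation, and an audit record of every step) can be made concrete as a small access broker. The code below is an added illustration, not Citadel's own implementation; the type and function names, the `subject|dataset` key format, the refusal of self-approval, and the constructed clock value are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuditEvent is one append-only record of a request, decision or revocation.
type AuditEvent struct {
	At       time.Time
	Actor    string // who caused the event: requester, approver or "system"
	Subject  string // the employee whose access is affected
	Dataset  string
	Action   string // "requested", "approved", "denied" or "revoked"
	Approver string
}

// Grant is a time-boxed permission for one subject on one dataset.
type Grant struct {
	Subject, Dataset, Approver string
	ExpiresAt                  time.Time
}

// AccessBroker issues, checks and expires grants, logging every step.
// The clock is injectable so expiry can be exercised without waiting a day.
type AccessBroker struct {
	TTL    time.Duration
	Now    func() time.Time
	grants map[string]Grant // key: subject + "|" + dataset (assumed layout)
	Log    []AuditEvent
}

func NewAccessBroker(ttl time.Duration, now func() time.Time) *AccessBroker {
	return &AccessBroker{TTL: ttl, Now: now, grants: map[string]Grant{}}
}

func grantKey(subject, dataset string) string { return subject + "|" + dataset }

func (b *AccessBroker) record(actor, subject, dataset, action, approver string) {
	b.Log = append(b.Log, AuditEvent{At: b.Now(), Actor: actor, Subject: subject,
		Dataset: dataset, Action: action, Approver: approver})
}

// Request only records that subject asked for dataset; nothing is granted yet.
func (b *AccessBroker) Request(subject, dataset string) {
	b.record(subject, subject, dataset, "requested", "")
}

// Approve grants access for TTL. Self-approval is refused (an assumption of
// this example) so that no single person can grant themselves access.
func (b *AccessBroker) Approve(approver, subject, dataset string) (Grant, error) {
	if approver == subject {
		b.record(approver, subject, dataset, "denied", approver)
		return Grant{}, errors.New("self-approval is not allowed")
	}
	g := Grant{Subject: subject, Dataset: dataset, Approver: approver,
		ExpiresAt: b.Now().Add(b.TTL)}
	b.grants[grantKey(subject, dataset)] = g
	b.record(approver, subject, dataset, "approved", approver)
	return g, nil
}

// HasAccess answers the authorization question and revokes an expired grant
// on the spot, so a stale grant can never be used even if the sweeper lags.
func (b *AccessBroker) HasAccess(subject, dataset string) bool {
	k := grantKey(subject, dataset)
	g, ok := b.grants[k]
	if !ok {
		return false
	}
	if !b.Now().Before(g.ExpiresAt) {
		delete(b.grants, k)
		b.record("system", subject, dataset, "revoked", g.Approver)
		return false
	}
	return true
}

// Sweep revokes every expired grant (for a scheduled job) and returns how
// many it revoked. Deleting from a map while ranging over it is safe in Go.
func (b *AccessBroker) Sweep() int {
	n := 0
	for k, g := range b.grants {
		if !b.Now().Before(g.ExpiresAt) {
			delete(b.grants, k)
			b.record("system", g.Subject, g.Dataset, "revoked", g.Approver)
			n++
		}
	}
	return n
}

func main() {
	clock := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed clock
	b := NewAccessBroker(24*time.Hour, func() time.Time { return clock })
	b.Request("alice", "payroll-raw")
	b.Approve("bob", "alice", "payroll-raw")
	fmt.Println("alice, just approved:", b.HasAccess("alice", "payroll-raw"))
	clock = clock.Add(25 * time.Hour)
	fmt.Println("alice, a day later: ", b.HasAccess("alice", "payroll-raw"))
	for _, e := range b.Log {
		fmt.Printf("%s %-9s subject=%s dataset=%s actor=%s\n",
			e.At.Format(time.RFC3339), e.Action, e.Subject, e.Dataset, e.Actor)
	}
}
```

Two design points carry the security weight: the authorization check itself enforces expiry rather than trusting a background job to have run, and the audit log is the only history, since grants are deleted on revocation, so an investigator reads the log rather than the current state to learn who had access when.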
Citadel’s data resides in the cloud in multiple zones and we do backups in multiple regions so that, if there’s a failure within one zone, we won’t see an impact. For example, if the whole region were to fail due to natural disaster it would take Citadel no longer than twenty-four hours to resume operation and restore in a different region.
All data is stored in the cloud in the United States. Citadel uses Amazon Web Services predominantly for infrastructure and storage. All data is encrypted and Citadel applies additional application-based encryption for the most sensitive pieces of data.
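The "additional application-based encryption for the most sensitive pieces of data" mentioned above means sealing individual fields inside the application before they are written, so that storage-level encryption at rest is not the only protection. The following is an added example, not Citadel's code: it uses AES-GCM from Go's standard library and authenticates the record ID and column name as associated data, so a sealed value moved to another row or column fails to open. The type names, the `recordID/field` context format, the sample record and the constructed SSN-like value are assumptions; the key would come from a KMS in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// FieldCipher seals individual sensitive fields in the application, before
// they reach storage, independent of the storage layer's own encryption at
// rest. One key per service is assumed here; a real deployment would fetch
// it from a KMS, never from source or configuration.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher accepts a 16-, 24- or 32-byte AES key.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// fieldContext binds a ciphertext to the row and column it belongs to
// (the "recordID/field" layout is an assumption of this example).
func fieldContext(recordID, field string) []byte {
	return []byte(recordID + "/" + field)
}

// Seal returns base64(nonce || ciphertext || tag). The record ID and field
// name are authenticated as associated data, so a ciphertext copied from one
// row or column into another fails to open instead of silently decrypting.
func (c *FieldCipher) Seal(recordID, field string, plaintext []byte) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nonce, nonce, plaintext, fieldContext(recordID, field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal; any change to the stored value or to the row/column
// context makes authentication fail and returns an error, never plaintext.
func (c *FieldCipher) Open(recordID, field, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns+c.aead.Overhead() {
		return nil, errors.New("stored value too short to be a sealed field")
	}
	return c.aead.Open(nil, raw[:ns], raw[ns:], fieldContext(recordID, field))
}

// VerificationRecord shows the split: ordinary columns stay usable by the
// database, while the sensitive column is opaque without the application key.
type VerificationRecord struct {
	ID         string
	EmployerID string
	SSNSealed  string
}

func main() {
	key := make([]byte, 32) // constructed for the demo; use a KMS in production
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	sealed, _ := fc.Seal("rec-1001", "ssn", []byte("000-00-0001")) // constructed value
	rec := VerificationRecord{ID: "rec-1001", EmployerID: "emp-42", SSNSealed: sealed}
	fmt.Println("stored:   ", rec.SSNSealed)
	pt, err := fc.Open(rec.ID, "ssn", rec.SSNSealed)
	fmt.Println("opened:   ", string(pt), err)
	_, err = fc.Open("rec-1002", "ssn", rec.SSNSealed) // same bytes, other row
	fmt.Println("wrong row:", err)
}
```

A fresh random nonce per Seal is required for GCM; reusing one under the same key breaks confidentiality and integrity, so the nonce is always generated, never derived from the record. With the key held only by the application tier, a copy of the database or a backup in another region exposes the ordinary columns but not the sealed ones.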
When it comes to storing data in the data warehouse, data is processed automatically and stored in an aggregated form. No personal information or identifiable information is available; just aggregates of non-sensitive fields for analysis and improvements of quality.
Citadel offers data retention policies for enterprise clients under which data is deleted automatically. Clients can specify how long they want us to store data for them, or can request deletion of data via an API.
If you want to learn more about our security or to request our SOC2 Type II report, we'd be happy to connect.