Security is in our DNA. We've built products from the ground up for some of the largest fintechs and banks in the world and believe privacy and security are core to delivering on our mission.
Concourse is in the process of obtaining a SOC 2 Type II Attestation and an ISO 27001 compliance certification. When complete, our SOC 2 Type II report and ISO 27001 certificate will be available on our Trust Center.
All databases with customer data, in addition to S3 buckets, are encrypted at rest. Sensitive collections and tables also use row-level encryption.
We use TLS 1.2 or higher everywhere data is transmitted. Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.
Encryption keys are managed via AWS Key Management Service (KMS). Application secrets are encrypted and stored securely via AWS Secrets Manager and Parameter Store.
We engage with one of the best penetration testing consulting firms in the industry at least annually.
All areas of the Concourse product and cloud infrastructure are in scope for these assessments, and source code is fully available to the testers to maximize effectiveness and coverage.
We make summary penetration test reports available via our Trust Report.
We use a risk-based approach to vendor security. Factors which influence the inherent risk rating of a vendor include:
We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.
We secure remote access to internal resources using Tailscale, a modern VPN platform built on WireGuard.
We provide comprehensive security training to all employees upon onboarding and annually through educational modules within the Vanta platform.
Employees are granted access to applications based on their role, and automatically de-provisioned upon termination of their employment. Further access must be approved according to the policies set for each position.