Security at Concourse

Security is in our DNA. We've built products from the ground up for some of the largest fintechs and banks in the world and believe privacy and security are core to delivering on our mission.

Security and Compliance

Concourse is in the process of obtaining a SOC 2 Type II Attestation and an ISO 27001 compliance certification. When complete, our SOC 2 Type II report and ISO 27001 certificate will be available on our Trust Center.

Data Protection & Privacy

All databases with customer data, in addition to S3 buckets, are encrypted at rest. Sensitive collections and tables also use row-level encryption.

We use TLS 1.2 or higher everywhere data is transmitted. Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.

Encryption keys are managed via AWS Key Management Service (KMS). Application secrets are encrypted and stored securely via AWS Secrets Manager and Parameter Store.

Product Security
Penetration Testing & Vulnerability Scanning

We engage with one of the best penetration testing consulting firms in the industry at least annually.

All areas of the Concourse product and cloud infrastructure are in scope for these assessments, and source code is fully available to the testers to maximize effectiveness and coverage.

We make summary penetration test reports available via our Trust Report.

Vendor Management

We use a risk-based approach to vendor security. Factors which influence the inherent risk rating of a vendor include:

  • Access to customer and corporate data
  • Integration with production environments
  • Potential damage to the Concourse brand

Enterprise Security
Endpoint Management

We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.

Secure Remote Access

We secure remote access to internal resources using Tailscale, a modern VPN platform built on WireGuard.

Security Education

We provide comprehensive security training to all employees upon onboarding and annually through educational modules within the Vanta platform.

Identity & Access Management

Employees are granted access to applications based on their role, and automatically de-provisioned upon termination of their employment. Further access must be approved according to the policies set for each position.