Cybersecurity serves as a foundational pillar in TurnKey Lender's global success across the business sector. Our innovative solutions manage substantial financial transactions for clients in over 50 countries, underscoring the significant trust placed in our capabilities. Acknowledging this trust's value, we prioritize maintaining the highest security standards for our products. From inception, we have dedicated considerable research and development resources to safeguard our products against unauthorized access, ensuring robust protection against hackers, scams, phishing, and fraud attempts.

Below, we present an overview of TurnKey Lender's security measures and accolades, highlighting our commitment to cybersecurity (within the bounds of what we are permitted to disclose). These initiatives are designed to provide peace of mind regarding the safety and integrity of our solutions:


General security measures

  • API Clients - when integrating with third-party products and services, TurnKey Lender generates a unique secret key for each integration. This keeps you in control of which party has access to which data, and a single risky integration can be cut off within seconds by revoking its key, without affecting any other integration.

  • ISO 27001 - TurnKey Lender is an ISO 27001:2013 certified company (see attachment). The certificate confirms that our development, testing, and customer data processing activities comply with the policies and procedures required by ISO 27001:2013.

  • ISO 27001 auditor - TurnKey Lender employs a certified ISO 27001 auditor (Ph.D. in Cyber Security) who continuously oversees our operations and ensures that new features and releases remain compliant with ISO 27001.

  • PCI DSS compliant - TurnKey Lender has received PCI DSS certification, which signifies that the company maintains rigorous data security standards to keep its customers' payment card information safe. Recurring compliance scans are performed every year.
  • NIST - our software architecture is built in compliance with the guidelines of the National Institute of Standards and Technology (NIST), in particular NIST Special Publication 800-95, Guide to Secure Web Services.

  • OWASP - TurnKey Lender products comply with the OWASP Application Security Verification Standard (ASVS). The software meets the standard's requirements for identification, authentication, authorization, integrity, non-repudiation, confidentiality, and privacy.

  • OpenSanctions (OFAC) - TurnKey Lender screens against the OpenSanctions lists (which include the OFAC sanctions lists) to help lenders avoid doing business with sanctioned or blacklisted people and companies around the globe.

  • User permissions - user permissions management in TurnKey Lender lets you grant each user access only to the workplaces and data they need for their day-to-day work. Limiting each account to what it needs minimizes the impact of a compromised account, no matter how many employees you have.

  • GDPR compliance - a default Privacy Notice drafted specifically for TurnKey Lender clients comes built into the System. All end-user rights are implemented in line with the GDPR (e.g., an opt-in consent system and the right to be forgotten).

  • Adjustable password strength - you can set your own password strength requirements. The setting lives in the configuration file and is not available from the back office; please get in touch with your TurnKey Lender manager to change it.

  • Two-factor authentication - two-factor authentication is enabled and set up via the configuration file and is not available from back-office. Please, get in touch with your TurnKey Lender manager to change these settings. 

Technical security measures

  • The web application is protected against cross-site scripting (XSS), script injection, SQL injection, and other common attack types.

  • Sensitive information is sent to the servers only over HTTPS, in line with accepted web security best practice.

  • Sensitive information is processed on the server-side only.

  • Passwords are never stored in plaintext or in reversible (encrypted) form: each password is stored in the database as a salted hash, so a database leak does not directly expose user passwords and identical passwords do not produce identical stored values.

  • Two-factor authentication support comes built-in in the System and is encouraged.

  • Password management policies can be flexibly adjusted to your operation's needs and are fully customizable.

  • The System supports temporary user lockout after multiple consecutive failed authentication attempts, which blunts online password-guessing attacks.

  • The System is protected by anti-DDoS request throttling (rate limiting), which mitigates denial-of-service attempts.

  • The System comes with a wide array of fraud-prevention rules built-in.

The certificate (attached below) is to confirm that all processes of development, testing, and customer data processing comply with the policies and procedures of ISO 27001:2013.


Guidelines and Standards Compliance

Adhering to global guidelines and standards is not just a regulatory requirement but a commitment to excellence and trustworthiness. These are some of the common standards and guidelines important for TurnKey Lender products and services.

ISO 27001 Certification

ISO 27001 is an international standard for information security management systems (ISMS), first published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005. It specifies how to establish, implement, maintain, and continually improve an information security management system, and outlines a framework for organizations to manage the security of assets such as financial information, intellectual property, employee details, and information entrusted by third parties.

Achieving ISO 27001 certification demonstrates TurnKey Lender’s systematic approach to managing sensitive company and customer information, ensuring it remains secure. It covers aspects from physical security and data encryption to access controls and policy implementation, signifying a gold standard in information security.

Given the importance of this standard to the company's activity, TurnKey Lender employs an ISO 27001-certified auditor with a Ph.D. in Cyber Security, ensuring our continuous alignment with its requirements.

PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) was introduced in 2004 by the major card brands, which went on to form the PCI Security Standards Council in 2006, as a unified approach to safeguarding cardholder data for all types of transactions. In particular, it provides requirements for building and maintaining a secure network and systems, protecting cardholder data, maintaining a vulnerability management program, implementing strong access-control measures, regularly monitoring and testing networks, and maintaining an information security policy.

Compliance with PCI DSS is crucial for any entity that handles credit card transactions, ensuring that customer payment information is kept secure from fraud and breaches. TurnKey Lender’s adherence to this standard underscores our dedication to protecting sensitive financial information and running annual scans to verify ongoing compliance.

SOC 1 & SOC 2 Compliance

System and Organization Controls (also known as Service Organization Controls) defined by the American Institute of Certified Public Accountants are frameworks that help to ensure service providers manage data securely to protect the interests of the organization and the privacy of the clients. SOC 1 focuses on internal control over financial reporting, while SOC 2 is designed to address the management of customer data based on five "trust service principles”: security, availability, processing integrity, confidentiality, and privacy. Originating in the USA, they are recognized globally.

Compliance with SOC 1 and SOC 2 signifies that TurnKey Lender's internal controls over financial reporting and over the management of customer data have passed rigorous audit processes, supporting the highest levels of security and privacy. It underpins our commitment to operational excellence and reliability, and gives our clients and partners assurance that we manage data with integrity and in line with industry best practices.

NIST Compliance

The National Institute of Standards and Technology, part of the U.S. Department of Commerce, issues guidelines for many aspects of information technology, including cybersecurity. One of its key documents, the NIST Cybersecurity Framework, was first published in 2014 and offers a policy framework of computer security guidance for mitigating an organization's cybersecurity risks.

Although it was written primarily for organizations in the United States, it is used globally as a best-practice framework. Its five core functions are to develop an organizational understanding of cybersecurity risk management (Identify), provide appropriate safeguards to ensure the delivery of critical services (Protect), develop and implement activities to identify the occurrence of a cybersecurity event (Detect), take action regarding a detected cybersecurity incident (Respond), and maintain plans for resilience and restore any capabilities or services impaired by the incident (Recover).

By aligning the software architecture with NIST guidelines, TurnKey Lender proactively mitigates cyber risks and enhances the cybersecurity posture in line with globally recognized practices.

OWASP Compliance

The Open Web Application Security Project (OWASP) is an international non-profit organization dedicated to web application security. Its best-known contributions are the OWASP Top 10, a regularly updated report outlining the most critical web application security risks, and the OWASP Application Security Verification Standard (ASVS), which provides a basis for testing an application's technical security controls and gives developers a list of requirements for secure development. The standard covers both the application's own controls and any technical security controls in its environment that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection.

Adhering to the standard in every aspect of identification, authentication, authorization, integrity, non-repudiation, confidentiality, and privacy, TurnKey Lender can secure its products against the most prevalent threats, once again committing to safeguarding client data.

Global Data Protection Compliance

TurnKey Lender ensures compliance with the General Data Protection Regulation (GDPR) in the European Union and aligns with various international data protection laws that embody similar principles. These include the UK's Data Protection Act (DPA), the California Consumer Privacy Act (CCPA) in the United States, Singapore's Personal Data Protection Act (PDPA), Australia's Privacy Act 1988, which encompasses the Australian Privacy Principles (APPs), and New Zealand's Privacy Act 2020. TurnKey Lender's procedures and flows protect the essential user rights mandated by these regulations, such as opt-in consent, the right to data portability, and the right to be forgotten, safeguarding personal information across all jurisdictions in which we operate.

General Security Measures

TurnKey Lender implements multiple security measures as an integral part of our operational framework, ensuring that every interaction and transaction is secured to the highest standards. These are some of the key practices in use:

  • API Clients: For integrations with third-party products and services TurnKey Lender generates unique secret keys for each connection. This ensures granular control over data access and enables quick disconnection from risky integrations.

  • Secure Transmission: Sensitive information is transmitted exclusively via HTTPS protocol, adhering to the best practices for secure web communications.

  • Server-Side Processing: All sensitive information is processed on the server side, so that sensitive data and business logic are never exposed to, or trusted from, the client.

  • Anti-DDoS Measures: The system is equipped with anti-DDoS throttling protection to mitigate the risk of denial-of-service attacks.

  • Enhanced Password Security: Passwords are never stored in plaintext or reversibly encrypted form; they are stored in the database as salted hashes, a cryptographic measure that limits the damage of a database compromise.

  • Security Features Configuration: TurnKey Lender provides customizable password strength and two-factor authentication settings to meet the specific security requirements of each client. This flexibility extends to password management policies and CAPTCHA settings, which are fully customizable to suit your operation's needs.

  • User Permissions Management: Tailored user permissions ensure individuals access only the necessary data and systems for their roles, enhancing operational security across the organization.

  • Web Application Protection: The web application is fortified against cross-site scripting (XSS), script injection, SQL injection, and other common attack types, providing a robust defense against digital threats.

  • Temporary User Lockout: To protect against unauthorized access attempts, the system supports temporary user lockout after multiple consecutive failed authentication attempts.

  • Fraud Prevention: A comprehensive set of fraud-prevention rules is integrated into the system, offering advanced protection against fraudulent activities.

  • Sanction Screening: Utilization of OpenSanctions (OFAC) lists aids in preventing business interactions with sanctioned or blacklisted individuals and entities worldwide.
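The "API Clients" practice listed above (and in the earlier "General security measures" list) describes per-integration secret keys that can be revoked individually. The following is an added example written for this page, not TurnKey Lender's own code, showing the pattern: each integration gets its own client id and high-entropy secret, only a hash of the secret is stored, and revoking one client leaves every other integration working. The class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass
class ApiClient:
    client_id: str
    integration: str
    key_hash: bytes      # SHA-256 of the secret; the plaintext secret is never stored
    scopes: Set[str]     # data the integration is allowed to touch
    revoked: bool = False


class ApiClientRegistry:
    """Hypothetical registry: one secret per integration, revocable on its own."""

    def __init__(self) -> None:
        self._clients: Dict[str, ApiClient] = {}

    @staticmethod
    def _digest(secret: str) -> bytes:
        # The secret has 256 bits of entropy, so a fast hash is acceptable here
        # (unlike user passwords, which need a slow, salted KDF).
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def register(self, integration: str, scopes: Iterable[str]) -> Tuple[str, str]:
        """Create a client and return (client_id, secret); the secret is shown once."""
        client_id = "client_" + secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._clients[client_id] = ApiClient(
            client_id, integration, self._digest(secret), set(scopes)
        )
        return client_id, secret

    def revoke(self, client_id: str) -> None:
        """Cut off a single risky integration without touching the others."""
        self._clients[client_id].revoked = True

    def authorize(self, client_id: str, secret: str, scope: str) -> bool:
        """True only for a live client presenting the right secret for an allowed scope."""
        client = self._clients.get(client_id)
        if client is None or client.revoked:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(self._digest(secret), client.key_hash):
            return False
        return scope in client.scopes
```

Each integration authenticates with its own credential and is limited to the scopes granted at registration, so compromise or misbehaviour of one partner is contained to that partner's client id.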
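The "Enhanced Password Security" and "Temporary User Lockout" practices above (also described under "Technical security measures") name two mechanisms without showing how they fit together. The block below is an added example written for this page, not TurnKey Lender's code: passwords are stored as salted scrypt hashes, verification is constant-time, and an account is locked for a fixed period after a run of consecutive failures. The attempt limit and lockout duration are hypothetical values standing in for whatever the product's configuration file specifies.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy values; a real deployment would load these from configuration.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # 16 MiB of memory per hash


@dataclass
class UserRecord:
    salt: bytes                 # per-user random salt
    pw_hash: bytes              # scrypt(password, salt); never the password itself
    failed_attempts: int = 0    # consecutive failures since the last success
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash so leaked records cannot be brute-forced cheaply."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def create_user(password: str) -> UserRecord:
    salt = os.urandom(16)   # fresh salt per user: equal passwords hash differently
    return UserRecord(salt=salt, pw_hash=hash_password(password, salt))


def authenticate(user: UserRecord, password: str, now: Optional[float] = None) -> str:
    """Return "ok", "locked" or "bad_password", updating the lockout state."""
    now = time.time() if now is None else now
    if now < user.locked_until:
        # Reject without checking the password: locked accounts do not leak
        # whether a guess was right, and further guesses do not extend the count.
        return "locked"
    if hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        user.failed_attempts = 0
        user.locked_until = 0.0
        return "ok"
    user.failed_attempts += 1
    if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
        user.locked_until = now + LOCKOUT_SECONDS
        user.failed_attempts = 0
    return "bad_password"
```

The lockout is temporary by design: a permanent lock would let an attacker deny service to any user simply by guessing wrong, whereas a fixed window slows online guessing to a few attempts per window while the legitimate user regains access automatically.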