Holofin's Trust Center

Holofin is a document intelligence platform that turns complex financial documents into accurate, structured data. We help organizations automate document workflows and extract value from PDFs, bank statements, and scanned files at scale.

Security is core to how we build and operate Holofin. We design our systems to protect customer data through strong access controls, EU-only infrastructure, and industry best practices. We are committed to safeguarding data confidentiality, integrity, and availability.

For questions related to security, contact us at security@holofin.ai.

Compliance

GDPR · Compliant
ISO 27001 · In progress

Controls

Updated February 2026
Network segmentation implemented
MDM system utilized
Control self-assessments conducted
Penetration testing performed
Vulnerability and system monitoring procedures established
Support system available
External support resources available
Customer data deleted upon leaving

Data collected

Customer personally identifiable information
Employee personally identifiable information
Credit card information
Personal health information

Subprocessors

Google Cloud Platform · Cloud infrastructure · European Union
Bunny.net · CDN, edge storage, DNS · European Union
Hetzner · Cloud compute · Germany
PostHog · Product analytics · European Union

Resources

Security Overview
Data Processing Agreement (DPA)
Encryption Standards and Procedures
Information Security Policy
Penetration Test Report
Incident Response Plan
Vulnerability Disclosure Policy
Operations Security Policy
Secure Development Policy
Sub-Processor List

Controls

Infrastructure security

Network segmentation implemented

The company's network is segmented to prevent unauthorized access to customer data. Production, staging, and development environments are fully isolated.

Encryption at rest (AES-256)

All customer data and documents are encrypted at rest using AES-256 encryption via Google Cloud's default encryption layer.

Encryption in transit (TLS 1.2+)

All data transmitted between clients and our servers is encrypted using TLS 1.2 or higher. Internal service-to-service communication is also encrypted.

Remote access encryption enforced

Production systems can only be remotely accessed by authorized employees via an encrypted VPN connection. No public SSH or management ports are exposed.

Production OS access restricted

Privileged access to production operating systems is restricted to authorized personnel with a business need. Access requires individual SSH key authentication.

Production database access restricted

Privileged access to databases is restricted to authorized personnel with a business need. Databases are not exposed to the public internet.

Production network access restricted

Privileged access to the production network is restricted to authorized personnel via an encrypted private network. All access is authenticated and logged.

Encryption key access restricted

Access to encryption and decryption keys is restricted to authorized personnel with a business need. Key material is never stored alongside encrypted secrets.

Unique account authentication enforced

Authentication to systems and applications requires unique credentials or authorized SSH keys. No shared accounts are used for production access.

Network firewalls utilized

Firewalls are configured to restrict inbound and outbound traffic to only what is required. Firewall rules are reviewed periodically.

Organizational security

MFA enforced for all accounts

Multi-factor authentication is required for all employee accounts and critical infrastructure access. SSO with SAML support is available for enterprise customers.

EDR/SIEM monitoring active

Endpoint detection and response (EDR) and security information and event management (SIEM) systems are deployed across all infrastructure for real-time threat monitoring.

MDM system utilized

The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.

Role-based access control

We follow the principle of least privilege. Role-based access controls ensure team members only see what they need. All access is logged for audit purposes.

Product security

Control self-assessments conducted

The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings.

Penetration testing performed

The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

Vulnerability and system monitoring procedures established

The company's formal policies outline the requirements for the following functions related to IT / Engineering:
• vulnerability management;
• system monitoring.

SAST/DAST scanning enabled

Static and dynamic application security testing is integrated into our CI/CD pipeline. Every code change is scanned for vulnerabilities before deployment.

Dependency vulnerability scanning

All third-party dependencies are continuously monitored for known vulnerabilities. Critical patches are applied within 24 hours of disclosure.

Encrypted secrets with runtime decryption

All credentials and secrets are encrypted at rest using age encryption and only decrypted at deployment time. Encrypted secrets are version-controlled alongside infrastructure code — no plaintext secrets in source or configuration.

Configuration management system established

Infrastructure and application configurations are managed through version-controlled code. All changes are tracked and auditable, ensuring consistent deployments across environments.

Change management procedures enforced

Changes to software and infrastructure are documented, tested, reviewed, and approved prior to being deployed to production.

Production deployment access restricted

Access to deploy changes to production is restricted to authorized personnel. Deployments follow the change management process.

Internal security procedures

Incident response plan established

A formal incident response plan is maintained and tested. Security incidents are triaged, contained, and communicated per documented procedures.

Support system available

The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

External support resources available

The company provides guidelines and technical support resources relating to system operations to customers.

Service description communicated

The company provides a description of its products and services to internal and external users.

Audit logging enabled

All administrative actions and data access events are logged with immutable audit trails. Logs are retained and available for compliance review.

Backup and disaster recovery

Automated daily backups with multi-region redundancy. Recovery procedures are documented and tested to ensure business continuity.

Data and privacy

EU-only data residency

All documents are processed and stored exclusively in EU data centers (Google Cloud Paris and Frankfurt, Hetzner Germany). No data is transferred outside the European Union.

Configurable data retention

Data retention is configurable per organization: Zero Data Retention (ZDR), 30, 60, 90 days, or indefinite. Documents are securely deleted following NIST SP 800-88 standards.

No training on customer data

Customer documents are never used to train AI models. Our AI sub-processors (Google, Anthropic) are contractually bound to the same commitment.

Customer data deleted upon leaving

The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

Customer data isolation

Each organization's data is logically isolated. API keys are scoped per organization and cannot access other accounts' data.

Subprocessors

Last updated: February 2026

Infrastructure

Google Cloud Platform · Cloud infrastructure

Compute, storage, hosting, and backup services

European Union

Hetzner · Cloud compute

Cloud compute

Germany

Platform

Bunny.net · CDN & edge storage

Content distribution, DNS, edge storage

European Union

Analytics

PostHog · Product analytics

Product analytics and user behavior analysis

European Union

Questions about our subprocessors or data processing practices? Contact us at security@holofin.ai
