Our Approach to Security

Mortgage Coach®

The goal of the Security & Compliance program at Mortgage Coach is to protect the confidentiality, integrity, and availability of information belonging to the organization, its employees, and its customers, and of the information systems that handle it. Our Information Security Program was developed using guidance from the NIST Cybersecurity Framework and ISO 27001. The program aims to address risk, build a culture of security, proactively prevent security incidents, and continuously manage security threats and vulnerabilities.

Culture of Security

All Company employees are responsible for safeguarding company assets; security and privacy are a shared employee responsibility. All employees are screened for expertise, experience, and integrity. Criminal background checks are required upon hire and are repeated periodically throughout employment. All employees are required to read, acknowledge, and adhere to the information security policies and standards.

The security education, training, and awareness program is a foundational component of our security program. Initial training is delivered to employees at the time of onboarding. In addition, quarterly security, privacy, and phishing awareness training is conducted on an ongoing basis to maintain competency across our distributed workforce.

The Leadership team of the Company is accountable for and formally approves decisions regarding the Information Security Program. 

Attestations

Mortgage Coach maintains AICPA (American Institute of CPAs) SOC 2 compliance, meaning an independent auditor has attested that the design and operating effectiveness of our controls meet rigorous standards. We have already scheduled our next SOC 2 audit with RKL for 2023 to include our new combined organization. To continually improve our security posture, we are also preparing for ISO 27001 certification.

AICPA SOC 2 seal (image)

Platform Security

We develop and deploy solutions that balance thoughtful security controls with usability. Mortgage Coach provides you with the tools and support you need to ensure that all of your users engage in appropriate and compliant use of our platform. We maintain the security of the platform itself as our part of the shared responsibility model, so that you can focus on your customers.

Regulatory Compliance

While we are not bound by the same regulatory controls required of lenders, we take extra steps to ensure that we are compliant where appropriate and to educate all staff on the relevant regulatory requirements for the benefit of our customers. Common regulatory requirements and standards that we review for applicability include: CFPB (Consumer Financial Protection Bureau) rules, CCPA (California Consumer Privacy Act), GLBA (Gramm-Leach-Bliley Act), ADA (Americans with Disabilities Act) accessibility requirements, and WCAG (Web Content Accessibility Guidelines). Our Security & Compliance team, in conjunction with our Legal team, ensures that applicable regulations and standards are factored into our program.

Physical & Logical Access Control

We partner with AWS for the production data centers used to store and process data; these data centers meet or exceed industry standards. By building on AWS we can use its security infrastructure, logging, identity, and intrusion protection systems and focus on delivering a scalable and secure product.

Our Company has designed internal data access processes and policies to prevent unauthorized persons or systems from gaining access to our systems. The environment is designed to restrict access so that it is relevant, timely, and aligned with each individual's job responsibilities. Our U.S.-based data centers feature 24 x 7 physical security and carry SOC 2 and ISO certifications. Those attestations cover the underlying AWS facilities and services; the configuration of our own environment on top of them remains our responsibility under the shared responsibility model.

Availability

Production data centers are designed to be fully redundant and can be maintained without impact to operations, 24 hours a day, seven days a week. The Company has disaster recovery plans in place and tests them each year to validate their effectiveness.

Application Security

All data is encrypted in transit using current versions of TLS (or comparable secure protocols) with strong cipher suites and key lengths. Data at rest and offline backups are encrypted to provide adequate protection of customer data.

The Company conducts regular vulnerability scans of its applications, networks, and infrastructure using commercially available scanning software that is kept up to date.

Additionally, we engage external consultants to perform security assessments and validate our defensive posture.

Software development follows a Secure Software Development Life Cycle (SSDLC) defined in our internal policy and procedure documents.

Audit Requests

The Company, in its role as a Data Processor, will take commercially reasonable measures to assist Clients (Data Controllers) with audits that verify compliance with these controls.

Vulnerability Disclosure

While Mortgage Coach appreciates external security researchers reaching out to disclose vulnerabilities or misconfigurations in our company's infrastructure or services, we do not engage with individuals who test company-owned infrastructure without appropriate permission.

If you have a question or would like to report something to our Security & Compliance team, please contact us at Security@MortgageCoach.com