Security

Introduction

Data security is of the utmost importance to Cardinal Financial. We take every step to ensure our data and systems are secure. This document provides information on how we accomplish this.

Standards

Cardinal Financial uses measures drawn from the Cyber Security Framework from the National Institute of Standards and Technology (NIST CSF) and the Center for Internet Security (CIS) to protect your information.

Physical Security

Cardinal Financial production data is processed and stored within state-of-the-art data centers provided by Amazon Web Services (AWS) and Google Cloud Platform (GCP). These facilities apply multilayer physical security measures including:

  • perimeter fencing,
  • vehicle access barriers,
  • custom-designed electronic access cards,
  • biometric checks,
  • laser beam intrusion detection,
  • continuous external and internal security camera surveillance, and
  • trained security guards on site 24 hours a day, seven days a week.

AWS security details can be found here. GCP security details can be found here.

System Security

Servers and Networking

Cardinal Financial uses infrastructure-as-a-service (IaaS) platforms strengthened by dedicated security professionals. We use both AWS and Google clouds to host services and data.

Our services run within a private cloud network that is not reachable from the Internet; only responses to user requests leave it, through our web servers.

Traffic is encrypted in transit between services, and network rules define precisely where data can go to prevent eavesdroppers and man-in-the-middle attacks.

Data

All data is encrypted while stored and while in transit. Encrypted data cannot be deciphered except by authorized parties using restricted security tools.

Operational Security

System Access

Cardinal Financial follows the principle of least privilege for user accounts and processes. Users and processes are granted as few privileges as possible, limiting their ability to access data and perform functions.

All accounts use single sign-on for all applicable services, which centralizes user management and minimizes the risk of a misconfigured user account. All accounts require multi-factor authentication and users are required to verify their identity frequently.

Administrator accounts allow access to resources that present a higher security risk and therefore those accounts have additional restrictions. Administrator accounts are separate from user accounts, require physical security keys, and are only permitted to be used when necessary.

Security Monitoring

Cardinal Financial uses a number of methods to monitor security threats and incidents, such as monitoring security threat notification services for emergent vulnerabilities, maintaining detailed audit trails for all accounts, and using monitoring tools to detect anomalies and security incidents.

Employee Equipment

Employee computers require strong passwords and have encrypted disks, firewalls, and, where applicable, inbound and outbound network traffic monitoring and alerts.

Application Security

Client and Server Hardening

Cardinal Financial regularly tests for vulnerabilities using multiple types of scanning software and manual testing. Cardinal Financial also undergoes extensive third-party testing on an annual basis.

Customer Card Payment Information

We use Stripe for payment processing and do not store any credit card information on our servers. Stripe is a trusted Level 1 PCI Service Provider. Stripe security details can be found here.

Application Quality

All changes to the application or infrastructure are subject to comprehensive review by qualified subject matter experts. Reviews include security, performance, and potential-for-abuse analysis.

Have a security concern or know of an incident?

If you have a security concern or are aware of an incident, please email [email protected].