
Security & Compliance


OPTIMUS SECURITY

At Optimus, safeguarding customer information is paramount to us. We recognize that protecting information diligently is the only way to earn trust. Hence, we prioritize security as a top concern and have established a comprehensive security program to earn and maintain the trust of our customers.

Security Compliance

PCI DSS 4.0

In order to comply with PCI DSS standards, we have followed multiple security measures, such as:

  • Implementation of secure development practices for applications;
  • Conducting routine security tests and vulnerability scans;
  • Implementing access controls to safeguard sensitive data;
  • Utilizing robust encryption for payment card information;
  • Providing comprehensive employee training on security protocols.
Optimus holds PCI DSS 4.0 certification, ensuring compliance with the globally recognized Payment Card Industry Data Security Standard (PCI DSS). Version 4.0 represents the latest and most stringent iteration of this standard, underscoring our commitment to safeguarding sensitive payment card information.

SOC 1 Type I and SOC 2 Type I Compliant

We comply with SOC 1 Type I standards, ensuring our system controls align with control objectives to provide security assurance to our customers. Additionally, our SOC 2 Type I compliance verifies our internal control structure and implementation process, adhering to rigorous security, availability, processing integrity, confidentiality, and privacy standards.

DPA Complying with GDPR

We recognize the intricate landscape of data processing regulations, and the critical role compliance plays for our finance industry clients. Through provisions like the Data Processing Addendum (DPA), we assist our clients in navigating their compliance duties under regulations such as the General Data Protection Regulation (GDPR).

Compliance involves implementing measures and practices to ensure that personal data is collected, processed, and stored lawfully, transparently, and securely. This includes obtaining consent, providing data subjects with control over their information, implementing data protection policies, and ensuring data security measures are in place.

Crafted to aid customers in fulfilling their compliance duties under pertinent data processing regulations, our DPA outlines in detail the roles and duties of each party involved. This comprehensive document covers the safeguards Optimus applies to personal data, our implemented security protocols, contingency plans in case of data breaches, and additional relevant information. Furthermore, it offers clear explanations of data processing procedures and the involvement of any sub-processors.

Security Practices

Access Regulation

Segmenting Dataset for Security

Customer data is logically segmented, with each piece, whether it's a file or a database row, tagged with metadata defining its context. This context determines ownership and authorization whenever the data is accessed, making data segmentation a cornerstone of our application's design.

Our clients can also request dedicated and segmented computing and storage resources reserved exclusively for their use. This ensures optimal performance, reliability, and heightened security for their operations.

Refined User Roles

Ensuring data control is our top priority. We've introduced detailed user roles, empowering customers to finely tune access levels and mitigate risks associated with errors and malicious intent. Administrators can effortlessly assign and oversee access permissions, safeguarding critical information from unauthorized access or modifications. This heightened security measure not only shields user data but also ensures that information remains exclusively accessible to relevant parties.

SCIM and MFA Support

We support SCIM (System for Cross-domain Identity Management), a directory-synchronization protocol that streamlines user lifecycle management for IT administrators by centralizing user information. Through their identity provider, customers automate processes such as employee onboarding, offboarding, and role provisioning, ensuring streamlined and centralized access control.

Additionally, with MFA (Multi-factor Authentication), our customers enhance their account security with an extra layer of protection. Users must provide a second form of authentication, such as a time-based one-time password (TOTP) or a text-message code, alongside their password, mitigating unauthorized access attempts.

Comprehensive Audit Logging Process

When dealing with financial data, accountability and transparency are vital. Our thorough audit logs are designed to provide a precise and complete record of all activities conducted within the platform, enabling traceability back to individual users and API keys.

This functionality empowers customers to swiftly pinpoint the source of any issues and take necessary action. Moreover, it provides customers with comprehensive oversight of their team's activities.

Our dashboard enables customers to effortlessly access and export their audit logs in large volume, streamlining data analysis and insight generation. Moreover, our enterprise clients can seamlessly integrate audit logs into their log management systems and Security Information and Event Management (SIEM) systems, ensuring smooth operation.

Data Encryption and Authentication

  • Robust Encryption

Optimus employs strong encryption for data both in transit and at rest across the entire platform.

Utilizing Transport Layer Security (TLS) version 1.2 or higher, the industry standard for secure communications, all data in transit is encrypted. This encryption spans all transmissions between our customers and servers, as well as between our servers and those of our bank partners, safeguarding against eavesdropping, tampering, and impersonation.

Additionally, we encrypt all sensitive data at rest with the Advanced Encryption Standard (AES) in 256-bit GCM mode, an authenticated-encryption mode widely regarded as the strongest option available, which protects both the confidentiality and the integrity of stored data. This ensures that all sensitive data stored on our servers remains encrypted, guarding against unauthorized access.

Our encryption procedures are painstakingly designed to exceed the strictest industry requirements for data both in transit and at rest.
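The following is an added example in Go, not code from the original page or from Optimus, showing what AES-256-GCM at rest looks like when it is combined with the metadata tagging described under "Segmenting Dataset for Security". The tenant and record identifiers are passed to GCM as additional authenticated data, so a ciphertext that is copied to another tenant's row, or tampered with in storage, fails the tag check instead of decrypting to garbage. A second, envelope layer wraps each tenant's data key under a key-encryption key, which is one common reading of "multiple layers of encryption"; that layering, the context string format, and the function names are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newDataKey returns a fresh random 256-bit key. In production the key-encryption
// key would live in a key management service, not in the application process.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts plaintext with AES-256-GCM. The context string (tenant and
// record identifiers, i.e. the metadata tag) is bound as additional authenticated
// data: it is stored in the clear, but any mismatch at decryption time fails the
// tag check. Output layout: nonce || ciphertext || 16-byte tag, fresh nonce per call.
func sealRecord(key []byte, context string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(context)), nil
}

// openRecord reverses sealRecord. It fails if the key, the context or any byte of
// the ciphertext differs from what was sealed.
func openRecord(key []byte, context string, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(context))
}

// Envelope layer (assumed design): each tenant's data key is sealed under a
// key-encryption key, so rotating the KEK means re-wrapping keys rather than
// re-encrypting every record.
func wrapDataKey(kek, dataKey []byte, tenant string) ([]byte, error) {
	return sealRecord(kek, "dek:"+tenant, dataKey)
}

func unwrapDataKey(kek, wrapped []byte, tenant string) ([]byte, error) {
	return openRecord(kek, "dek:"+tenant, wrapped)
}

func main() {
	kek, _ := newDataKey()
	dek, _ := newDataKey()
	wrapped, _ := wrapDataKey(kek, dek, "tenant-acme")
	// Constructed sample record and context.
	ctx := "tenant=tenant-acme;table=cards;row=42"
	blob, _ := sealRecord(dek, ctx, []byte("constructed sample record"))
	dek2, _ := unwrapDataKey(kek, wrapped, "tenant-acme")
	pt, err := openRecord(dek2, ctx, blob)
	fmt.Printf("%q err=%v\n", pt, err)
	_, err = openRecord(dek2, "tenant=tenant-other;table=cards;row=42", blob)
	fmt.Println("wrong tenant context:", err)
}
```

Two properties are worth checking in any real implementation of this pattern: the nonce must never repeat under the same key (here it is random per call, which is safe for GCM only while the number of records per key stays far below 2^32), and the context string must be derived from the authoritative ownership metadata at read time, not taken from the stored blob itself.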

  • Authentication with API Key

We provide integration options such as API key authentication and authorization. API keys offer customers a secure means to access our platform through a unique identifier and secret key. With these choices, customers can select the method that aligns best with their security requirements and seamlessly integrate with our platform.

System Security

API Security

Secured Data Transmission

Our API traffic exclusively utilizes HTTPS, the industry standard for secure data transfer. Paired with industry standard ciphers, this ensures end-to-end security, encrypting data during transmission to thwart interception and unauthorized access.

Customized Permissions and Layered Encryption for API keys

We provide API keys with customizable permissions, empowering our customers to precisely regulate the actions permissible with each key. Additionally, our API keys are securely stored with multiple layers of encryption, fortifying protection against unauthorized access. Moreover, we furnish our customers with a comprehensive user interface and API interface, facilitating effortless auditing and disabling of any compromised keys.

IP Allowlisting and Traffic Rate Limiting

To deter API misuse, our customers have the flexibility to configure IP allowlists per API key, granting them control over data access permissions. Furthermore, we enforce traffic rate limiting to prevent excessive or improper API usage. This capability maintains API usage within predefined thresholds, preventing any individual or system from inundating the API with excessive requests.

Together, these controls protect against malicious, unintentional, or unauthorized use while guaranteeing our API's availability and responsiveness to valid requests.
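As an added example that is not part of the original page and not Optimus's implementation, the Go program below shows how the three API-key controls described above (per-key permissions, a per-key IP allowlist, and rate limiting) compose into a single authorization decision, and how every decision, allowed or denied, becomes an audit record that traces back to the key ID, as the "Comprehensive Audit Logging Process" section describes. Storing only a SHA-256 hash of the key secret, the token-bucket limiter, the scope names, and the documentation-range addresses are all assumptions of this example; the page does not describe Optimus's storage scheme or its rate-limiting algorithm.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/netip"
	"time"
)

// Callers get coarse errors; the audit event carries the precise reason.
var (
	ErrUnauthorized = errors.New("unauthorized")
	ErrRateLimited  = errors.New("rate limited")
)

// tokenBucket refills at refillPerSec up to capacity; each request costs one token.
type tokenBucket struct{ capacity, tokens, refillPerSec float64; last time.Time }

func (b *tokenBucket) take(now time.Time) bool {
	b.tokens += now.Sub(b.last).Seconds() * b.refillPerSec
	if b.tokens > b.capacity {
		b.tokens = b.capacity
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// apiKey is a constructed record. Keeping only a SHA-256 hash of the secret is an
// assumption for this example; the page does not describe Optimus's storage scheme.
type apiKey struct {
	ID         string
	secretHash [32]byte
	scopes     map[string]bool
	allowlist  []netip.Prefix // empty means no source-address restriction
	Disabled   bool           // set to true to revoke a compromised key
	bucket     *tokenBucket
}

func newAPIKey(id, secret string, scopes, cidrs []string, burst, perSec float64, now time.Time) (*apiKey, error) {
	k := &apiKey{ID: id, secretHash: sha256.Sum256([]byte(secret)), scopes: map[string]bool{},
		bucket: &tokenBucket{capacity: burst, tokens: burst, refillPerSec: perSec, last: now}}
	for _, s := range scopes {
		k.scopes[s] = true
	}
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, err
		}
		k.allowlist = append(k.allowlist, p)
	}
	return k, nil
}

// auditEvent is written for every call, allowed or denied, so each action traces
// back to a specific key ID and source address.
type auditEvent struct {
	Time                          time.Time
	KeyID, Action, Source, Result string
}

// authorize checks, in order: key enabled, secret (constant-time compare), source
// address within the key's allowlist, action within the key's scopes, per-key rate limit.
func authorize(k *apiKey, secret, source, action string, now time.Time) (auditEvent, error) {
	ev := auditEvent{Time: now, KeyID: k.ID, Action: action, Source: source}
	deny := func(reason string, err error) (auditEvent, error) { ev.Result = reason; return ev, err }
	if k.Disabled {
		return deny("key disabled", ErrUnauthorized)
	}
	h := sha256.Sum256([]byte(secret))
	if subtle.ConstantTimeCompare(h[:], k.secretHash[:]) != 1 {
		return deny("secret mismatch", ErrUnauthorized)
	}
	addr, err := netip.ParseAddr(source)
	if err != nil {
		return deny("unparseable source address", ErrUnauthorized)
	}
	if len(k.allowlist) > 0 {
		inList := false
		for _, p := range k.allowlist {
			inList = inList || p.Contains(addr)
		}
		if !inList {
			return deny("source not in allowlist", ErrUnauthorized)
		}
	}
	if !k.scopes[action] {
		return deny("scope not granted", ErrUnauthorized)
	}
	if !k.bucket.take(now) {
		return deny("rate limited", ErrRateLimited)
	}
	ev.Result = "allowed"
	return ev, nil
}

func main() {
	now := time.Now()
	// Constructed key: read-only scope, documentation-range /24 allowlist, burst 2, refill 1/s.
	k, _ := newAPIKey("key_demo_01", "constructed-secret", []string{"payments:read"}, []string{"203.0.113.0/24"}, 2, 1, now)
	for i := 0; i < 3; i++ {
		ev, err := authorize(k, "constructed-secret", "203.0.113.7", "payments:read", now)
		fmt.Printf("%+v err=%v\n", ev, err)
	}
}
```

The ordering matters for the audit trail: denials for a bad secret or an out-of-allowlist address are recorded before the rate limiter is consulted, so a flood of failed attempts never consumes the legitimate caller's quota, yet each failed attempt still appears in the log with the key ID and source address that a SIEM rule can correlate on.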

Secure Software Development Lifecycle (SDLC)

Best Coding Practices with Rigorous Change Management

To uphold code quality and accountability throughout the development process, we've instituted a rigorous change management system. This system fosters coding best practices and imposes stringent guidelines for code review and approval.

As part of our change management protocol, all modifications to the codebase undergo meticulous review and testing before implementation. This proactive approach enables us to detect potential issues early and guarantees that only top-notch code is deployed to production.

Moreover, our system incorporates a division of responsibilities, assigning distinct team members to various stages of the development process. This practice not only facilitates comprehensive code review but also mitigates the risk associated with one individual exerting excessive control over the codebase.

Our change management system undergoes regular audits, and we continuously seek avenues for enhancement.

Thorough Inspections

We at Optimus conduct detailed scanning throughout our application development process to identify any vulnerabilities in our products. Our testing incorporates a blend of static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA).

SAST scrutinizes the application's source code to pinpoint potential vulnerabilities preemptively. Conversely, DAST emulates real-world attacks on the running application to uncover vulnerabilities that may elude static testing. Meanwhile, SCA examines all third-party components within the application for known vulnerabilities.

We can identify and fix vulnerabilities early in the development process thanks to this combination of testing approaches.

Industry Standard Penetration Testing

At Optimus, we actively test our systems to ensure their security. A key part of this is regular third-party penetration testing, where experts simulate real-world attacks to uncover vulnerabilities. We partner with industry-leading testing providers who have the expertise and tools to conduct thorough assessments.

Our team collaborates closely with these professionals to cover all attack surfaces, including external application penetration testing on our web dashboard and API, and internal penetration testing on our network segmentation and cloud infrastructure. By regularly conducting these tests, we stay vigilant in addressing potential vulnerabilities before they can be exploited.

Infra Security Measures

Network Security

  • Firewall

Our Next Generation Firewall offers enhanced security and visibility into network traffic. It combines the capabilities of a traditional firewall with advanced features such as deep packet inspection, an intrusion prevention system (IPS), application awareness, and SSL/SSH inspection, making it a valuable component of a comprehensive cybersecurity strategy.

  • Intrusion Prevention System (IPS)

For real-time threat detection and prevention, we deploy an Intrusion Prevention System (IPS) across our entire cloud infrastructure footprint.

The IPS continuously monitors network traffic for malicious activity and, when it detects any, acts to stop it by reporting, blocking, or dropping the offending traffic. This proactive approach enables immediate investigation and remediation of security incidents. Continuously updated with the latest threat intelligence and security updates, our IPS remains vigilant against emerging threats. Any flagged event prompts our team for a timely response.

  • DDoS Protection

A distributed denial-of-service (DDoS) attack aims to disrupt the regular flow of traffic to a targeted server, service, or network by inundating it or its surrounding infrastructure with an excessive volume of internet traffic.

We harness cutting-edge cloud technologies to fortify our defenses against DDoS attacks, ensuring uninterrupted service delivery and maintaining high availability even when under such assaults.

Routine Data Backups

Ensuring data availability and operational continuity is paramount to us. We maintain a robust data backup and recovery system to guarantee the safety and accessibility of our customers' data at all times. Our data backups are regularly stored across multiple cloud data centers situated in diverse regions, mitigating risks associated with issues in any single data center. This strategy not only facilitates uninterrupted data access but also minimizes the likelihood of data loss during unforeseen events such as natural disasters or power outages.

We test our data backup and recovery system on a regular basis to confirm its functionality and to ensure quick data restoration in an emergency. To further protect sensitive data, encryption is applied to every backup.

Data security with Static IPs

Static IP addresses remain constant and unchanging. To facilitate our customers' firewall management, static IPv4 addresses have been integrated for both inbound and outbound traffic. This enables customers to effortlessly allowlist and authorize access to their resources while simplifying access log tracking and monitoring.

Dynamic Scaling

Ensuring exceptional availability and performance, and upholding the high SLA promised to our customers, is central to our mission. To achieve this, we dynamically scale computational resources within our infrastructure, guaranteeing uninterrupted service even during peak-hour traffic. Autoscaling is integrated across various layers of our infrastructure, spanning from databases and computing resources to CDN and DNS services.

Industry Standard System Hardening and Security Guidelines

We bolster our systems by implementing industry-standard system-hardening practices and adhering to top security guidelines such as CIS AWS Level 1. These guidelines are esteemed as best practices for securing cloud-based systems, aiding us in configuring our systems securely and mitigating the risk of misconfiguration and weak security settings. Our team consistently monitors and audits our systems to verify correct configurations and promptly address any newly identified vulnerabilities.

POLP Compliance

The Principle of Least Privilege (POLP) governs employee access, ensuring they only possess the minimum access essential for their job duties. Our access provisioning system operates on role-based parameters, regularly audited to uphold POLP compliance. This strategy not only safeguards customer data but also mitigates security breaches stemming from human error.

Security Insights

In the dynamic landscape of cybersecurity, where new threats continually emerge, our team remains vigilant by consistently monitoring and analyzing threat intelligence data from diverse sources such as industry reports, government agencies, and trusted partners. This proactive approach enables us to stay abreast of the latest threats and vulnerabilities, empowering us to take preemptive actions to safeguard our systems and data.

Audit Trail

Every activity within our cloud infrastructure undergoes meticulous monitoring and recording, granting us oversight over storage, analysis, and remedial actions. This comprehensive approach ensures impeccable visibility and accountability. Additionally, we safeguard our audit trail by storing and backing it up in a highly secure location, deterring unauthorized access and thwarting malicious tampering.

Regular Infrastructure Checks

We conduct routine assessments and audits on our infrastructure, covering customer-facing and backend systems, as well as internal tooling and resources. Utilizing infrastructure configuration scanning, we ensure the security and correct configuration of our infrastructure.

The scanning process is tailored to pinpoint and flag security vulnerabilities, misconfigurations, and compliance discrepancies. This enables swift identification and remediation of any issues within our infrastructure. Our security team diligently oversees and audits scan results, collaborating closely with the development team to promptly and effectively address any vulnerabilities.

Customer Support

We maintain a specialized team of information security experts who are readily available to safeguard customer information round the clock, ensuring its continual safety and security.

Corporate Security

Training in Security and Background Investigations

At the core of our security measures are our people. We initiate comprehensive background checks and administer annual security training to all employees, ensuring they stay abreast of the latest security protocols and can adeptly address security risks. Moreover, our developers undergo annual security coding training, emphasizing secure coding practices to mitigate potential vulnerabilities in our systems and applications.

Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC)

Through MFA, our employees must present two or more forms of identification to access our systems, fortifying security by permitting only authorized personnel to reach the company’s digital assets. Additionally, we enforce Role-Based Access Control (RBAC), restricting employees to systems and information pertinent to their roles. This safeguards against unauthorized access to sensitive data, even if an attacker compromises an employee's credentials.

Endpoint Detection and Response (EDR)

We equip our employees with cutting-edge antivirus and endpoint detection and response (EDR) software on their workstations. These systems utilize advanced algorithms and artificial intelligence to swiftly identify and thwart cyber threats. Additionally, they offer real-time monitoring and protection for enhanced security.