The environment that hosts our services maintains multiple certifications for its data centers, including ISO 27001 compliance, FedRAMP authorization, PCI Certification, and SOC reports. For more information about their certifications and compliance measures, please visit the Microsoft Azure Trust Center, the AWS Security website and AWS Compliance website.
PCI-DSS: All of our direct payment gateways adhere to PCI-DSS compliance standards, as managed by the PCI Security Standards Council. Where PCI compliance is relevant, we rely on PCI-compliant service providers (PayPal, for example) to process credit card information securely.
Cymax provides ongoing privacy and security training to its staff, and requires employees to read and sign confidentiality and non-disclosure agreements as conditions of their employment.
Confidentiality & Access Controls
Cymax employees and contractors are subject to written confidentiality obligations and are prohibited from accessing customer data unless absolutely necessary. Our security policies include limiting access to systems only where individual roles require it (least privilege).
All customer data processed by Cymax infrastructure is encrypted in transit (with TLS 1.2) and at rest (with AES-256 encryption) using the latest cipher suites and protocols. In addition, we enforce full disk encryption on all corporate devices.
Our infrastructure systems are fault tolerant, and our ops team implements and regularly tests measures for backing up critical data.
We use firewalls that are configured according to industry best practices and implement multi-factor authentication for all servers across our various environments, including production.
External Security Audits
We conduct audits and penetration tests to ensure security and privacy are sound and to monitor for new vulnerabilities.
Product Security & Privacy by Design
New features, functionality and design changes at Cymax go through a security and privacy review process by our teams. Code is tested and is manually peer-reviewed prior to being deployed to production.
Service Provider Relationships
All third-party services that could potentially impact the security of our or our customers’ information are reviewed by our platform team. Cymax requires all service providers to agree not to retain, use or disclose personal information for any purpose other than for the specific purpose of performing the services specified in their agreements with us.