Security at Routable

There’s nothing more important to us than providing a secure and protected product. Routable meets ISO 27005 and SOC 2 Type I and II standards and we conduct comprehensive audits of our applications, systems, and networks to ensure that your data is always protected.

Routable offers many security features, including Single Sign-On, role-based access controls (RBAC), and access management across multiple workspaces to ensure best-in-class protection.

Single Sign On

Routable supports SSO (Single Sign-On) for:

• Google Apps SSO using OAuth2.0.
• SSO using Security Assertion Markup Language (SAML) 2.0 compatible identity providers such as:
  • Microsoft Azure
  • Okta / Auth0
  • OneLogin
  • Ping

Role-Based Access Controls

Access to data within the Routable application is governed by role-based access controls (RBAC). Routable has various permission levels for users (Admin, IT Admin, Creator, Approver, Vendor/Customer Manager, Collaborator, Developer).

Alerts for suspicious login activity

As an additional measure of security, Routable notifies members with an email who don’t follow their usual sign-in patterns and display unusual login activity. This could include things like signing in from an unusual IP address, or a new device.

Password and Credential Storage

Routable enforces a password complexity standard, and stores credentials using industry recognized encryption methods.

Routable’s security and availability architecture is built on SOC 2 Type 2, CIS hardening benchmarks, and other best practice data protection controls.

Physical Security & Data Hosting

• Routable uses AWS data centers in the United States. The services and data are hosted in Amazon Web Services (AWS) facilities in the USA.
• AWS data centers offer leading edge Failover and Disaster Recovery, Virtual Private Cloud, Back Ups and Monitoring.

Dedicated Security Team

Routable’s Security Team is on call 24/7 to respond to security alerts and events.

Intrusion Detection and Prevention

Routable has designed multiple layers of security monitoring to detect anomalous behavior. When incidents and security events exceed predetermined thresholds, our 24/7 on-duty security team acts upon it.

We also conduct annual penetration tests, perform regular vulnerability scanning, and have a detailed security incident response plan.

Permissions and Authentication

Access to customer data is limited to authorized privileged employees who require it for their job responsibilities.

Data In Transit

Routable forces HTTPS for all services, using Transport Layer Security (TLS), we encrypt sensitive data that is moving between our platform, our partners, financial institutions, and your application. All client communication with the Routable API requires API key authentication and utilizes cryptographically hashed headers and timestamps to verify authenticity.

Routable utilizes 256-bit AES standard encryption, which is also employed by international financial institutions and the U.S. government.

Data at Rest

All sensitive data is encrypted in flight and at rest. We prohibit any connection to Routable unless encryption (SSL/TLS) is in place and configured properly. Using sophisticated security controls, we protect data on our servers and in our databases.

Routable practices extensive processes and controls to ensure application security. All Routable engineers utilize common best practices defined by standards like OWASP, NIST and CIS Benchmark.

Secure Code Development (SDLC)

Routable engineering adheres to industry-standard secure coding practices, such as those recommended by OWASP.

Framework Security Controls

Routable leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP top security risks, and utilizes scanning tools to improve the overall security of our dependencies .

Quality Assurance

Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Separate Environments

Testing and staging environments are logically separated from the production environment. No service data is used in our development or test environments.

Routable Responsible Disclosure Policy

If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@routable.com. We will acknowledge your email within one(1) business day.

• Please provide us with as much information as possible relating to the vulnerability, so that we may validate and attempt to reproduce it. Ideally this would include a write-up with POC (Proof of Concept) and your approach on how to remedy the vulnerability.
• Please provide us ample time to validate, reproduce, and resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within thirty(30) days of disclosure.
• Please make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Routable service. Please only interact with accounts you own or for which you have explicit, documented permission from the account holder.
• If you prefer to encrypt your findings, a PGP (GPG v2) public key can be requested to ensure your submission is safe in transit and at rest.
• Please note, Routable, Inc cooperates with state, federal, and international law-enforcement agencies.

Exclusions: While researching, the following activities are prohibited:

• Denial of Service/Distributed Denial of Service (DoS DDoS)
• Invasive Hijacking (e.g. Domain takeover, MITM attack)
• Spamming (e.g. Attempting to flood our endpoints with UCE)
• Social engineering or phishing of Routable employees, contractors, clients, or vendors
• Any attacks against Routable’s physical property or data centers

Test types that are excluded from this scope:

• 3rd party providers and services
• UI & UX bugs and spelling mistakes

Thank you for helping to keep Routable and our clients safe!

At Routable we ensure that our employees adhere to the highest security standards by implementing extensive employee background checks and multiple administrative controls.

New Hire & Annual Security Training

Every Routable employee receives general security awareness training during onboarding, and annually, while technical and engineering employees receive regular training on secure development practices.

Phishing Specific Training

Risk based training campaigns for employees based on scores from initial, annual, or quarterly trainings.

Information Security Policies and Procedures

Every employee acknowledges our annual reviewed information security related policies.

Employee Endpoint Protection and Anti-virus

Every employee device is equipped with device management software, antivirus protection, and endpoint detection and response capabilities.

Enforced Standards for Employee Device Configuration

Employee devices are centrally managed, configured, and monitored for deviations from the approved configuration settings.

When funds are posted to your account, the regulated payment and e-money institutions with whom we work safeguard customer funds in accordance with applicable regulatory requirements. Customer funds held in payment accounts or e-wallets are maintained with reputable financial institutions and/or safeguarded through applicable protection mechanisms required by law.

These safeguarding measures are designed to protect customer funds in the event of the insolvency of a relevant payment or e-money institution or Routable, subject to applicable laws and regulatory requirements. Safeguarding obligations generally cease once funds have been successfully paid out to a beneficiary’s account.

If you would like additional information regarding the safeguarding of your funds, including the institutions involved at a particular point in time, please contact us.

Routable has built its Information Security Management System on top of industry recommended controls to ensure the best practice protection controls are implemented based on industry standards and we are compliant with applicable local, federal and state regulations, as well as industry standards.

SOC 1 & SOC 2 Type 2

Routable is SOC 1 & SOC 2 Type II certified. If you are interested in receiving the report please contact us or visit https://security.routable.com/.

All Routable funding partners are AICPA SOC2 certified and compliant. Our data storage and network architecture was configured to satisfy the requirements of the most security-sensitive organizations. Learn more about SOC2 compliance. Dwolla security documentation. Plaid security documentation.

Security and Compliance Status Dashboard

Security compliance reports, questionnaires, penetration tests reports, and facts about Routable’s security program can be requested through our portal: security.routable.com.

CSA Star Registry

Routable is designated Level 1: Self-Assessment based on Cloud Controls Matrix (CCM) or Common Assessment Initiative Questionnaire (CAIQ)

Privacy Policies

• Privacy at Routable
• Data Protection Agreement
• Publicly Listed Sub-processors

Legal Resources

For information on Routable’s legal and privacy terms, please visit Routable Terms of Service