We’ve built Routable according to the highest security standards and offer industry-leading administration and access management tools.
There’s nothing more important to us than providing a secure and protected product. Routable meets ISO 27005 and SOC 2 Type I standards, and we conduct comprehensive audits of our applications, systems, and networks to ensure that your data is always protected.
Routable offers many security features, including Single Sign-On, role-based access controls (RBAC), and access management across multiple workspaces to ensure best-in-class protection.
Routable supports single sign-on (SSO) through Google Apps, based on OAuth 2.0.
Access to data within the Routable application is governed by role-based access controls (RBAC). Routable defines the following permission levels for users: Admin, IT Admin, Creator, Approver, Vendor/Customer Manager, Collaborator, and Developer.
As an additional security measure, Routable emails members when a sign-in deviates from their usual pattern, for example a sign-in from an unusual IP address or from a new device.
Routable enforces a password complexity standard and stores credentials using industry-recognized cryptographic methods.
Routable’s security and availability architecture is built on SOC 2 Type II, CIS hardening benchmarks, and other best-practice data protection controls.
Routable’s services and data are hosted in Amazon Web Services (AWS) data centers located in the United States.
AWS data centers offer leading-edge failover and disaster recovery, Virtual Private Cloud (VPC) networking, backups, and monitoring.
Routable’s Security Team is on call 24/7 to respond to security alerts and events.
Routable has designed multiple layers of security monitoring to detect anomalous behavior. When incidents and security events exceed predetermined thresholds, our 24/7 on-duty security team responds.
We also conduct annual penetration tests, perform regular vulnerability scanning, and have a detailed security incident response plan.
Access to customer data is limited to authorized employees who require it for their job responsibilities.
Routable enforces HTTPS for all services. Using Transport Layer Security (TLS), we encrypt sensitive data moving between our platform, our partners, financial institutions, and your application. All client communication with the Routable API requires API-key authentication and uses cryptographically hashed headers and timestamps to verify the authenticity of each request.
Routable uses AES-256 encryption, the same standard employed by international financial institutions and the U.S. government.
All sensitive data is encrypted in transit and at rest. We refuse any connection to Routable unless TLS encryption is in place and configured properly. We protect data on our servers and in our databases with layered security controls.
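The API authentication described above (an API key plus hashed headers and a timestamp) is a request-signing pattern. The block below is an added illustration of that pattern, written for this page; it is not Routable’s documented API scheme, and the header names, the canonical string layout, the key store, and the 300-second skew window are all assumptions. It signs the method, path, timestamp and a SHA-256 of the body with HMAC-SHA256 under the shared secret, and the verifier rejects stale timestamps, unknown keys, and any signature mismatch using a constant-time comparison.

```python
import hashlib
import hmac
import time

# Assumed illustrative scheme (not Routable's documented API): the client holds
# an API key id and a shared secret, sends a timestamp header, and signs
# (method, path, timestamp, SHA-256(body)) with HMAC-SHA256.
MAX_SKEW_SECONDS = 300  # assumed acceptable clock skew / replay window

# Constructed sample credential store for the example: key id -> secret bytes.
API_KEYS = {"key_123": b"s3cr3t-assumed-shared-secret"}


def canonical_string(method, path, timestamp, body):
    """Deterministic string both sides sign; the body is bound via its hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(key_id, secret, method, path, body, timestamp=None):
    """Client side: build the three authentication headers for a request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    msg = canonical_string(method, path, ts, body).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Api-Key": key_id, "X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(headers, method, path, body, now=None):
    """Server side: return (ok, reason) for an incoming request."""
    secret = API_KEYS.get(headers.get("X-Api-Key"))
    if secret is None:
        return False, "unknown key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    now = int(time.time()) if now is None else int(now)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    msg = canonical_string(method, path, ts, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"amount": 100}'  # constructed sample payload
    hdrs = sign_request("key_123", API_KEYS["key_123"], "POST", "/v1/payments", body)
    print(verify_request(hdrs, "POST", "/v1/payments", body))
    print(verify_request(hdrs, "POST", "/v1/payments", b'{"amount": 999}'))
```

The timestamp window bounds how long a captured request can be replayed, but a request can still be replayed inside that window; a server that needs strict single-use semantics would additionally record a per-request nonce or the signature itself for the length of the window and reject repeats.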
Routable follows extensive processes and controls to ensure application security. All Routable engineers apply common best practices defined by standards such as OWASP, NIST, and the CIS Benchmarks.
Routable engineering adheres to industry-standard secure coding practices, such as those recommended by OWASP.
Routable leverages modern, secure open-source frameworks with built-in security controls to limit exposure to the OWASP Top 10 risks, and uses scanning tools to improve the overall security of our dependencies.
Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Testing and staging environments are logically separated from the production environment. No service data is used in our development or test environments.
If you believe you've discovered a potential vulnerability, please let us know by emailing us at email@example.com. We will acknowledge your email within 24 hours.
Please provide us with as much information as you can about the vulnerability, so that we can validate and potentially reproduce it. Ideally, please send us the location and potential impact of the vulnerability.
Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within 7 days of disclosure.
Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Routable service. Please only interact with accounts you own or for which you have explicit, documented permission from the account holder.
We understand the hard work that goes into security research. We'll show our appreciation in the best way we can, based on the effort needed, criticality of the issue, and the responsible disclosure of the potential vulnerability.
Exclusions: While researching, we'd like you to refrain from:
Distributed Denial of Service (DDoS)
Social engineering or phishing of Routable employees or contractors
Any attacks against Routable's physical property or data centers
Test types that are excluded from this scope:
3rd party providers and services
UI & UX bugs and spelling mistakes
If you'd like to encrypt the information you send to us, please download our PGP key.
Thank you for helping to keep Routable and our customers safe!
At Routable we ensure that our employees adhere to the highest security standards by implementing extensive employee background checks and multiple administrative controls.
Every Routable employee receives general security awareness training during onboarding, and annually, while technical and engineering employees receive regular training on secure development practices.
Employees also receive risk-based training campaigns, targeted according to their scores from initial, annual, or quarterly trainings.
Every employee acknowledges our annually reviewed information security policies.
Every employee device is equipped with device management software, antivirus protection, and endpoint detection and response capabilities.
Employee devices are centrally managed, configured, and monitored for deviations from the approved configuration settings.
Routable has built its Information Security Management System (ISMS) on industry-recommended controls, so that best-practice protection controls are implemented according to industry standards and Routable remains compliant with applicable local, state, and federal regulations as well as industry standards.
Routable is SOC 1 & SOC 2 Type II certified. If you are interested in receiving the report please contact us or visit https://security.routable.com/.
All Routable funding partners are AICPA SOC 2 certified and compliant. Our data storage and network architecture is configured to satisfy the requirements of the most security-sensitive organizations. See also: SOC 2 compliance, Dwolla security documentation, and Plaid security documentation.
Security compliance reports, questionnaires, penetration tests reports, and facts about Routable’s security program can be requested through our portal: security.routable.com.
Routable holds a CSA STAR Level 1: Self-Assessment designation, based on the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ).
For information on Routable’s legal and privacy terms, please visit the Routable Terms of Service.