Payitoff is a web-based debt repayment application designed for financial advisors and their firms to evaluate their client's debt burdens. The application also provides free tools for borrowers to gain visibility into their debt, as well as an API for companies to use with their customers. The Payitoff product is designed, developed, operated and owned by Instrumentals Labs, Inc., based in New York City.
Payitoff hosts its application with Amazon Web Services, a leading infrastructure and hosting services provider. We apply security controls at each application layer and isolate web applications and data. We also apply best practices to ensure the security of our customer data.
Payitoff's physical infrastructure is hosted and managed within Amazon’s secure data centers and utilize the Amazon Web Service (AWS) technology. Amazon continually evaluates risk and undergoes recurring assessments to ensure compliance with industry standards and best practices. Amazon’s data center operations have been accredited under:
- ISO 27001, ISO 27017, ISO 27018
- SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3
- PCI DSS Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
- SEC Rule 17a-4(f)
For additional information see: AWS Compliance
PCI - Payment Data
Payitoff uses PCI compliant payment processor Stripe for encrypting and processing credit card payments. Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry. Credit card numbers are not stored on the Payitoff platform. We are able to provide an SAQ A for customers needing proof of PCI compliance.
Payitoff follows best practices of application development and prevents common web software attacks. Our infrastructure provides DDoS mitigation techniques, such as TCP Syn cookies and connection rate limiting in an effort to maintain multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth.
We use the latest technologies and consistently update of our framework for newly discovered security vulnerabilities. Our development process includes continuous vulnerability scanning and automated testing to ensure our team is maintaining a high level of security for our codebase.
Our application traffic runs entirely over 256-bit encrypted SSL (https). Passwords are hashed before storing using bcrypt and application credentials are kept separate from the database and our code base.
Spoofing and Sniffing Protections
Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor which will not deliver traffic to an interface which it is not addressed to. Payitoff utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.
Port scanning is prohibited and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and access is blocked.
Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.
Host-based firewalls restrict customer applications from establishing localhost connections over the loopback network interface to further isolate customer applications. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed.
Data Reliability and Backup
All user data on Payitoff is backed up nightly to prevent data loss. We have the ability to do point-in-time recovery of our entire database in the event of a system-wide emergency.
Data in Transit
- All data transmission between your computer and our servers is encrypted, using industry-standard HTTPS protocol.
- Our HTTPS implementation is rated A+ by independent Qualys SSL Labs.
- Our SSL certificate uses 2048-bit asymmetric and 256-bit symmetric encryption.
Payitoff utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.
For additional information see: AWS Security
Fire Detection and Suppresion
Automatic fire detection and suppression equipment has been installed to reduce risk at Amazon facilities. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
The data center electrical power systems at Amazon are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide backup power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide backup power for the entire facility.
Climate and Temperature Control
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Monitoring systems and data center personnel ensure temperature and humidity are at the appropriate levels.
Data center staff at Amazon monitor electrical, mechanical and life support systems and equipment so issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
We partner with Quovo to provide account aggregation for our planning tools used by financial advisors. All banking credentials are managed by Quovo, and we do not store credentials, social security numbers or answers to security questions on the Payitoff platform.
Payitoff has read-only access to financial accounts through Quovo. No one can move any money in, out or between accounts.
For additional information see: Quovo's Security Page
Access to Client Data
Payitoff staff does not access or interact with client data as part of normal operations. There may be cases where Payitoff team members interact with client data for support purposes or where required by law. Payitoff may also inspect client data to debug and troubleshoot platform issues.
If you have any specific questions regarding our security policies you can always email us at [email protected].