Security Best Practices
We recommend that clients implement the following processes to manage access to FundApps’ platform:
- Provisioning processes, to ensure that users granted access to the FundApps platform are authorised to have it and are given an appropriate role and scope.
- De-provisioning processes, to ensure that users who are no longer authorised to use the FundApps platform have their access revoked in a timely fashion.
- Regular access reviews, to ensure there haven’t been any exceptions to the two previous processes, and that all access is still required (e.g. all users have logged in to the FundApps platform in a recent time period) and is still adequate in terms of privileges and scope.
The privileges granted to each role in the FundApps platform are listed in our help center article.
Sharing Files & Screenshots
In your e-mail correspondence with FundApps, please do not attach confidential information such as passwords or entire upload files used in your FundApps production environment. If in doubt, please consult us beforehand.
Additionally, in order to protect confidential information, please make sure that you mask sensitive information in screenshots (e.g. ISIN, Quantity held, % holding). Please do not share security identifiers (e.g. instrument names, issuer names) but instead provide us with IDs. These are more specific and do not expose security- or asset-level information.
If you have decided to apply IP restrictions to your FundApps environment, please inform us of any changes to your production and Disaster Recovery IPs. Failing to do so could impact the availability of the FundApps platform to your users.
Restricted Email domains
As with IP restrictions, please inform us of any changes to the list of email domains your FundApps platform should be restricted to.
All actions in FundApps are logged to the audit trail (under Admin > Audit Trail).
Users who have been granted Administrator privileges can access this audit trail. In case of abnormal activity in the platform, these users can review or export the audit trail in order to identify abnormal behaviours.
Third Party Security Assessment of FundApps
FundApps has selected the Cloud Security Alliance (CSA) STAR Self-Assessment to convey our current security practices. This questionnaire maps each of its 310 questions to 35 different security standards, including ISO 27001 and SOC 2, and you can find FundApps’ self-assessment on the Cloud Security Alliance website.
Furthermore, FundApps holds a SOC 2 Type II Report, which we can share with our clients.
FundApps recommends that clients implement Single Sign-On for the FundApps platform, for enhanced security and for the best experience for the client’s users.
Instructions on how to set up Single Sign-On are available in this article on our help center. If Single Sign-On isn’t a viable option, clients should implement FundApps’ two-factor authentication. Instructions on how to do this are available in this article on our help center.