At MoneyForward i, we take security & compliance seriously and know how important it is in today’s increasingly globalized and digitalized world of SaaS applications. Our customers’ security concerns are of paramount importance to us, which is why we ensure that your data in IT Management Cloud (ITMC) is protected locally and on our servers through our strict security protocols. We follow the industry standard in security & compliance and are constantly applying better protocols to protect you and your data.
MoneyForward i adheres to industry and international standards in cybersecurity protocol.
All user credentials used for integration with SaaS services are encrypted using AES-256 (Advanced Encryption Standard) encryption before getting saved to our database. Credentials for each integration and each organization in our system are encrypted using different encryption keys. The keys are managed by Amazon Web Services Key Management Service (AWS KMS), which has its own hardware-level safety measures to protect encryption keys. We went a step further to isolate the credential database from the rest of the application database, allowing for stricter security control.
ITMC is built with front-end and back-end API separately. API access is restricted through member and admin scopes; the organization administrators can customize permissions for every account registered in ITMC. After a user requests access to the API server, the server will ensure that the authenticated user has the proper scope to invoke the API and grant them access. Only users with admin-level permission are allowed access to the settings and other administrative functions, such as payments.
All SaaS app connections and deprovisioning actions are recorded in the system for auditing purposes. Audit logs for the last three months are stored in the ITMC database, which users can freely access through the application.
ITMC utilizes SAML authentication to allow for the implementation of Single Sign-On (SSO) so that customers can set their own access rules, such as multi-factor authentication (MFA).
ITMC uses AWS to manage all infrastructure resources, including the compute layer, database, and messaging service. Amazon maintains and demonstrates SSAE-16 SOC 1, 2, and 3; ISO 27001; and FedRAMP/FISMA reports and certifications. Our platform’s infrastructure is located on servers in secure data centers.
The ITMC infrastructure is split between the web system and the system that keeps user-sensitive data for stricter control. We allow for no inbound public access to the latter.
All data sent to or from ITMC is encrypted using TLS, and all customer data is encrypted at rest by AWS Aurora and AWS DynamoDB.
The ITMC infrastructure is designed to be fault-tolerant. All databases operate in cluster configurations, with auto-scaling when applicable. This provides additional redundancy and resiliency to customer data.
Access to all ITMC systems is managed through our identity provider Azure AD, which automates user provisioning, enforces two-factor authentication (2FA), and logs all activity. Only limited members have access to the production environment.
Since we’re very serious about security, we’re also currently in the auditing process to obtain SOC 2 certification. If you have any security concerns, please reach out to our team at [[email protected]] so that we can address them promptly.