Security is the top priority of Marble and Inverite.

Marble and the Inverite platform were designed from the ground up around data security and privacy, using the Payment Card Industry Data Security Standard (PCI DSS) as a guideline, and have had an AICPA SOC 2 Type 1 report prepared by AuditWerx, a division of Carr, Riggs and Ingram Capital LLC. Our SOC 2 Type 1 report is confidential but available upon request.

Data Security

All data transmitted to clients is sent over strong TLS 1.2+ encrypted channels and authenticated with private API keys. Client portal access is restricted by username and password, with minimum password strength requirements enforced.

All services are segmented in a Virtual Private Cloud (VPC), and all public communication between Marble services uses TLS 1.3 encryption. All instances use encrypted drives and all relational data is also encrypted at rest.

Employee access to servers is only possible through a VPN using multi-factor authentication.

All Marble services are hosted in Amazon Web Services' Montreal facility. This facility is PCI DSS 3.2 compliant.

No third-party vendors are ever provided access to any systems, software or data.

A variety of internal, external and third-party scanning services run at regular intervals to check for network and software vulnerabilities or weaknesses.

Additional optional security features are available to clients, including API IP whitelisting and multi-factor authentication at login for dashboard users.

Regulatory Compliance and Open Banking

Although currently unregulated, it is our expectation that the Government of Canada will soon be regulating Open Banking / Consumer-directed finance. We look forward to this, as it will address many of the security issues surrounding screen-scraping and lead to higher levels of consumer confidence and satisfaction. In anticipation of this, Marble is a proud member of Financial Data Exchange, is a founding member of FDX Canada, and is active in several working groups and technical task forces. Marble is also a member of FDATA, an open-banking lobbying organisation that was heavily involved in the rollout of Open Banking in the UK.

Policies

Policies are in place to cover all aspects of data security and all new hires are trained on data security and related policies. Our employee security policies and training cover the following topics:

INFORMATION SECURITY

Asset management policies

Data and document classification, handling and retention policies

Mobile device, email and removable media policies

Physical security policy

Encryption, passwords, remote access and VPN policy

Clean desk and screen policy

Third party policy

Security incident response plan

WORKSTATION, MOBILE DEVICE AND SERVER CONFIGURATION

NETWORK SECURITY

Customer access control

Access reviews

Malware and virus defense

Encryption algorithms

Change control procedures

Patch management

Server operating systems

Audit logs

Security event escalation

Boundary defense

Firewall management

Data loss prevention

APPLICATION DEVELOPMENT AND SDLC

Environments

Version management

Workflow and code promotion procedures

Change management

Third-party development (not permitted)

FACILITIES

Video surveillance

Visitor log

Emergency evacuation procedures

Fire detection and suppression

Power

DISASTER RECOVERY

Backup procedures

Disaster recovery plan

Review and testing

HUMAN RESOURCES

New hires

Access provisioning and escalation for developers

Termination