Is my information secure?

Security is architected into the Seraf platform. Seraf enforces an SSL/TLS encrypted session every time you log on. SSL certificates protect data in transit between users and the websites they are connected to. Clicking on the settings box before the Seraf URL at the top of your screen confirms that your session is secure, and displays more information. Read our Privacy Policy and Terms of Use for additional information.

For those interested in further security details, read below to better understand how seriously Seraf takes security.

Seraf runs on a secure stack. We start with the Pantheon platform described here - https://pantheon.io/security - and we run Drupal 7 on top of that. Through Pantheon, we contract to subject our version of Drupal to regular security audits and updates. Drupal is used by government agencies and large organizations who depend on its security. Both we and Pantheon monitor security developments, and we implement all security patches, usually the same day they are released. Drupal's architecture implements protections against SQL injection, CSRF attacks, XSS attacks, and similar common problems. We follow best practices for all custom code we write on top of the Drupal 7 platform, including those enumerated here - https://www.drupal.org/docs/7/security/writing-secure-code.

We require HTTPS for all connections to the website, and use an HSTS header so that even the initial visit is encrypted.

Phishing attacks are a problem for everyone. However, our staff members are knowledgeable, and their activities on the website are logged. We keep daily backups, and can roll back the site in the event we are compromised.

Even the most secure websites are vulnerable to attack. Weak user credentials are a possible issue, so it’s important for users to choose a strong password. We require 8 characters minimum and 2 character types. We also recommend that our clients try to minimize the amount of personal data they load into Seraf. For example, any documents that contain detailed personal information such as social security numbers shouldn’t be uploaded.

In fact, we have a few clients who wish to remain anonymous and have chosen to provide a non-traceable account name and use an email address that is specific to Seraf. This limits a hacker’s ability to track down the individual investor.

Security is a process. No website is ever 100% secure, and we regularly review our own practices to try to improve where we can.
