Refi.com performs appropriate due diligence in selecting service providers to ensure that they meet Company needs and expectations and that they have adequate security controls to safeguard our customer information.
Refi.com uses hosting services at Liquid Web. They are a highly secure tier 1 provider. Liquid Web is SOC, SSAE 16, and SAS 70 compliant. These are very stringent security requirements and provide the level of security confidence required. Liquid Web compliance will be reviewed annually to ensure their SOC security certification has not been revoked. As of June 15, 2011, SAS 70 reports are no longer valid. The SAS 70 was replaced by the SSAE 16, SOC (Service Organization Control) report. Created and maintained by the American Institute of Certified Public Accountants (AICPA), the SSAE 16 SOC report verifies, with an independent party, that our operations meet professional standards. Vendors are required to be tier 1 providers with SOX-compliant security measures, redundancy and disaster recovery in place. To ensure the highest level of security protection, the exact security equipment and processes are not released by Liquid Web. This policy from Liquid Web is to firewall knowledge of the internal architecture from potential hackers. Liquid Web’s certification by an independent 3rd party auditor ensures their infrastructure and processes meet or exceed certification requirements.
Liquid Web has redundant firewalls, malware scanning and DDoS protection. The core updates with the latest security patches are automatically applied to Refi.com’s website. The Liquid Web security team is on the job 24/7, monitoring our site for suspicious activity and protecting it against brute force and DDoS attacks.
All consumer data is encrypted from the browser to the server. This traffic uses SSL Certificates (Secure Socket Layer) to validate the Refi.com website’s identity and to encrypt the information visitors send to, or receive from, our site. This keeps thieves from spying on any exchange between Refi.com and our customers. An SSL Cert protects our customers’ sensitive information such as their name, address, etc. by encrypting the data during transmission from their computer to the Liquid Web hosted web server. SSL is the standard for web security. The Refi.com site’s SSL certificate enables the browser and Web server to build a secure, encrypted connection. The SSL “handshake” process, which establishes the secure session, takes place discreetly behind the scenes without interrupting the consumer’s web experience. A “padlock” icon in the browser’s status bar and the “https://” prefix in the URL are the only visible indications of a secure session in progress. All SSL-protected sites display the https:// prefix in the URL address bar.
Refi.com’s current Safeguard Policy statement includes requirements for strict adherence to user access controls, such as a secure password policy and limited badge access to the server room. Data encryption is protected by Transport Layer Security (TLS) to include Secure Sockets Layer (SSL) communications. Software patch updates are handled as needed. Server security is addressed in THREE separate locations via encrypted SSL communications. Penetration testing may be handled by a third-party vendor/consultant on a reasonable basis. Malicious code prevention and intrusion detection systems are part of the services provided by Microsoft, Ellie Mae, and Velocify.