Data Security is Paramount to Good Data Stewardship: How We Protect Data at Archipelago
Protecting your Data: View from the CTO
As an enterprise software company entrusted with storing and managing customer data, we consider data security of utmost importance. To help you formulate your data security practices, I’ll share what we do at Archipelago to keep our data secure—in many cases, we significantly go above and beyond current data security norms.
We put a lot of thought into the design of our platform as we knew we’d have to store sensitive customer data. At the architecture level, we made sure we did everything we could to keep data secure. To minimize legal exposure as much as possible, we store only the required information on the platform, and nothing more.
This philosophy includes PII (Personally Identifiable Information). While the definitions of and regulations around PII are still evolving, our platform is designed to be compliant and up-to date with the various privacy regulation standards.
We’re also in the process of becoming SOC-2 compliant. A nice side benefit of SOC-2 is that it simplifies the vendor risk assessment for large enterprise prospects. Having said that, we have already passed security audits and questionnaires from our customers, some of which are the largest companies in our industry.
How We Designed a Secure System for Sharing SOVs
The current industry practice during the placement process entails SOVs (spreadsheets with portfolio information) being shared with the market. More often than not, these SOVs are shared via email. These files can be so large, Gmail automatically turns them into Google Drive files. On other email clients, a Dropbox or Box folder might be required for sharing. This means these files are now in a folder with default settings, which could be anything, including open to the public.
Also, after the file is sent, the sender has essentially lost any control of that file. The recipient can forward the spreadsheet to others or edit it with any auditing trail. Lastly, there’s not a way for the original sender to see who has opened the file, nor who has access to it.
We’ve eliminated both these problems on Archipelago’s platform. By creating a closed and secure system within our upload portal, the sender shares their information directly with our platform, eliminating any middle man and potential unwanted exposure.
Once the portfolio is shared on the platform, SOVs are no longer forwarded but, rather, permissioned for the platform's intended recipient. Access requires an account, so the sender can see who's accessed the shared stream.
This puts the control back into the hands of the customer and creates an accountability trail; a marked improvement over the current industry mechanisms.
General Platform Security Principles
The Archipelago platform is natively built in the cloud with Amazon Web Services (AWS). AWS itself uses a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.
We put a lot of effort into both physical and environmental security to protect the service against unauthorized access, use and modification. We encrypt data (including backups) in transit and at rest. As well, communication between the user and the platform is encrypted. Databases can only be accessed using authorized services, and in turn, these authorized services can only be accessed by authorized clients over the internet.
Our platform is a web application, which connects a browser to our application tier. We use state of the art challenge/response authentication. This means that the user needs to have access to the corporate email address they used during sign up. Our authentication is built using Auth0, an incredibly robust framework and standard that prevents bad actors from gaining access and monitors access to detect anomalies.
Personnel / Employee Security
Production access is limited to a small subset of employees, all of whom have been trained in our security processes and have passed a background check. Any changes to the platform require a 2-step sign-off, publish, and approval process. Security Incident Response Archipelago maintains an incident response plan designed to establish a reasonable and consistent response to security incidents, and suspected security incidents involving the accidental or unlawful destruction, loss, theft, alteration, unauthorized disclosure of, or access to proprietary data or personal data transmitted, stored, or otherwise processed by Archipelago.
For More Information
We have a standard security page with more details here.
Of course, there's a lot more to security than what fits on this page. If you have any questions or feedback, please don’t hesitate to reach out to me: roger at onarchipelago.com. Thanks for reading!
Don’t have an invite? Simply ask your broker, underwriter, or colleague if they have a code to share with you. Or, request one here.
More from Thought Leaders
"Now more than ever, it's time to modernize and simplify these dynamics... to create a platform that will make it simpler, clearer and more compelling to convey the critical information needed by underwriters..."
"AI is part of the solution to this semantic mess, but as I’ve learned through the course of investing in multiple analytics, AI and fin/insurtech start-ups, tech alone isn’t sufficient to change a business ecosystem..."
"Does this sound familiar - an enormous undertaking annually to collect property information from disparate reports and asset managers dodging your emails? Being limited to the cells on a spreadsheet for the information used by underwriters to price your risk? Meanwhile vast amounts of new data is available for risk managers..."
All rights reserved. Trademarks are the property of their respective owners.