Security, Privacy and Compliance

Working with Alterest means working with a secure solution and partner who understands the requirements of banks and financial institutions worldwide.

Introduction

From the very beginning, we’ve built Alterest to treat your data the way we’d want ours treated—private and secure. That means:

  • Your data stays in your control. Period.
  • You can always look under the hood. No black boxes here.

We have established a gold-standard security posture and a commitment to protecting customers' data.

Cloud without compromises

We are SOC 2 compliant and use solutions that abide by the data security and privacy policies defined by SOC 2.

  • We’ve designed our architecture to prioritize isolation of customer data.
  • We encrypt data in transit and at rest.

Enterprise grade compliance


SOC 2 Compliant

Our SOC 2 report attests to the controls we have in place governing the security of customer data as they map to Trust Service Principles (TSPs) established by the American Institute of Certified Public Accountants (AICPA).


General Data Protection Regulation

At Alterest, we’ve worked to make our products, processes, and procedures GDPR-compliant.


ISO 27001

Alterest is ISO 27001 certified by a third party and manages information security risk through a robust framework of design, implementation and continuous monitoring.

Data privacy

Data sharing and processing

  • Alterest follows GDPR and SOC 2 guidelines to ensure data protection obligations to our customers. This includes only collecting, processing, and storing customer data in compliance with these obligations.
  • Alterest provides controls for deleting customer data when it is no longer needed for a legitimate business purpose.

Data disposal

  • Alterest maintains industry-standard security practices to ensure data is removed.

Vendor management

  • Alterest engages only with trusted vendors that are governed by SOC 2.

Network testing and vulnerability disclosure

Network Testing

  • In addition to our compliance audits, Alterest frequently engages independent entities to conduct application-level and infrastructure-level network tests.

Vulnerability disclosure

Alterest is committed to working with security experts across the world to stay up to date with the latest security techniques.

Access management, encryption, and endpoint security

Access management

  • Alterest adheres to the principle of least privilege and uses role-based permissions when provisioning access.

Encryption

  • Alterest encrypts data using industry-standard protocols.
  • Sensitive data is encrypted.

Endpoint Security

  • Alterest’s default configuration sets up workspaces/workstations to encrypt data at rest, require strong passwords, and lock when idle.

Network security & system monitoring

Network security

  • Alterest segments its systems into separate networks with modern, restrictive firewalls between networks to better protect sensitive data.
  • Testing and development systems are hosted in a separate network from production infrastructure systems.
  • Alterest logs, monitors, and audits all system calls, and has alerting in place for calls that indicate a potential intrusion or exfiltration attempt.

System monitoring, logging, and alerting

  • Alterest monitors the infrastructure of servers to gain a comprehensive view of the security state.
  • Analysis of logs is automated to detect potential issues and alert responsible personnel.

Disaster recovery & incident response

Disaster recovery and business continuity plan

  • Alterest adheres to disaster recovery and business continuity procedures as per SOC 2.
  • Alterest tests backup and restore capabilities annually to ensure successful disaster recovery.

Responding to security incidents

  • Alterest has established policies and procedures for responding to potential security incidents.
  • All security incidents are managed by Alterest’s dedicated Incident Response Team. The policies define the types of events that must be managed via the incident response process and classify them based on severity.