Organizational Security

Date of Last Revision: December 11, 2021

The CirculateBLACK security program is aligned to the NIST Cybersecurity Framework Functions and a combination of controls from NIST 800-53, CIS CSC Top 20, and the PCI Data Security Standard.

Audits and third-party assessments for compliance

Audits: Annually, CirculateBLACK engages external assessors to audit its compliance with PCI DSS requirements.

Continuous Testing: CirculateBLACK engages external vulnerability scanning and penetration testing providers to conduct network-level and application-level penetration testing and vulnerability scanning.

Software development life cycle

CirculateBLACK’s software development life cycle is fully integrated with our security organization and strategy. Risk assessment of software projects is based on the OWASP Top 10. Secure coding principles are emphasized, and developers undergo recurring secure coding training. Static code analysis, dynamic code analysis, and software composition analysis are performed at multiple stages of the software development life cycle. All code is version-controlled and subject to peer review as well as integration, functional, and QA testing.

How we protect customer data

CirculateBLACK takes a number of steps to protect customer data. This is a collaborative effort to identify and mitigate risks and implement best practices.

Data encryption in transit

Data submitted to the CirculateBLACK website and transmitted over public or open networks is encrypted. TLS version 1.2 or later is used, with AES 256-bit encryption. The security team continually monitors changes in encryption standards, makes recommendations, and implements changes as needed.

Encryption at rest

We use the FIPS-approved AES 256-bit cryptographic algorithm when encrypting datasets at rest.

Secure infrastructure hosting service

CirculateBLACK infrastructure is hosted with KESHANDE Technology’s Forward Web Services. Forward Web maintains multiple certifications for its data centers, including ISO 27001 compliance and PCI DSS certification.