Date of Last Revision: December 11, 2021
The CirculateBLACK security program is aligned to the NIST Cybersecurity Framework Functions and a combination of controls from NIST 800-53, CIS CSC Top 20, and the PCI Data Security Standard.
Audits and third-party assessments for compliance
Audits: Annually, CirculateBLACK engages external assessors to audit its compliance with PCI requirements.
Continuous Testing: CirculateBLACK engages external scanning and penetration testing providers to conduct network-level and application-level penetration testing and vulnerability scanning.
Software development life cycle
CirculateBLACK’s software development life cycle is fully integrated with our security organization and strategy. Risk assessment of software projects is based on the OWASP Top 10. Secure coding principles are emphasized, and developers undergo recurring secure coding training. Static Code Analysis, Dynamic Code Analysis, and Software Composition Analysis are performed at multiple stages of the software development life cycle. All code is version controlled and subject to peer review, integration, functional, and QA testing.
How we protect customer data
CirculateBLACK takes a number of steps to protect customer data. This is a collaborative effort to identify and mitigate risks and implement best practices.
Data encryption in transit
Data submitted to the CirculateBLACK website and transmitted over public or open networks is encrypted. TLS version 1.2 or later is used, with AES-256 as the cryptographic algorithm. The security team continuously monitors changing encryption standards, makes recommendations, and implements changes as needed.
Encryption at rest
We use the FIPS-approved AES-256 cryptographic algorithm when encrypting datasets at rest.
Secure infrastructure hosting service
CirculateBLACK infrastructure is hosted with KESHANDE Technology’s Forward Web Services. Forward Web maintains multiple certifications for its data centers, including ISO 27001 compliance and PCI DSS Certification.