Our Security Policy

Version 1.5. Latest update: 06/01/2023

First, Soraban is undergoing continuous SOC 2 compliance and security monitoring with SecureFrame (https://secureframe.com/).

Second, we are always striving to improve security in our design. We help you meet the challenge of managing your teams, your clients and the shared data, so you can rest easy when you can your clients upload and share data through our platform.

Our software is built on the of the most credible and secure storage API that help you stay secure and compliant so you can better protect your organization. These services all comply with the most widely accepted standards and regulations like ISO 27001 and SOC 1, 2, and 3. There is a link for each service if you want to know more information.

Data Security

Encryption-at-rest

  • All sensitive data in transit and at rest must be encrypted using strong, industry-recognized algorithms.
  • Soraban maintains approved encryption algorithm standards. These internal standards are reviewed and subject to change when significant changes to encryption standards within the security industry change.
  • Soraban will not engage in “roll-your-own” encryption, algorithms, or practices and will not use “security through obscurity” within production infrastructure or applications.
  • All Soraban-owned, employee-utilized laptops are to have full disk encryption enabled at all times, as these devices are expected to interact with Soraban resources, infrastructure and/or client data while performing Soraban business.
  • All Soraban-owned wireless networks, including both corporate and guest networks, are to encrypt corporate office data in transit using WPA2-AES encryption.

Encryption-in-transit

  • The minimum acceptable TLS standard in use by the company is TLS v1.3.
  • All Soraban public web properties, applicable infrastructure components and applications using SSL/TLS, IPSEC and SSH to facilitate the encryption of data in transit over open, public networks, must have certificates signed by a known, trusted provider.

Password Security

  • Soraban employees must use complex passwords, where possible, for all of their accounts that have access to Soraban data.
  • “Complex” passwords have at least one uppercase letter, one lowercase letter, one number, and one non-alphanumeric character, and are at least 10 characters long.
  • All generated passwords for Soraban users and system accounts must be unique. Soraban employees may not reuse passwords that are or were used elsewhere, e..g passwords used for personal accounts.
  • A common way attackers obtain access to corporate resources is by using employees’ personal passwords that were obtained in breaches of other services.
  • When creating end-user passwords for the first time and/or during a password reset, the VP of Engineering must also force the end-user to change their password upon logging in for the first time.
  • Soraban employees are required to use 1Password to manage their passwords and generate sufficiently complex passwords.
  • All Soraban system and user passwords must be encrypted when stored at rest within an application or database.
  • All Soraban system and user passwords must be encrypted during transmission.
  • Under no circumstances should Soraban employees share their account passwords with anyone, including other Soraban employees.


Access Monitoring

  • Each Soraban employee has a unique user ID and password that identifies him/her as the user of a Soraban IT asset or application.
  • Soraban's server database is physically located in data centers for Amazon Web Services (AWS), one of the world’s most secure and widely-used cloud computing platform. Learn More

Data Erasure

  • By default, a customer’s data is stored for the duration of his or her contract with Soraban.
  • Soraban may provide the option for customers to delete data after their subscription ends. This request must be made by the customer, and Soraban may require additional ID verification. Soraban should hard delete all information from currently-running production systems within one week of the deletion request.

Product Security

  • Service-Level Agreement is available for enterprise customers upon request.
  • 2FA is available for all the firm users and contractors.

Free up your team from admin work

Request Demo
Modern client data collection software built for tax firms.
Privacy PolicySecurity
Support
Help Center
© 2023. All rights reserved.