At SavvyMoney, safeguarding your data is more than a commitment - it's an integral part of our DNA. We consider it our prime responsibility to uphold unrivaled confidentiality, privacy, and security standards to shield your data.
Explore further by selecting any topic card, or enhance your access to comprehensive knowledge base responses and downloadable documentation by setting up an account.
Documents
Trust & Compliance Center Updates
We proudly announce that SavvyMoney has achieved the Cloud Security Alliance (CSA) STAR Level II Certification. This prestigious certification underscores our unwavering commitment to cloud security and data protection.
The CSA STAR Level II Certification is a rigorous, independent assessment that evaluates the security measures we have implemented to protect our clients' data. This certification validates our robust security framework and demonstrates our dedication to maintaining the highest cloud security standards.
At SavvyMoney, we strive to give our clients the utmost confidence in our security practices. Achieving the CSA STAR Level II Certification reinforces our promise to safeguard sensitive information and deliver exceptional service.
Please login to download the CSA STAR Level II Certification.
Dear IT Teams,
As part of our commitment to maintaining the highest standards of email communication security and compliance, SavvyMoney is actively updating our email server configurations. We strongly encourage you to review and update your email server settings. This initiative is crucial for avoiding delivery issues and fortifying the security of our mutual email interactions.
Important Update - TLS Configuration and Certificate Verification:
Starting March 31st, 2024, SavvyMoney will enforce stricter security measures regarding email communications. Specifically, we will verify the validity of public TLS certificates and ensure that hostnames match accordingly. This measure is crucial to maintaining secure and trusted communication channels. If your organization's email servers possess certificates that need to be updated or valid according to these new standards, SavvyMoney cannot send emails to your domain. This step underscores our commitment to safeguarding our digital ecosystem against potential security threats.
Recommendations for IT Teams:
- Please review and Update TLS Certificates: Ensure all certificates are current and valid and properly match the hostnames to comply with our upcoming security protocols.
- Verify DNS Settings: Reassess your DNS configurations, focusing on Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting & Conformance (DMARC), and DomainKeys Identified Mail (DKIM) settings. Correct and secure DNS settings are vital for email authentication and protection against malicious activities.
TLS Configuration and Enforcement by Major Providers:
Please remember that major email service providers, such as Office365 and Google, have mandated using Transport Layer Security (TLS) and certificate validation since 2020. If your email servers are not aligned with these practices, we recommend taking immediate action to ensure compliance. Thank you for your prompt attention to this crucial matter.
We are pleased to announce that our organization has completed the SOC 2 Type II audit from March to September. This achievement demonstrates our ongoing commitment to maintaining high standards of security, availability, processing integrity, and confidentiality of our systems and services. Please login to download the latest report.
We have proactively addressed the HTTP/2 Rapid Reset Attack vulnerability. Last night, on October 11th, we adjusted our Nginx thresholds to minimize the potential for such attacks. We are also in close communication with Nginx, awaiting further patches to bolster our server's defenses even more.
To address concerns regarding potential exploitation: We have not detected any exploitation of this vulnerability in our environment at this time.
For our clients' peace of mind:
- Our API and widget services are safeguarded against this vulnerability thanks to AWS WAF's automatic mitigation.
- Our educational platform remains secure, as Cloudflare automatically protects it from such vulnerabilities.
Your security is our top priority, and we continue to take every necessary step to ensure the safety and reliability of our services.
Update 09/11/2023
SavvyMoney has chosen to continue support for the ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipher suite, which is frequently utilized by the legacy Windows Server 2012. Please be advised that Microsoft's Extended Support for Windows Server 2012 and its R2 variant is set to conclude on October 10th, 2023.
For our partners' convenience and preparation, SavvyMoney will maintain support for ECDHE_RSA_WITH_AES_256_CBC_SHA384 only up to December 31st, 2023. We urge our partners to use this time to facilitate necessary upgrades.
SavvyMoney Security Team
Dear Valued Partner,
We're excited to inform you of essential security upgrades that we have undertaken to enhance the protection of your data.
Enhanced Security Measures: In our commitment to provide exceptional security and align with industry standards, we have integrated new security ciphers in line with SOC2 and the latest PCI 4.0 compliance. These ciphers represent the cutting-edge in data protection, ensuring your data's encryption, integrity, and overall security are of the highest caliber.
Transition Details: The older ciphers, once pivotal for safeguarding your transactions and data, will now be phased out. Our systems will solely rely on the updated security ciphers, guaranteeing your information's utmost confidentiality, integrity, and authenticity.
Reason for the Change: Our decision to embrace the new security ciphers stems from our unwavering pledge to ensure the pinnacle of security for your sensitive data. Adhering to SOC2 and PCI 4.0 standards means we consistently assess and refine our security measures in response to the ever-evolving landscape of threats.
Your Next Steps: Should your organization possess specific security configurations that this transition might impact, we urge you to revisit your security guidelines to confirm compatibility with our newly supported ciphers. Our dedicated support team stands ready to guide and assist you with any queries or concerns.
Our Newly Supported Ciphers: ECDHE-ARIA128-GCM-SHA256 ECDHE-ARIA256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-ARIA128-GCM-SHA256 ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-PSK-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305
For further assistance or to obtain more details, you can reach our security team at security@savvymoney.com. We hold your partnership in high esteem and are here to back you every step of the journey.
Warm regards,
SavvyMoney Security Team
Exciting updates!
1. The Cloud Security Alliance CAIQ (Consensus Assessments Initiative Questionnaire) is now available for download. This questionnaire is a valuable tool for assessing the security of cloud providers.
2. We've also posted our most recent Certificate of Insurance for your reference.
If you would like to send: security@savvymoney.com an Encrypted Signed Message. Our Public PGP key is below.
-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEZM2XnhYJKwYBBAHaRw8BAQdAp/sI8WUhaY6jq16IAv/3EHhJkNStXKc8 IbDvWSHNckDNMlNhdnZ5TW9uZXkgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlA c2F2dnltb25leS5jb20+wowEEBYKAD4FgmTNl54ECwkHCAmQXIXC9KjPnuwD FQgKBBYAAgECGQECmwMCHgEWIQRtBahtcb2qS77/BpdchcL0qM+e7AAAHf0A /RXGWO49p0Ejqt4SiZohRo6RoHqRRUs1q8RFOsGE3iX5AQDwYxSH3JLdo5ib KWKGj6M2P6SMauF05zpYHo83nWUrAs44BGTNl54SCisGAQQBl1UBBQEBB0DH 2S3P1mqvAGhXTSPvSaNcR6ZM0nxomIX+CXh21pmXIgMBCAfCeAQYFggAKgWC ZM2XngmQXIXC9KjPnuwCmwwWIQRtBahtcb2qS77/BpdchcL0qM+e7AAAS3cB AM6xeAKgKzaisQsOI77AdM5GjNQD8fT+zwGpOJmGHVvrAP40om5uCpMrML/o DkdhlZ0gQptYUoFU0oAHVHLfrU87AA== =03Sr -----END PGP PUBLIC KEY BLOCK-----
SavvyMoney and AWS are aware of CVE-2023-20593, otherwise known as "Zenbleed," and can confirm this issue affected AMD "Zen 2", also known as "Rome," CPUs that power the C5a, C5ad, G4ad, and G5 instance families. Because of the design of the EC2 Nitro hypervisor, there is no risk of cross-instance data access. The updated microcode from AMD has been applied to all C5a, C5ad, G4ad, and G5 instances. SavvyMoney has already confirmed all remediations by AWS for any instances using the Zen 2 architecture.
SavvyMoney wants to assure our valued customers that our systems remain unaffected by the MoveIT vulnerability. In light of recent concerns, we understand the importance of addressing potential security risks promptly.
Rest assured, SavvyMoney has taken proactive measures to ensure the security and privacy of our client's information. We do not utilize MoveIT within our infrastructure. Our robust security measures, including firewalls, encryption protocols, and regular security audits, help protect against potential threats.
That's why we want to highlight the joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), which provides valuable insights into the MoveIT vulnerability. You can find the joint advisory on CISA's website. We encourage you to review the advisory to stay informed about the risks associated with the vulnerability.
We remain committed to maintaining a secure environment for our customer's data and will continue to invest in the necessary resources to uphold the highest security standards.
Don't hesitate to contact our dedicated customer support team for any questions or concerns. We value your trust in SavvyMoney and are here to provide you with a secure and reliable financial experience.