How do we secure your data?

Application Security

PassportCard implements a security-oriented design across multiple layers, including the application layer. The PassportCard application is developed according to the OWASP Top 10 framework and all code is peer reviewed prior to deployment to production.

Our controlled CI/CD process includes static code analysis, vulnerability assessment, end-to-end testing, and unit testing that addresses authorization aspects and other aspects. PassportCard developers receive periodic security training to stay updated on secure development best practices.

Infrastructure Security

Another critical layer of security is our infrastructure. We employ multiple defense mechanisms, including:

• Firewalls for enforcing IP whitelisting and access through permitted ports only to network resources
• A web application firewall (WAF) for content-based dynamic attack blocking
• DDoS mitigation and rate limiting
• IDS/IPS sensors for early attack detection
• Advanced routing configuration
• Comprehensive logging of network traffic, both internal and edge

Data Encryption

PassportCard ensures the encryption of all data, both in transit and at rest:

• Traffic is encrypted using TLS 1.3 with a modern cipher suite, supporting TLS 1.2 at minimum.
• User data is encrypted at rest across our infrastructure using AES-256 or better.
• Credentials are hashed and salted using a modern hash function.

External Security Audits and Penetration Tests

Independent third-party assessments are essential for gaining an accurate, unbiased understanding of your security posture. PassportCard conducts annual penetration tests on both the application level and the infrastructure level, performed by reputable independent auditors.

Additionally, PassportCard undergoes external auditing as part of SOX audits, ISO certifications, and other external audits.

Supply Chain

We are aware of the security risks posed by your suppliers. Each supplier undergoes a risk survey, signs confidentiality agreements, and enters into contracts that include information security requirements. We also conduct periodic supplier surveys for all critical suppliers.

Physical Security

Our physical security measures in our offices include personal identification-based access control, CCTV, and alarm systems. Our data center is also equipped with security measures, CCTV cameras, access control, and an alarm system.

Disaster Recovery and Backups

PassportCard is committed to providing continuous and uninterrupted service to all its customers. We consistently and continuously backup data. All backups are encrypted and stored in multiple locations.

Our Disaster Recovery Plan undergoes annual testing to assess its effectiveness and to ensure our readiness in case of a service interruption.

Security in Human Resources

PassportCard acknowledges that its security relies on its employees. Therefore, all our employees undergo thorough information security awareness training during onboarding, with additional security training provided on a quarterly basis. Additionally, all employees are required to sign our Acceptable Use Policy.

Access Control

We understand the importance of data privacy and confidentiality. Regular user access reviews are conducted to ensure appropriate permissions are in place, following the need-to-know principle. Employee access rights are promptly updated in case of employment changes.

Authentication

Customer access to the personal area for self-service or administrator access requires two-factor-authentication (2FA).

For more information, you can contact our CISO (Chief Information Security Officer)

at ciso-q@PassportCard.co.il