At WealthForge, we treat our clients’ data with care and take pride that our solutions are trusted by consumers, partners, users, and investors. By leveraging AWS servers and using privacy- and security-by-design principles, we strive to ensure our applications meet or exceed industry standards. Additionally, our cybersecurity framework is a comprehensive strategy that we use to protect our technology and informational assets against unauthorized access, theft, and destruction. In compliance with the Framework, WealthForge lays out an overview of its security controls below.
Administration of Security Controls
WealthForge’s Cybersecurity working group administers the Firm’s cybersecurity framework. The Firm’s Chief Technology Officer and its Corporate Counsel jointly administer the cybersecurity program.
WealthForge anticipates the need to scale and support its security and availability requirements. As a result, WealthForge needed an infrastructure partner who can scale and support WealthForge’s growth. Amazon AWS is that partner. Amazon runs one of the largest cloud platform services and has developed significant expertise in building, operating, and maintaining the worldwide infrastructure required to support its business.
WealthForge leverages and adds security controls on top of Amazon AWS as follows:
The infrastructure security – operated collectively by WealthForge and Amazon AWS and further described below – starts with physical security, extends through the compute, network, and storage layers of the service, and is complemented by well-defined security and access policies.
WealthForge leverages AWS physical security for access to its physical servers and implements physical security controls in its offices as part of a comprehensive security strategy. This strategy aims to preserve the confidentiality, integrity, and availability of our services from physical threats.
AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers, and all physical access by employees is logged and audited routinely. When an employee no longer has a business need for these privileges, their access is immediately revoked, even if they continue to be an employee of Amazon.
Data center access and information are only provided to employees and contractors who have a legitimate business need for such privileges. All visitors and contractors are required to present identification and are signed in and continuously escorted by staff.
Physical access to the Company’s property and assets is essential to performing job functions, collaborating with third parties, and building and maintaining client relationships. These rules are in place to protect the employee and WealthForge. All employees are responsible for taking the appropriate steps, as outlined below, to ensure the safety and security of WealthForge facilities, physical assets, documents, and information.
The main office door is locked during non-business hours.
During non-business hours, access to the building is controlled through the use of electronic pass cards. Employees must have approval to receive a pass card.
Additional access to the office is controlled via electronic keypad entry using a personal identification number (PIN). Employees must submit a ticket for PIN activation. "Piggybacking," which is the practice of allowing another person through the entry after entering your PIN, is not allowed. Upon termination, employee PINs are deactivated.
While using WealthForge’s facilities, all employees must also follow the Company’s Acceptable Use Policy and Personally Identifiable Information (PII) Policy to ensure proper use, storage, and disposal of WealthForge physical assets, documents, and information.
Access cards and/or keys must not be shared with others.
Access cards and/or keys that are no longer required must be returned to the Technology Department. Lost or stolen access cards and/or keys must be reported to the Technology Department as soon as possible, so that their access may be removed.
Guests visiting the office are not allowed access to areas that may contain sensitive information. Guests are not eligible for pass cards or PIN activation for access-controlled entry into the office.
Contractors and extended guests may be granted access to the Company's offices for the duration of their visit. Upon completion of the visit, access to the offices is terminated.
The Technology Department will verify compliance with this policy through various methods, including, but not limited to, business tool reports, internal and external audits, and feedback to the policy owner. Any exception to the policy must be approved by the Technology Department in advance. An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Instance Level Security
WealthForge's Instance Level Security includes:
Palo Alto dual firewalls with only necessary ports available.
Palo Alto redundant firewalls are located on premises at the WealthForge office. Redundancy and fail-over have been tested successfully every 6 months.
SFTP is disabled on the firewall.
Data Security (Data-at-Rest)
WealthForge has made multiple investments to ensure customer and investor data is secure and available. The company’s proprietary platform stores user data in AWS’s S3 storage service. WealthForge limits access to this data store to specific individuals, and all access attempts are logged. Access to S3, even from within AWS, must be encrypted, providing additional assurance that the data is also transferred securely.
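As an added illustration (not WealthForge’s own configuration), the following S3 bucket policy enforces the two controls described above: every request that is not sent over TLS is refused, including requests originating inside AWS, and only an explicit list of IAM roles may touch the bucket. The bucket name, account ID, and role names are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::PLACEHOLDER-investor-data",
        "arn:aws:s3:::PLACEHOLDER-investor-data/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyAllButApprovedPrincipals",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::PLACEHOLDER-investor-data",
        "arn:aws:s3:::PLACEHOLDER-investor-data/*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/PLACEHOLDER-platform-role",
            "arn:aws:iam::111122223333:role/PLACEHOLDER-data-admin-role"
          ]
        }
      }
    }
  ]
}
```

Because explicit Deny statements override any Allow, the second statement will lock out every principal not in the list, including administrators; keep an administrative role in the list and apply the policy to a non-production bucket first. The access logging mentioned above is a separate setting (S3 server access logging or CloudTrail data events for the bucket), not part of the bucket policy itself.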
When WealthForge is engaged for broker-dealer services, investor data is also stored in compliance with Rule 17a-4 on Citrix’s ShareFile. Access to information on ShareFile is limited by job description. Access to ShareFile may only be granted by the super-administrator. By design, no data can be deleted from ShareFile, only archived and retrieved.
WealthForge also has additional access controls, including limits on the use of portable devices and prevention of the use of removable media.
Employee access to all systems, including third-party software applications, is immediately terminated upon resignation or termination.
Network Security (Data-in-Transit Security)
The AWS network provides protection against traditional network security issues, including:
WealthForge complements AWS network security with specific security controls for its platform and network. These include the use of Palo Alto firewalls, VPN for offsite work, antivirus, encryption, password management, and patching.
Availability and Performance Monitoring
WealthForge monitors the availability of its websites, servers, etc. WealthForge has additionally implemented a back-up internet service provider to minimize internet downtime in the home office.
AWS has multiple data centers for redundancy and reliability, as does Google, which is our email platform.
Security begins with the people WealthForge employs. WealthForge implements security controls for employees and contractors before, during, and after tenure at WealthForge.
Before hiring, all employees and independent contractors undergo background checks where permitted by law. The background check reviews both criminal and financial background indicators, including any actions that might trigger loss of the private placement exemption under the 506(d) Bad Actor rule. Additionally, all employees are made aware of their responsibilities, including security policies, as well as the repercussions for failure to adhere to said responsibilities and policies.
Upon hiring, WealthForge requires all employees to go through an on-boarding process that includes:
WealthForge conducts mandatory annual training for all employees on cybersecurity, confidentiality, and other HR training to clarify to its employees the extent of their obligations over data protection.
When Departing WealthForge
Least Privilege Access Policy
WealthForge requires that all access to its infrastructure, application, and data be controlled based on business and operational requirements. In all cases, administrative access is based on the concept of least privilege; users are limited to the minimum set of privileges required to perform their required job functions.
Software Development Security
The WealthForge Software Development Lifecycle is designed with precautions to reduce security risks during code development while delivering software functionality.
WealthForge Technologies, LLC’s secure software development lifecycle (S-SDLC) policies and standards align with the Open Web Application Security Project (OWASP) Software Assurance Maturity Model (OpenSAMM). OpenSAMM provides a framework to help organizations implement secure software development that can be customized to each organization’s industry-specific risk profiles.
Integrating security considerations into the software development lifecycle creates a security-focused development environment and a culture that values early risk identification and mitigation as standard operating procedure. WealthForge Technologies’ in-house development team follows the security-focused software development process outlined in this document to consistently provide a product designed to withstand ever-evolving cyber threat conditions. Outsourced development is limited to discrete processes and the code is reviewed in line with this policy before deployment.
Software Development Lifecycle
The WealthForge software development lifecycle uses an iterative approach to development by leveraging the Agile framework.
This iterative approach concentrates on producing frequent new versions of the software in incremental, short cycles. The process loops round with each of the stages being carried out many times in small iterations, or sprints. This results in small incremental releases with each release building on previous functionality. Each release is thoroughly tested to ensure software quality is maintained.
In Agile, development testing is performed in the same iteration as programming. Because testing is done in every iteration – which develops a small piece of the software – users can frequently use those new pieces of software and validate the value.
WealthForge incorporates security into various stages within the Software Development Lifecycle.
Strategy and Metrics
Strategy and Metrics activities include planning for secure software development and gathering data to validate the effectiveness of the plan. WealthForge Technologies has processes in place to address the following activities:
• Establish unified strategic roadmap for software security within the organization.
• Measure relative value of data and software assets and choose risk tolerance.
Policy and Compliance
Policy and compliance activities include establishing a compliance framework and associated auditing practices to ensure adherence to security standards. WealthForge Technologies has processes in place to address the following activities:
Understand relevant governance and compliance drivers to the organization, which includes:
• Identify and monitor external compliance drivers
• Build and maintain compliance guidelines
Establish security and compliance baseline and understand per-project risks, which includes:
• Build policies and standards for security and compliance
• Establish project audit practice
Require compliance and measure projects against organization-wide policies and standards, which includes creating compliance gates for projects.
WealthForge has implemented three Construction security practices: Threat Assessment, Security Requirements, and Security Testing.
The construction phase threat assessment includes identifying possible risks to the organization and facilitating risk management. WealthForge Technologies currently has processes in place to address the following activity:
Concretely tie compensating controls to each threat against internal and third-party software, which includes:
• Explicitly evaluating risk from third-party components.
To support the security requirements practice, security must be explicitly considered and included at the project level during the requirements gathering process. WealthForge Technologies currently has processes in place to address the following activities:
Consider security explicitly during the software requirements process, which includes:
• Derive security requirements from business functionality
• Evaluate security and compliance guidance for requirements
Mandate security requirements process for all software projects and third-party dependencies, which includes:
• Build security requirements into supplier agreements
• Expand audit program for security requirements
Implementing secure architecture promotes a “secure-by-design” framework upon which the software is built. WealthForge Technologies currently has processes in place to address the following activities:
Insert consideration of proactive security guidance into the software design process.
Direct the software design process toward known-secure services and secure-by-default designs, which includes:
• Identify and promote security services and infrastructure
• Identify security design patterns from architecture
Code review ensures and enforces code-level security standards to identify and mitigate potential vulnerabilities before code is deployed. WealthForge Technologies currently has processes in place to address the following activities:
Opportunistically find basic code-level vulnerabilities and other high-risk security issues, which includes:
• Perform point-review of high-risk code
During security testing, the software is tested in its runtime environment to identify any security concerns before deployment. WealthForge Technologies currently has processes in place to address the following activities:
Establish process to perform basic security tests based on implementation and software requirements, which includes:
• Derive test cases from known security requirements
• Conduct penetration testing on software releases
Make security testing during development more complete and efficient through automation, which includes:
• Utilize automated security testing tools
• Integrate security testing into development process
Require application-specific security testing to ensure baseline security before deployment, which includes:
• Employ application-specific security testing automation
• Establish release gates for security testing
Deployment entails the processes and activities related to how an organization manages the release of software that has been created. This can involve shipping products to end users, deploying products to internal or external hosts, and normal operation of software in its runtime environment. WealthForge has implemented three Deployment Security Practices: Vulnerability Management, Environment Hardening, and Operational Enablement.
Vulnerability management establishes processes for handling internal and external vulnerability reports to ensure a consistent response. WealthForge Technologies currently has processes in place to address the following activities:
Understand high-level plan for responding to vulnerability reports or incidents, which includes:
• Identify points of contact for security issues
• Create an informal security response team(s)
Elaborate expectations for response process to improve consistency and communications, which includes:
• Establish consistent incident response process
• Adopt a security issue disclosure process
Improve analysis and data gathering within response process for feedback into proactive planning, which includes:
• Conduct root cause analysis for incidents
• Collect per-incident metrics
Environment Hardening includes improving the organization’s operational environment to ensure the security of applications deployed within it. WealthForge Technologies currently has processes in place to address the following activities:
Understand baseline operational environment for applications and software components, which includes:
• Maintain operational environment specification
• Identify and install critical security upgrades and patches
Improve confidence in application operations by hardening the operating environment, which includes:
• Establish routine patch management process
• Monitor baseline environment configuration status
Validate application health and status of operational environment against known best practices, which includes:
• Identify and deploy relevant operations protection tools
• Expand audit program for environment configuration
Operational Enablement provides security standards for operational staff to configure, deploy, and run the organization’s software. WealthForge Technologies currently has processes in place to address the following activities:
Enable communications between development teams and operators for critical security-relevant data, which includes:
• Capture critical security information for deployment
• Document procedures for typical application alerts
Improve expectations for continuous secure operations through provision of detailed procedures.
Web Application Security Controls
WealthForge implements web application security controls in the entire software lifecycle, runtime operations, and monitoring.
Access to WealthForge
WealthForge implements IP blacklisting and other security controls to mitigate the risk of Distributed Denial of Service (DDoS) attacks at the global router level.
WealthForge Security Personnel
Members of the WealthForge Cybersecurity Team proactively monitor the development lifecycle and the infrastructure to keep security controls current. The security personnel’s work at each stage is described in the Software Development Security and Security and Penetration Tests sections.
Security and Penetration Tests
As part of its security strategy, WealthForge has penetration tests run on its platforms at least once a year.
WealthForge monitors its environments at all times using various third-party services. Monitoring tools include Threatstack for intrusion detection, Datadog for network performance and server uptime, and various AWS tools.
Personally Identifiable Information (PII) Policy
The Company takes seriously the protection and confidentiality of the Personally Identifiable Information (PII) of its employees, consultants, clients, prospective clients, issuers, partners, independent contractors, and vendors. This Personally Identifiable Information Policy is intended to be a comprehensive statement of the Company’s policies and procedures as they relate to PII, and is a vital component of the Company’s Comprehensive Cyber Security Framework.
This policy applies to all employees and consultants. Departments named in the policy have delegated authority for developing and implementing procedural guidance to ensure that their Departmental responsibilities under this policy are communicated and enforced.
Personally Identifiable Information (PII)
PII is defined as information that can be used to distinguish or trace an individual’s identity (such as their social security number, taxpayer identification number, employer identification number, biometric data, or other similar information) alone, or when combined with other personal information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, or other similar information.
PII may reside in hard copy or electronic records; both forms of PII fall within the scope of this policy.
The Company complies with federal and state law, and Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) regulations governing PII. The Compliance and Legal Departments work jointly to maintain PII security provisions and to oversee regulatory reporting requirements. If any provision of this policy conflicts with a statutory or regulatory requirement governing PII, the policy provision(s) that conflict shall be superseded.
PII Retention: The Company retains PII only as long as necessary, in accordance with applicable federal and state law, industry regulations, and the Company's Document Retention Policy. The Compliance, Legal, Technology, and Finance Departments work jointly to maintain organizational record retention procedures, which dictate the length of data retention and data destruction methods for both hard copy and electronic records.
PII Training: New hires who may have access to PII are provided with a copy of this policy, and with introductory training regarding the provisions of this policy and the implementation of procedures for the Department to which they are assigned. All employees whether in positions with regular ongoing access to PII or transferring into such positions are provided with training reinforcing this policy and procedures for the maintenance and protection of PII data.
Other Security Measures: In order to protect the privacy of its PII, the Company ensures that its Network remains secure. The Company maintains a current Network diagram and utilizes strong rules and configuration standards, as well as capable and regularly-updated anti-virus and malware software. The Company ensures that security updates and patches are promptly installed via a comprehensive remote management system. The Company also implements a strong password policy for all of its employees.
Data Management and Handling
Data Access: The Company maintains multiple IT systems where PII data may reside. User access to such IT systems is the responsibility of the Technology Department. The Technology Department has created internal controls for such systems to establish legitimate access for users of data, and access is limited to those approved by the Company. The access for such users is restricted to allow access only to the extent required, and all access to network resources containing PII is tracked and monitored by the Company. Any change in vendor status or the termination of an employee or independent contractor with access results in immediate termination of the user’s access to all systems where the PII may reside.
The Company controls access to paper records containing PII by locking such records in files and data storerooms. The Company carefully maintains its inventory and enforces accountability by following a strict and secure destruction schedule.
Data Transmission and Transportation
On-site Access to PII: The Technology Department manages on-site access to data that may include PII. The Legal and Human Resources Departments have operational responsibility for the initial grant of access and the appropriate termination of access. These Departments are required to provide timely notice of intended grants and terminations to the Technology Department.
Off-Site Access to PII: The Company understands that employees may need to access PII while off-site or on business travel, and access is permitted provided that the data to be accessed is minimized to the degree possible to meet business needs. Such data shall reside only on assigned encrypted laptops and approved encrypted storage devices that have been secured in advance by the Technology Department. Remote access to the network requires the use of a VPN, installed and supported by the WealthForge Technology team.
Vendors and Third Parties: The Company may share data with vendors and third parties who have a business need for PII. Where such inter-company sharing of data is required, the Technology Department is responsible for creating and maintaining data encryption and protection standards to safeguard all PII that is transmitted to vendors and third parties. Vendors include all external providers of services to the Company and proposed vendors. No PII may be transmitted to any vendor via any method unless the vendor has been pre-certified by the Legal Department for the receipt of such information.
Portable Storage Devices: In the course of doing business, PII data may also be downloaded to company-provided, encrypted laptops or other encrypted computing storage devices to facilitate Company business. To protect such data, the Company will also require that any such devices use Technology Department-approved encryption and security protection software while such devices are in use on or off Company premises. The Company has disabled the ability to export data to a portable storage device from its computers. In the case that a portable storage device is needed, the Technology Department will create an encrypted device and allow the export. After the export is completed, the ability to export will be disabled again. The Technology Department has responsibility for maintaining data encryption and data protection standards to safeguard PII data that resides on these portable storage devices.
Data Breach and Notification: Databases or data sets that include PII may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, the Company will contain the breach, conduct a forensic investigation of the breach, report the breach to appropriate state and federal agencies, and notify all affected individuals whose PII data may have been compromised. The Company will then implement controls to prevent a similar attack from occurring in the future.
Confidentiality: All Company employees must maintain the confidentiality of PII as well as Company proprietary data to which they may have access, and understand that such PII is to be restricted to only those authorized by this policy. Employees with ongoing access to such data will sign acknowledgement reminders annually attesting to their understanding of this Company requirement as part of the regular training all employees receive related to confidentiality.
Violations: The Company views the protection of PII data to be of the utmost importance. Infractions of this policy or its procedures will result in disciplinary actions under the Company’s discipline policy and may include suspension or termination in the case of severe or repeat violations. PII violations and disciplinary actions are incorporated in the Company’s PII on-boarding and training to reinforce the Company’s continuing commitment to ensuring that PII data is protected by the highest standards.
The Company requires its employees to abide by the following Confidentiality Policy, as set forth in the employee handbook:
At the Company, employees use confidential and proprietary vendor, client, and company information, systems, processes, and resources to complete their jobs. Employees are expected to use, protect, and dispose of such confidential and proprietary information and resources in accordance with WealthForge’s policies and obligations. They are not to discuss the Company’s or its clients’ affairs with, or in the presence of, persons who have no “need to know.” This includes discussions in elevators, taxicabs, restaurants, and other public places.
Each employee is required, as a condition of his or her employment, to sign an offer of employment and a Proprietary Information, Inventions and Non-Solicitation Agreement (“PIINA”) that more specifically discusses employees’ obligation to maintain confidentiality. If an employee has questions or concerns about his or her obligation to maintain confidentiality, or believes that he or she has even inadvertently disclosed the Company’s or its vendors’ or clients’ confidential information, the employee should immediately raise the concern with his or her manager or supervisor or Corporate Counsel.
Employees of the Company are expected to adhere to the Company’s Cybersecurity Framework. They must not disable, bypass, circumvent, or otherwise attempt to negate information security measures. If they discover such an attempt or an actual information security violation, they must immediately notify their manager, immediate supervisor, or HR Representative.
In order to ensure the protection of confidential or proprietary information to which employees have access, they must abide by the following Company requirements: