
iPipeline Security

Protecting our data and your data is our priority

We are a high technology business working in financial services across three continents and we understand good security is key to both our success and your success as our customer. The following paragraphs explain some of our general security practices and procedures and are for information purposes only. You should not rely on the information below for any purpose. Nothing herein is intended to be nor shall it become a supplement and/or an amendment to your master agreement with us or impose any additional obligations on iPipeline than those contained in your master agreement.

Secure People

The iPipeline security team leads the security efforts across the business. With many years of experience in information security for financial services, the team members hold globally recognized security certifications such as SANS GIAC, ISC2 and Cisco certifications, and are actively involved in industry associations such as the Information Systems Security Association (ISSA).

The security team ensures that iPipeline employees are aware of the importance of security and how to keep our business operations and our customers' data secure. iPipeline employees attend security awareness sessions as part of new employee on-boarding and training continues through regular multiple-channel communications updates on key security news items and issues of the day. The security team distributes monthly security bulletins and holds an annual global Security Awareness Week each October.

To meet our obligations around compliance with data protection and privacy laws, all employees complete mandatory annual security training, either online or through a series of Lunch & Learn sessions, focused on the requirements of legislation in that region. For example, European employees receive European Data Protection awareness training and US employees receive HIPAA awareness training. We also test our employees' knowledge and behaviors regularly through Phishing tests and employee surveys to measure the success of our awareness efforts.

Our security team is guided by the Global and Regional Security Committees, which meet every quarter and include representation from the Executive Board and heads of the R&D, IT, Network Operations, Customer Support and Human Resources departments.

Secure Processes

Security plays a part in every operational process at iPipeline - across initial architecture design, data handling, system configuration, code release and application and system maintenance and upgrades.

We operate an Information Security Management System (ISMS) built on ISO27001 principles led by the Global Security Committee. All employees are bound by a comprehensive set of clear Information Security Policies and Processes – structured in a hierarchy of Global Policy and related Regional Policies and Procedures relevant to secure operations and compliance in each region (North America, Europe and Asia).

Risk management plays a key role in maintaining our security posture and directing security resources and effort effectively. The iPipeline Risk Management Framework is aligned with our ISMS and is used to manage security risk, IT risk and commercial risk across the various parts of the business.

Our policies and processes are based on the ISO27001 framework, informed by the requirements of HIPAA, PCI DSS, State Privacy Laws, European Data Protection as well as the SANS Top 20 Critical Security Controls and the OWASP Top 10 Critical Web Application Security Risks.

Secure Technology

iPipeline designs and implements security controls through a combination of risk assessment, customer requirement and gold security practice.

  • Secure Hosting – iPipeline only co-locates at data centres from suppliers with robust physical security and access controls, environmental, power and network controls, certified to recognised industry standards such as ISO27001 and SOC2.
  • Disaster Recovery & High Availability – iPipeline architects highly available solutions at software, hardware, network and geographical levels. We publish our monthly uptime on our website at https://www.ipipeline.com/sla. Every production data centre has a geographically remote disaster recovery site, linked by real time data mirroring.
  • Secure Backups – iPipeline's backup mechanisms are robust, encrypted and located remotely so data is never lost during a business interruption or a security incident.
  • Secure Networks – iPipeline’s entire Internet-facing infrastructure is protected by industry-standard firewalls and load balancers. We deploy intrusion detection and prevention systems to detect and react to security threats and our networks are tested regularly by in-house and external security auditors.
  • Secure Systems – Whenever iPipeline deploys a system it should meet a secure configuration level – fully patched, systems and applications locked down and running the latest anti-malware controls. Our code is tested through static and dynamic code analysis tools as well as vulnerability scans.
  • Security Audits – iPipeline's entire external infrastructure is security scanned regularly from the Internet, including a quarterly ASV scan for PCI compliance where required. External third parties are engaged regularly to conduct application and infrastructure tests against us.

Security Compliance

iPipeline operates its business and writes applications to comply with all privacy and data protection legislation that applies to iPipeline in the regions where we operate. The iPipeline security team works closely with our legal partners to identify and keep track of compliance requirements.

In North America, we maintain compliance with HIPAA legislation and state privacy laws and in Europe, we comply with the European Data Protection laws and European Cookie Directive. In Japan, we are guided by the Act on the Protection of Personal Information (APPI).

Our iGO®, AMS, DataView and DocFast products are AT 101 SOC2 Type 2 certified and our AFFIRM product is SSAE16 SOC1 certified.

iGO SaaS and DocFast are also Level 4 PCI DSS certified to Payment Card Industry standards.

A detailed iPipeline Security White Paper is available upon request.  
Please contact marketing@ipipeline.com to request a copy.