Security
Last Updated: June 1, 2025
At AMORTISYS, the security of your data is our top priority. We apply industry-leading practices to protect every piece of information entrusted to us by brokers, their clients, and partner organizations.
1. Data Encryption
All data transmitted between your browser and our servers is encrypted using TLS 1.2 / 1.3 with 256-bit cipher suites. Data at rest is encrypted using AES-256, so your sensitive mortgage and client information is protected both in transit and on disk.
2. Infrastructure Security
- Hosted on enterprise-grade cloud infrastructure with physical access controls and 24/7 monitoring.
- Network-level firewalls and intrusion detection systems (IDS) guard against unauthorized access.
- Regular automated vulnerability scans and penetration tests are conducted by third-party security firms.
- Database servers are isolated in private network segments with no public internet exposure.
3. Application Security
- All user passwords are hashed using industry-standard algorithms (BCrypt / PBKDF2); plaintext passwords are never stored.
- Multi-factor authentication (MFA/TOTP) is available for all user accounts and strongly recommended.
- Role-based access control (RBAC) ensures users can only access data appropriate to their role.
- Session tokens are short-lived and rotated on privilege changes.
- All user actions that modify sensitive records are captured in a tamper-evident audit log.
- Protection against OWASP Top 10 threats: SQL injection, XSS, CSRF, and others are addressed through framework-level controls and code review.
4. Access Controls & Employee Practices
- Access to production systems is restricted to a small number of authorized engineers with documented need.
- All access is authenticated via MFA and logged.
- Employees undergo security awareness training and background checks.
- The principle of least privilege is enforced across all internal systems.
5. Business Continuity & Disaster Recovery
- Automated daily backups with point-in-time restore capability.
- Backups are stored in geographically separate regions.
- Recovery Time Objective (RTO) of less than 4 hours; Recovery Point Objective (RPO) of less than 1 hour.
6. Incident Response
We maintain a formal incident response plan. In the event of a confirmed data breach that affects your personal information, we will notify affected users and the relevant regulators within 72 hours of discovery, in accordance with PIPEDA and applicable provincial privacy laws.
7. SOC 2 Readiness
AMORTISYS is actively working toward SOC 2 Type II certification. Our controls are designed and operated to meet the Trust Services Criteria for Security, Availability, and Confidentiality.
8. Responsible Disclosure
We welcome reports from security researchers. If you believe you have discovered a vulnerability in AMORTISYS, please contact us at security@AMORTISYS.com. We commit to acknowledging reports within 48 hours and providing a remediation timeline.
Questions about our security practices? Contact us at security@AMORTISYS.com.