Security
Safeguarding your confidential information takes a multi-pronged approach. From SOC 2 compliance, to transport encryption, to transparent encryption/decryption of data at rest, to data sanitization and validation and more, we're putting our best foot forward.
SOC 2 Compliance
SOC stands for Service Organization Controls. A SOC 2 report is a report that service organizations receive that demonstrates that certain IT controls are in place to secure the services provided. A SOC 2 report is audited by a qualified third party CPA firm. E-File Magic has undergone a successful SOC 2 audit.
E-File Magic has demonstrated adherence to various Trust Service Criteria (TSC). These criteria are largely focused on operational and technical controls E-File Magic has in place to help safeguard confidential information and maintain a secure operating environment while performing the services you request. Trust Service Criteria is broken down into a number of major categories, including:
- Security: Protection against unauthorized access, disclosure, or system damage that could compromise information or system availability, integrity, confidentiality, and privacy
- Availability: Information and systems are available for operation and use according to the company’s objectives
- Processing integrity: Complete, valid, accurate, timely, and authorized system processing
- Confidentiality: Appropriate protection over data designated confidential
- Privacy: Collection, use, retention, disclosure, and disposal of personal information meets company objectives.
Data Encryption
When you create Filers/Companies and Recipients, sensitive information such as Tax ID, Name, Address, etc are encrypted using the AES algorithm with 256-bit keys (AES-256). Each customer(what we call a Registrant in our system) is provisioned a unique set of encryption keys that differ from Registrant to Registrant. Additionally each users password is hashed using a key derivation function with a high cost (iteration) count.
E-File Magic utilizes three layers of encryption technology to protect sensitive information. First we encrypt data at the HTTP(transport) layer. Second, we encrypt the storage volumes(the operating system hard drives, if you will) on our primary compute cluster and backup snapshots. Third, we utilize encryption at the application layer. We employ both asymmetric and symmetric approaches to encryption to ensure information can be selectively shared, while inhibiting the need to store unencrypted encryption keys in our database or config files that can unlock sensitive information. Many of our competitors in the industry utilize two of these approaches, transport encryption, and storage volume/drive encryption, but employ limited use of application layer encryption. To effectively utilize application layer encryption it requires significant diligence in the design of the software, from initial development through launch, to allow for seamless functionality while working to maintain the integrity and security of the information; in short, it's not necessarily easy to do.
Additionally, E-File Magic is actively working to employ encryption at the application layer throughout it's software, going beyond encryption of many Recipient and Filer fields specifically. Many of our competitors claim to encrypt information at the application layer, but appear to take a minimalist approach in doing so by only encrypting fields like Tax Identification(SSN, EIN, ATIN,etc). We do not view the approach of "minimal data" encryption employed by many competitors as sufficient. Today E-File Magic is likely already exceeding many competitors in this regard by a significant margin and has been doing so for many years. We encrypt over fifty unique sensitive form related data points, in addition to a myriad of other data points throughout the system and we are actively expanding on this.
Transport Encryption
We use only High Grade (TLS 1.2) transport encryption for securing your web browser session to both our website and our cloud software application. Using High Grade encryption helps ensure that your connection cannot be intercepted and decoded or eavesdropped on while in transit between our servers and your computer. If you're reading this, it means your browser supports high grade encryption. You cannot access our website or our app without encryption enabled.
Storage Volume Encryption
The storage volumes that house our computer cluster and cloud database employ Storage Volume Encryption. Information is transparently encrypted/decrypted prior to writing/reading data from the physical storage devices utilized by our systems on Amazon Web Services.
Data Validation/Sanitization
We sanitize information and strip potentially malicious data from all input fields on our website and our cloud software application. We further validate each field's information to ensure it meets our programmatic expectation for insertion into our database.
Parameterized Statements
We exclusively utilize parameterized statements when inserting/retrieving/updating/deleting information that contains variable user defined input from/to our database. This prevents SQL injection attacks, which in the 2013 OWASP Top 10 was ranked number one in application security flaws.
Compliant Hosting Environment
Our servers run SELinux in enforcing mode hosted on AWS (Amazon Web Services). Amazon infrastructure was designed and is managed in alignment with the following regulations, standards, and best practices including: HIPPA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, MTCS Tier 3, FedRAMP (SM), DIACAP and FISMA, ITAR, FIPS 140-2, CSA, MPAA. You can read more about Compliance in the Amazon AWS infrastructure by visiting the AWS Compliance site.
Compliant Print & Mail Processing Facility
The facilities we use for Printing & Mailing your forms passed an SSAE 16 Type II audit and works with businesses in the Financial, Healthcare, Tax and other industries that handle sensitive information.
Multi-Factor Authentication
We support Multi-Factor authentication to add an extra layer of security to your account. Multi-factor authentication requires at least two independent authentication factors. E.G. something you know (your password), and something you possess (a secret code on your smart phone). Essentially once you enable this feature in your profile, we provide you with a QR code you can scan with your smart phone using Google Authenticator (or similar). Once scanned a code will be available in the Google Authenticator app that rotates every thirty seconds. You will be required to type in your E-Mail Address, your Password, AND this six digit code when you login. This helps keep you safe in the event somebody with malicious intent gets a hold of your e-mail address and password. Without your smart phone too, they would be unable to access your confidential data.
Content Security Policy (CSP)
E-File Magic servers issue a defined Content Security Policy to modern web browsers, like Chrome, Edge, and Safari that support enforcement of CSP instructions(via server headers) client side. This allows E-File Magic to provide your browser with a set of rules that define the type of information and location in which your browser can load certain resources(like connecting to other sites or accessing JavaScript programs) when accessing www.efilemagic.com and app.efilemagic.com. A CSP helps to detect and mitigate certain types of attacks, such as Cross Site Script(XSS) and data injection attacks. You can read about Content Security Polices by clicking here.
Amazon Web Application Firewall with Managed Rules
Our servers operate in a Amazon Web Services environment and we have configured AWS WAF to inspect certain traffic transiting our Load Balancers using both Amazon managed rules and other third party managed rules. AWS WAF can help assist in mitigating common web exploits and attacks against our servers. You can read more about AWS WAF here.
Strict Transport Security
We employ Strict Transport Security headers issued from our servers to your Web Browser. These headers instruct your web browser that the site should only be accessed via an HTTPS(an encrypted HTTP session) connection. You can read more about HTTP Strict Transport Security here.