Security and confidentiality
Our mission at Secfi is to help startup employees and shareholders understand, maximize and unlock the value of their equity. At the heart of this is trust and transparency — you should trust us to keep your data safe. And you should know exactly how we’re doing that. As we describe in our Privacy Policy, we don't collect and use your information for anything other than providing the services we offer. Here is how we protect the data we do collect, and our systems that store that data.
Data encryption
Any data uploaded to Secfi is stored in an encrypted database while at rest. Any time your data is “in transit,” it is encrypted over HTTPS, the industry standard for secure internet transactions. This means we take steps to secure the data you send to and from Secfi, even if your network is not secure, such as when you’re on a public Wi-Fi network.
Access controls
We employ Amazon Cognito, an identity authentication platform, which is designed to ensure our users’ login credentials are protected and secure. Access to our servers is tightly controlled, and we keep audit logs of all issued commands.
Infrastructure and system security
Secfi provides services from ISO 27001 and PCI DSS compliant AWS data centers. We implement the following security measures that are designed to protect our servers from attacks and abuse:
We configure restrictive firewalls and require secure log-in practices in an effort to harden our servers.
Our staff is required to encrypt their hard drives, use strong passwords and enable screen locking.
We run regular vulnerability scans and use independent auditors for external penetration tests.
We send you emails only from secfi.com addresses, and we have set up DMARC reject mode to make it hard for bad actors to send phishing emails from our domain.
Credentials and trust
We are a FINRA-licensed broker-dealer.
We are an ERA regulated by the Securities and Exchange Commission.
Each of our Equity Strategists has all necessary licenses (SIE, Series 7, and Series 63 licenses from FINRA).
We only work with large institutional investors with a long track record and proven history.
How you can help
Always check the identity of the email sender: we use only the @secfi.com domain for our communication. If you receive an email from a different domain claiming to be from Secfi, let us know by forwarding it to hello@secfi.com. Do not respond to the sender, and let us take it from there.
We will never ask you for your password except when you register for or sign on to your account, or when you change your password, on our secfi.com website.
Use a unique password for your account at Secfi. Reusing passwords increases the likelihood of a third party gaining unauthorized access to your account.
Use a password manager to store your unique, long and randomized password. Two of the most popular managers are 1Password and LastPass.
Keep your password confidential and don't share it with anyone else. This decreases the likelihood that the password will get into the hands of a bad actor.
Bug bounty program - Temporarily paused
As part of our work in protecting our customers, partners, assets and good reputation from digital threats, Secfi welcomes security researchers and whitehat hackers to review our public-facing defenses with an objective and professional eye to identify potential vulnerabilities and improve the overall security level of our platform. Please report any vulnerabilities to security@secfi.com. Kindly note that our bug bounty program is temporarily paused while we are preparing for an upcoming pentest. We will update this page once our bug bounty program recommences.
The bug bounty program, including any rewards offered in connection therewith, is applicable only to security vulnerabilities. If you want to report a functionality bug, please use either the Intercom messaging tool on the website or the following email address: hello@secfi.com.