Our commitment to Data Security
uConfirm® provides an online system that facilitates the exchange of employment and income verification data between subscribing employers and third-party verifiers. Clients authorize uConfirm to fulfill verification requests for data on current and former employees using a secure online process. Verifiers include, but are not limited to, lenders, background screeners, property managers and social service agencies.
Subscribing employer clients refer verifiers to www.uconfirm.com, where they submit requests to verify employment and, in some cases, income data for a specific employee. A processing fee is collected and uConfirm fulfills the request utilizing data provided by the client. The verifier views the completed request online. All activities are completed in a secure, password-protected and encrypted environment.
uConfirm is sensitive to the nature of the data that we retain and takes the security of the information very seriously. A sound and robust data security system has been implemented. Systems are continually managed and updated in order to prevent unauthorized access to confidential data. uConfirm’s systems meet or exceed industry security standards. Our systems were designed specifically to securely process employment verifications. This core focus allows us to maintain systems with reduced complexity and fewer moving parts, leading to more control over management of sensitive employee data. The purpose of this document is to summarize the approach we take to protect confidential data.
Comprehensive security policies have been developed, documented and approved by management. They include a business continuity disaster recovery plan, incident response plan and best practice policies for handling confidential data.
Use of Data
uConfirm does not leverage employee data in order to seek revenues in other lines of business or overlay the information we retain outside of the intended business use of the contracted services. We also do not profit from or use employee data in any type of analytical services sold to the financial services industry.
All information stored at rest in the database is encrypted using a secure symmetric algorithm. Encryption is performed at the field level and all encryption/decryption is done within our custom application and not on the database servers. This process ensures all data is encrypted in transit to and from the database, that no clear text data is recorded in the database transaction logs, and that even individuals with direct access to the database cannot read sensitive information. Web application traffic is encrypted with TLS (HTTPS). Weak protocols (like SSL) and ciphers (like RC4) have been disabled at the server level.
Data Storage and Protection
Confidential data is stored in SSAE 16 Type II certified data centers with strong physical security controls such as key cards, biometric authentication, security patrols and closed circuit video, supported by 24×7 monitoring to ensure that building access is limited to authorized personnel only. Redundant power distribution units, back-up generators and environmental controls are used. Next-generation network firewalls (NGF) filter all traffic to necessary ports and restrict all others to prevent unauthorized intrusion. The NGF performs real-time virus prevention, intrusion prevention, and website blocking and filtering to limit exposure to external threats. An advanced web application firewall (WAF) service provides intrusion detection and prevention: its detection technology scans all incoming traffic to our data centers and blocks threats in real time before they can reach our servers. The WAF also performs outgoing traffic analysis for detection and blocking of rootkits and backdoors. A globally distributed content delivery network system provides real-time failover and protects against large-scale distributed denial of service (DDoS) attacks.
This summary is intended only to provide a general overview of uConfirm’s commitment to data security. During the vendor review and setup process, uConfirm will provide more specific details on all aspects of our security infrastructure.