Fluid Financial, Inc. (“Fluid”, the “Service”) is committed to maintaining the confidentiality, integrity and security of our customer’s personal information and related financial transaction data. This policy specifies our approach to security and the commitments we make to our customers. This policy is designed to meet the standards specified by the privacy rule and the safeguards rule promulgated under the Financial Services Modernization Act (FSMA)/GrammLeachBliley Act (GLBA); and the standards for personal data protection of the FFIEC EBanking guidelines.
To respect and maintain the privacy of our customers, Fluid maintains a clear privacy notice that is provided to all customers (see appendix A). Fluid implements the appropriate administrative, technical and physical controls to ensure that it adheres to all promises and commitments stated within its privacy notice.
Privacy Notice
Fluid provides privacy notices to consumers and customers as required under the GrammLeachBliley Act (“GLBA”). The privacy notice describes Fluid’s information collection and sharing practices, along with information about how the individual may “opt out” of certain types of information sharing as provided under GLBA. The notice also provides information about how consumers and customers can contact Fluid with any inquiries or complaints.
Collection and Use
Fluid has an obligation to ensuring that collection and use of personal information is limited to that which is relevant and appropriate for legitimate business purposes and is consistent with any privacy notices provided. Personal information shall be properly maintained to ensure that it is accurate, complete, and current. Information is only shared internally and with third parties as permitted by the privacy notice and by law.
In order to protect the personal information provided by our clients, Fluid maintains an information security program that implements the administrative, technical and physical controls necessary to protect the security, confidentiality and integrity of our customer’s personal information. Our security program consists of the following elements:
Management Ownership
Fluid has a designated information security director who is responsible for the overall management of the information security program and coordinates the implementation of all required security controls.
Risk Based Approach
For the business processes and applications that store, transmit, or process personal information, Fluid identifies and assesses the relevant risks to that information. Based on the risks identified, and taking into consideration the risk probability and risk impact, we then implement, monitor and test security controls to sufficiently mitigate risk. Risk assessments are conducted at least annually to identify changes to our risk posture and our information security controls are updated as required.
Security of Third Party Providers
All third party service providers utilized by Fluid undergo a risk assessment process. Service contracts require providers to implement security controls as appropriate for the services they provide and the data they store or process.
In line with this requirement, Fluid hosts its servers within data centers that have achieved ISO 27001 certification and have been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Our data centers undergo annual SOC 1 audits and have been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems.
Fluid has developed a set of overarching security controls based upon the primary risks to our customer’s personal information. These security controls may be enhanced for certain applications to address applicationspecific risks.
Identity and Access Management
Employee and Administrative Access
- Fluid maintains tight control over any workforce member (employee, consultant, contractor, third party) that has access to applications that store or process customer personal information. Workforce members are only granted access in accordance with the following principles:
• Least Privilege: Access is granted with an appropriate business justification and with only the minimum access rights necessary to perform the job function.
• Separation of Duties: Where appropriate and technically feasible, access privileges are disseminated among multiple users so as to reduce the risk of fraud and errors.
Remote access
- Remote administrative access to any application that stores or processes personal information is controlled using twofactor authentication where technically feasible.
User Authentication
- Users are authenticated using a password. Passwords are required to be at least eight characters in length and must contain at least one number or symbol character (nonalphanumeric).
- User accounts are temporarily suspended after six unsuccessful login attempts and the user is notified via email.
- Passwords are securely stored as per OWASP application development guidelines.
- Passwords are reset by emailing the user a password reset link.
Secure Application Architecture and Development
- Fluid software is developed using commonly accepted security standards and secure code development practices such as those specified by the Open Web Application Security Project (OWASP).
- Fluid services are securely architected by placing Internet facing components (such as web servers) within security zones separate from internal components (such as application and database components). Communications between components are restricted via firewalls and routers to only traffic necessary for providing Fluid services
Secure Data Transmission and Storage
- Fluid software is designed such that all transmission of personal information or financial transaction information is secured using Secure Socket Layer (SSL) technology.
- Personal information and financial transaction information are stored using at least 256bit AES encryption or an equivalent standard.
Security Monitoring
- Fluid services are actively monitored using antivirus and intrusion detections software in order to detect malicious code and anomalous activity.
Data Backup and Retention
- All data is regularly backed up to secure against unintentional deletion. A portion of backups are stored at an offsite location to secure against environmental dataloss events.
Fluid is committed to maintaining the confidentiality, integrity and security of any personal information about our users. This notice explains the type of personal information we collect, the purpose for its collection and how we protect personal information. “Personal information,” for the purposes of this policy, means information that identifies you (such as your name, address, phone number, email address) or otherwise associated with your account (such as banking and financial information).
Personal Information Collection
We collect the following types of personal information via our website as provided by you:
- Contact information such as name, address, mailing address, phone number and email address.
- Identity information such as your Social Security Number (SSN).
- Employment information such as your Employer name and Employer Identification Number (EIN).
- Financial information such as your bank name, routing number and account number.
- Data required for processing of work contracts such as work delivery dates and amounts due.
Fluid does not collect personal information about you from third parties other than those stated.
Information Sharing
Fluid does not and will not sell or rent your personal information to anyone, for any reason, at any time. Fluid will use and disclose your personal information only as follows:
- To fulfill the agreed upon service such as processing of contracts, invoices and payments. This may require providing your information to certain financial institutions (for example, your bank) in order to process payment transactions.
- To deliver to you any administrative notices and communications relevant to your use of the Service.
- To retrieve credit history and risk profile from credit reporting agencies.
- To fulfill your requests for certain products and services.
- For market research, project planning, troubleshooting problems, detecting and protecting against error, fraud and other criminal activity.
To thirdparty contractors that provide services to Fluid and are bound by these same privacy and security restrictions.
We may also disclose your personal information as permitted and required by law, such as to comply with a subpoena or to investigate fraud.
User Access and Choice
At any time, you may correct or update your personal information via the Fluid website
We will retain your personal information for as long as your account is active or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes and enforce our agreements.
We may use your information to notify you of new or additional services. Out of respect for your privacy, you may opt out of any marketing emails by following the unsubscribe instructions included in these emails.
Security
Fluid takes the security of your personal information very seriously. When you enter your personal information via the Fluid website, we encrypt the transmission using secure socket layer (SSL) technology. Further, the information is stored encrypted on our servers as well as protected with generally accepted physical, technical and administrative controls. No method of data transmission or storage is 100% secure, however. Therefore, we cannot guarantee its absolute security. If you have in questions regarding this, please contact us at [email protected].
Last updated: June 20, 2020