- What is your organization's strategy for hosting the server-side components of your application?
  - On-prem hosting - We host all server-side components of our application using on-premise physical infrastructure
  - Cloud hosting - We host all server-side components of our application using off-premise cloud infrastructure
  - Hybrid - We use a hybrid on-premise and cloud model for hosting server-side components of our application
  - Other - Please see comments
- Does your organization have a documented information security policy that has been operationalized to identify, mitigate, and monitor information security risks, including physical security when applicable, relevant to your business?
  - Yes - We have a documented policy and an operational information security program (document attached)
  - No - We have an operational information security program, but no documented policy
  - No - We have a documented information security policy, but no operational program (document attached)
  - No - We do NOT have a documented policy or an operational information security program
  - Other - Please see comments
- Does your organization have a mechanism for discovering and maintaining visibility into all network endpoints connected to your corporate and production networks?
  [NOTE: A network endpoint in this context is an asset connected to your corporate OR production network, such as a laptop or a server instance]
  - Yes - We have tools and processes that enable us to discover and maintain continuous visibility into all of our network endpoints
  - No - We have asset visibility tools deployed, but no defined process for discovering or maintaining continuous visibility into all of our network endpoints
  - No - We do NOT have tools or processes that enable us to discover and maintain continuous visibility into all of our network endpoints
  - Other - Please see comments
- Do you actively perform vulnerability scans against your employee and contractor machines (e.g. laptops) and production assets (e.g. server instances) to detect and patch vulnerabilities?
  - Yes - We actively perform vulnerability scans against all employee and contractor machines and production assets, and patch vulnerabilities using a defined SLA
  - No - We actively perform vulnerability scans against all employee and contractor machines and production assets, but we do not patch vulnerabilities using a defined SLA
  - No - We patch vulnerabilities using an ad-hoc process, but do not actively perform vulnerability scans against all employee and contractor workstations or production assets
  - Other - Please see comments
- Do you use endpoint security tools and agents to protect employee and contractor machines (e.g. laptops) and production assets (e.g. mutable server instances) against malicious code (e.g. viruses and malware)?
  - Yes - We protect all employee and contractor machines, and all production assets (e.g. mutable server instances), against malicious code (e.g. viruses and malware)
  - No - We do NOT protect all employee and contractor machines, and all production assets (e.g. mutable server instances), against malicious code (e.g. viruses and malware)
  - Other - Please see comments
- Does your organization allow employees and contractors to use their personal devices (BYOD) for carrying out their job responsibilities?
  - No - We do NOT allow employee or contractor personal devices to be used for carrying out their job responsibilities
  - Yes - We allow employee or contractor personal devices to be used for carrying out their job responsibilities, and these devices are centrally managed by us
  - Yes - We allow employee or contractor personal devices to be used for carrying out their job responsibilities, and these devices are NOT centrally managed by us
  - Yes - We allow employee or contractor personal devices to be used for carrying out their job responsibilities, but these devices do not have access to production assets, environments, or data
  - Other - Please see comments
- Does your organization have a defined process for controlling access to production assets and data?
  - Yes - We have defined processes for requesting, granting, reviewing, approving, and revoking access to production assets and data
  - No - We do NOT have defined processes for requesting, granting, reviewing, approving, and revoking access to production assets and data
  - Other - Please see comments
- Has your organization deployed strong factors of authentication (e.g. 2-factor authentication) for all critical assets?
  - Yes - We have deployed strong factors of authentication (e.g. 2-factor authentication) for all production assets
  - No - We have NOT deployed strong factors of authentication (e.g. 2-factor authentication) for all production assets
  - Other - Please see comments
- Does your organization have a defined process for building and releasing code changes to production assets?
  - Yes - We have a defined process for building and releasing code changes to production assets
  - No - We do NOT have a defined process for building and releasing code changes to production assets
  - Other - Please see comments
- Does your organization enforce the testing of code changes before they're deployed to production assets?
  - Yes - We logically enforce the testing of code changes before they're deployed to production assets
  - No - We do NOT logically enforce the testing of code changes before they're deployed to production assets
  - Other - Please see comments
- Does your organization logically enforce the review and approval of code changes before they are deployed to production assets?
  - Yes - We logically enforce the review and approval of code changes before they are deployed to production assets
  - No - We do NOT logically enforce the review and approval of code changes before they are deployed to production assets
  - Other - Please see comments
- Does your organization encrypt data-in-transit between clients and servers using TLS 1.2 or better?
  - Yes - We use TLS 1.2 or better for all client-server communications
  - No - We do NOT use TLS 1.2 or better for all client-server communications
  - Other - Please see comments
- Does your organization encrypt consumer data you receive from the Plaid API at-rest?
  - Yes - We encrypt consumer data retrieved from the Plaid API using object/column-level encryption and volume-level encryption
  - Yes - We encrypt consumer data retrieved from the Plaid API using volume-level encryption only
  - No - We do NOT encrypt consumer data retrieved from the Plaid API at-rest
  - Other - Please see comments
- Does your organization maintain a robust audit trail and logs for all material events that occur in your production assets?
  - Yes - We maintain robust audit trails and logs for all material events that occur in our production assets
  - No - We do NOT maintain robust audit trails and logs for all material events that occur in our production assets
  - Other - Please see comments
- Does your organization have monitoring and alerting mechanisms for real-time detection and triage of events that may negatively impact the security of production assets?
  - Yes - We have monitoring and alerting mechanisms for real-time detection and triage of events that may negatively impact the security of production assets
  - No - We do NOT have monitoring and alerting mechanisms for real-time detection and triage of events that may negatively impact the security of production assets
  - Other - Please see comments
- Does your organization have a defined process for detecting, triaging, and resolving security-impacting incidents?
  - Yes - We have a defined process for detecting, triaging, and resolving security-impacting incidents
  - No - We do NOT have a defined process for detecting, triaging, and resolving security-impacting incidents
  - Other - Please see comments
- Are your organization's cloud and on-prem production networks segmented based on the sensitivity of assets in those networks and their needed exposure to the open internet?
  - Yes - Our cloud and on-prem production networks are segmented based on the sensitivity of assets in each sub-network and their needed exposure to the open internet
  - No - Our cloud and on-prem production networks are NOT segmented based on the sensitivity of assets in each sub-network and their needed exposure to the open internet
  - Other - Please see comments
- Does your organization train all employees and contractors on security awareness?
  - Yes - We train all employees and contractors on security awareness during on-boarding and on an ongoing basis
  - Yes - We train all employees and contractors on security awareness during on-boarding, but not on an ongoing basis
  - No - We do NOT train all employees and contractors on security awareness
  - Other - Please see comments
- Does your organization have a defined vendor intake and monitoring process that is communicated to the company and is enforced by technical and administrative controls?
  - Yes - We have a defined vendor intake and monitoring process that is communicated to the company and is enforced by technical and administrative controls
  - No - We do NOT have a defined vendor intake and monitoring process that is communicated to the company and is enforced by technical and administrative controls
  - Other - Please see comments
- Does your organization test the overall effectiveness of your information security program using independent auditors, and perform pen-testing using independent pen-testers?
  - Yes - We test the overall effectiveness of our information security program using independent auditors, and perform pen-testing using independent pen-testers (document attached)
  - Yes - We test the overall effectiveness of our information security program using independent auditors, but we do NOT perform pen-testing using independent pen-testers (document attached)
  - Yes - We perform pen-testing using independent pen-testers, but do NOT test the overall effectiveness of our information security program using independent auditors
  - No - We do NOT test the overall effectiveness of our information security program using independent auditors, or perform pen-testing using independent pen-testers
  - Other - Please see comments
- Does your organization perform background checks on all employees and contractors?
  - Yes - Background checks are performed on all employees and contractors prior to being offered employment, and at least annually afterwards
  - Yes - Background checks are performed on all employees and contractors prior to being offered employment
  - No - Background checks are NOT performed on all employees and contractors
  - Other - Please see comments
- Does your organization obtain consent from consumers for your organization's collection, processing, and storing of their data?
  - Yes - We obtain consent directly from consumers
  - No - We do NOT obtain consent directly from consumers
  - Other - Please see comments
- Does your organization have a defined and enforced data deletion and retention policy that is in compliance with applicable data privacy laws?
  - Yes - We have a defined and enforced data deletion and retention policy that is in compliance with applicable data privacy laws (document attached)
  - Yes - We have defined and enforced terms of service that are in compliance with applicable data privacy laws (document attached)
  - No - We do NOT have a defined and enforced data deletion and retention policy or terms of service that are in compliance with applicable data privacy laws
  - Other - Please see comments
- Does your organization sell consumer data accessed through the Plaid API?
  - No - We do NOT sell consumer data retrieved from the Plaid API
  - Yes - We sell consumer data retrieved from the Plaid API
  - Other - Please see comments
- Does your organization enforce 2FA on your client-facing mobile and/or web applications?
  - Yes - We enforce 2FA using a Security Key or Biometrics
  - Yes - We enforce 2FA using Push Notification to Device (e.g. Duo Push, Google Device Prompt, or similar) or Time-based One-Time Password (e.g. Google Authenticator App or similar with rotating code)
  - Yes - We enforce 2FA using SMS-based or Email-based push OTP
  - Yes - We enforce knowledge-based MFA (MFA questions)
  - No - We don't currently enforce any type of 2FA in our client-facing application
  - Other - Please see comments
From https://dashboard.plaid.com/overview/questionnaire-start.