LoginAbout Compound

Compound Security Overview

Introduction

Compound’s users and clients trust us with their most sensitive financial data. We take the security of this data extremely seriously. Compound is hosted using comprehensively hardened and secure infrastructure-as-a-service (IaaS) platforms like Amazon Web Services. 

Product Security

Authentication

Compound only allows authentication from Google Accounts and Google Workspace (formerly GSuite) to the Compound Dashboard. Compound does not store any passwords. 

Encryption

Our client data is encrypted in transit and at rest. All files stored in Compound's internal vault are in an encrypted bucket in S3. All server-sent events use the SSE-S3 key bucket key to encrypt data. In addition to other data-protection methods, each object is encrypted with a unique key, which is itself encrypted with a key that is rotated regularly. Additional details are available here.

Physical Security

Compound production data is processed and stored within world-renowned data centers that use state-of-the-art multilayer access, alerting, and auditing measures.

System Security

Servers and Networking

Our web servers encrypt data in transit using the industry standard for HTTPS security (TLS 1.2) so that requests are protected from eavesdroppers and man-in-the-middle attacks. Our SSL certificates are 256-bit RSA, signed with SHA256.

Storage

All persistent data is encrypted at rest using industry-standard AES-256 algorithms.

Operational Security

Employee Training

All Compound employees are trained on security best practices and awareness during onboarding. Ongoing and continuous phishing tests are conducted on a monthly and quarterly basis to ensure employees are implementing best practices. 

Employee Access

We use Google account infrastructure to verify employee account identity and require the highest level of security available (such as two-factor authentication) for apps that access critical infrastructure or customer data. All employee contracts also include a confidentiality agreement that keeps your information both private and secure.

Service Levels, Backups, and Recovery

Compound’s infrastructure uses multiple and layered techniques for increasingly reliable uptime, including the use of load balancing and task queues. Compound uses highly redundant data stores, rapid recovery infrastructure, and point-in-time backups that make an unintentional loss of customer data very unlikely.

Server and Client Hardening

Compound servers use AWS-managed infrastructure which utilizes firewalls to restrict system access from external and internal networks, DDoS attacks, spoofing, sniffing, and port scanning. Request-handling code paths have frequent user re-authorization checks, payload size restrictions, rate-limiting where appropriate, and other request verification techniques. All requests are logged and searchable by security-trained operations staff.

The Compound app uses multiple techniques to ensure that requests are secure and authentic, including XSS and CSRF protection, signed and encrypted user authentication cookies, and timed session expiration.

Customer Payment Information

We use Stripe for credit card payment processing and do not store any credit card information. Stripe is a trusted, Level 1 PCI Service Provider, the most stringent level of certification available in the payments industry.