Security and Audit
Debitura's security practices, compliance frameworks, and audit capabilities to protect your data and ensure regulatory compliance.
Security Overview
Debitura implements enterprise-grade security measures to protect sensitive financial and personal data.
Core Security Principles
- Defense in depth - Multiple security layers
- Least privilege - Minimum necessary access
- Zero trust - Verify every access request
- Encryption everywhere - Data protected at rest and in transit
- Continuous monitoring - 24/7 threat detection
Data Encryption
Encryption at Rest
Database encryption:
- AES-256 encryption for all databases
- Encrypted backups
- Encrypted file storage
- Key rotation every 90 days
Sensitive data:
- API keys hashed with bcrypt
- Passwords never stored in plain text
- PII encrypted with field-level encryption
- Financial data in encrypted storage
Encryption in Transit
TLS/SSL:
- TLS 1.3 for all API communications
- 256-bit SSL certificates
- Perfect forward secrecy
- HSTS enforced
API security:
- HTTPS only (no HTTP)
- Certificate pinning available
- Strong cipher suites only
- Legacy protocol rejection
Authentication & Access Control
API Authentication
API key security:
- Unique keys per environment (sandbox/production)
- Scoped permissions
- Automatic expiration (configurable)
- Revocable instantly
Best practices enforced:
- Keys transmitted securely only
- No keys in URLs or logs
- Rate limiting per key
- Suspicious activity monitoring
Portal Authentication
Multi-factor authentication (MFA):
- Required for production access
- TOTP-based (Google Authenticator, Authy)
- SMS backup codes
- Recovery codes provided
Password requirements:
- Minimum 12 characters
- Complexity requirements enforced
- Password expiry (90 days)
- Breach detection integration
- No password reuse
Session management:
- Secure session tokens
- 30-minute inactivity timeout
- Concurrent session limits
- IP address validation
Role-Based Access Control (RBAC)
User roles:
- Owner - Full account access
- Admin - Management permissions, no billing
- Developer - API access, read-only portal
- Finance - Payout and reporting access only
- Support - Read-only case access
- Custom - Configurable granular permissions
Permission model:
- Resource-level permissions (cases, webhooks, etc.)
- Action-level controls (read, write, delete)
- IP allowlisting for sensitive operations
- Audit logging of all access
Compliance & Certifications
Regulatory Compliance
GDPR (General Data Protection Regulation):
- Data processing agreements
- Right to erasure (data deletion)
- Data portability
- Privacy by design
- Breach notification (72 hours)
- Data protection officer appointed
PCI DSS (Payment Card Industry):
- Level 1 Service Provider certified
- Annual audits
- Secure cardholder data handling
- Network segmentation
- Vulnerability management
SOC 2 Type II:
- Annual audits by independent assessors
- Security, availability, and confidentiality controls
- Reports available to enterprise customers
ISO 27001:
- Information security management system
- Regular recertification
- Continuous improvement process
Industry-Specific Compliance
Debt collection regulations:
- FDCPA compliance (US)
- EU Consumer Credit Directive
- Local jurisdiction requirements
- Ethical collection practices
Financial regulations:
- AML (Anti-Money Laundering)
- KYC (Know Your Customer)
- CTF (Counter-Terrorism Financing)
- Client money protection rules
Data Privacy
Personal Data Handling
Data minimization:
- Collect only necessary information
- Purpose limitation enforced
- Retention policies defined
- Automatic data purging
Data subject rights:
- Access requests (within 30 days)
- Rectification of incorrect data
- Erasure ("right to be forgotten")
- Data portability
- Objection to processing
- Restriction of processing
Privacy controls:
- Consent management
- Purpose tracking
- Legal basis documentation
- Cross-border transfer safeguards
Data Residency
EU data residency:
- EU customer data stored in EU
- GDPR-compliant processing
- Standard contractual clauses for transfers
Multi-region support:
- Regional data centers available
- Data sovereignty options
- Compliance with local laws
Audit Capabilities
Activity Logs
All actions logged:
- User logins and authentication
- API requests and responses
- Case status changes
- Payment and payout transactions
- Configuration changes
- Permission modifications
Log retention:
- 7 years for financial transactions
- 3 years for operational logs
- 1 year for debug logs
- Immutable audit trail (tamper-proof)
Log access:
- Via portal (filtered views)
- Via API (programmatic access)
- Export to SIEM systems
- Real-time streaming available
Audit Reports
Pre-built reports:
- User activity summary
- API usage statistics
- Case lifecycle audit trail
- Payment reconciliation
- Permission changes
- Failed authentication attempts
Custom reports:
- Filter by user, date, action type
- Export formats: PDF, CSV, JSON
- Scheduled report delivery
- API integration available
Vulnerability Management
Security Testing
Regular assessments:
- Penetration testing (quarterly)
- Vulnerability scanning (continuous)
- Code security reviews
- Dependency scanning
- Third-party security audits
Bug bounty program:
- Responsible disclosure policy
- Rewards for valid vulnerabilities
- Public acknowledgment (opt-in)
- Coordinated disclosure timeline
Incident Response
Security incident process:
- Detection - Automated monitoring and alerts
- Containment - Immediate threat isolation
- Investigation - Root cause analysis
- Remediation - Fix and deploy patches
- Communication - Notify affected parties
- Post-mortem - Lessons learned and improvements
Communication SLAs:
- Critical incidents: 1 hour notification
- High severity: 4 hours notification
- Medium/Low: 24 hours notification
- GDPR breaches: 72 hours notification
Infrastructure Security
Network Security
Perimeter protection:
- Web application firewall (WAF)
- DDoS protection
- Intrusion detection/prevention (IDS/IPS)
- Rate limiting and throttling
Internal security:
- Network segmentation
- Private subnets for databases
- VPC isolation
- Bastion hosts for administrative access
Application Security
Secure development:
- Secure coding standards
- Code review requirements
- Static analysis (SAST)
- Dynamic analysis (DAST)
- Dependency vulnerability scanning
Runtime protection:
- Container security
- Secrets management (HashiCorp Vault)
- Least privilege execution
- Immutable infrastructure
Business Continuity
Backup & Recovery
Data backups:
- Continuous replication
- Daily snapshots
- Geo-redundant storage
- 30-day retention
- Point-in-time recovery
Disaster recovery:
- RTO (Recovery Time Objective): 4 hours
- RPO (Recovery Point Objective): 15 minutes
- Failover to secondary region
- Regular DR drills (quarterly)
High Availability
Uptime commitment:
- 99.9% SLA
- Multi-region deployment
- Auto-scaling capabilities
- Load balancing
- Health monitoring
Third-Party Security
Vendor Management
Vendor assessment:
- Security questionnaires
- SOC 2 / ISO 27001 verification
- Annual reviews
- Contractual security requirements
Data processor agreements:
- GDPR-compliant DPAs
- Sub-processor disclosure
- Security obligations
- Audit rights
Integration Security
API security:
- OAuth 2.0 support
- Webhook signature verification
- IP allowlisting
- TLS mutual authentication (mTLS)
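Webhook signature verification in practice, as an added example that is not Debitura's own code: the page only states that webhook signatures are verified, so the header names, the "timestamp.body" signing string, HMAC-SHA256 and the five-minute freshness window are all assumptions to be replaced with the scheme documented in the webhooks guide. The points it demonstrates hold for any HMAC scheme: sign the raw bytes, compare in constant time, and bound the timestamp so a captured delivery cannot be replayed.

```python
"""Verifying an incoming webhook delivery before trusting its payload.

Added example, not Debitura's own code. The page only states that webhook
signatures are verified; the header names, the "<timestamp>.<raw body>"
signing string, HMAC-SHA256 and the 5-minute freshness window below are
assumptions, so adapt them to the scheme documented in the webhooks guide.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional

SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed header name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"  # assumed header name
MAX_SKEW_SECONDS = 300                    # assumed replay window

# Constructed sample values for the demonstration below.
SAMPLE_SECRET = b"whsec_constructed_sample_secret"
SAMPLE_BODY = b'{"event":"case.updated","case_id":"case_123","status":"paid"}'


def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" (what the sender attaches)."""
    message = str(timestamp).encode("ascii") + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def make_headers(secret: bytes, timestamp: int, raw_body: bytes) -> Dict[str, str]:
    """Build the headers a sender would attach; used here to construct sample deliveries."""
    return {
        TIMESTAMP_HEADER: str(timestamp),
        SIGNATURE_HEADER: sign(secret, timestamp, raw_body),
    }


def verify_webhook(secret: bytes, headers: Dict[str, str], raw_body: bytes,
                   now: Optional[int] = None) -> bool:
    """Return True only if the signature matches and the timestamp is fresh.

    Sign the raw request bytes rather than a re-serialised JSON object, so
    whitespace or key-order differences cannot break verification; compare
    with hmac.compare_digest so the match position is not leaked via timing;
    reject stale timestamps so a captured delivery cannot be replayed later.
    """
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers[TIMESTAMP_HEADER])
        provided = headers[SIGNATURE_HEADER]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, timestamp, raw_body)
    return hmac.compare_digest(expected.encode("ascii"), provided.encode("utf-8"))


if __name__ == "__main__":
    ts = int(time.time())
    headers = make_headers(SAMPLE_SECRET, ts, SAMPLE_BODY)
    print("genuine delivery:", verify_webhook(SAMPLE_SECRET, headers, SAMPLE_BODY))
    print("tampered body:  ", verify_webhook(SAMPLE_SECRET, headers, SAMPLE_BODY + b" "))
    print("replayed later: ", verify_webhook(SAMPLE_SECRET, headers, SAMPLE_BODY, now=ts + 3600))
```

Call `verify_webhook` on the exact bytes read from the request socket, before any JSON parsing, and treat a `False` result as a request to drop silently rather than as an error that reveals which check failed.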
Third-party integrations:
- Reviewed for security risks
- Sandboxed execution
- Limited permissions
- Regular re-certification
Security Best Practices for Users
For API Integrations
- Protect API keys - Never commit to version control
- Use environment variables - Store keys securely
- Rotate keys regularly - Every 90 days minimum
- Implement IP allowlisting - Restrict key usage
- Monitor API usage - Detect anomalies
- Use HTTPS only - Never transmit keys over HTTP
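The key-handling rules above turned into client-side checks, as an added example that is not Debitura's SDK: the environment variable names, the Bearer header scheme and the example host are assumptions; the 90-day rotation interval is the one the page states. It loads the key from the environment, refuses plain HTTP and keys embedded in a URL, masks the key before anything is logged, and flags a key that is past its rotation date.

```python
"""Client-side API key hygiene covering the practices listed above.

Added example, not Debitura's own SDK. The environment variable names, the
Bearer header scheme and the example host are assumptions; the 90-day
rotation interval comes from the page.
"""
import os
from datetime import date, timedelta
from typing import Dict, List, Mapping, Optional, Tuple
from urllib.parse import urlsplit

KEY_ENV = "DEBITURA_API_KEY"                # assumed variable name
KEY_ISSUED_ENV = "DEBITURA_API_KEY_ISSUED"  # assumed: ISO date the key was created
ROTATION_DAYS = 90                          # from the page: rotate every 90 days minimum


class KeyPolicyError(ValueError):
    """Raised when a request would violate the key-handling rules."""


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the key from the environment, never from source or a committed file."""
    key = env.get(KEY_ENV, "").strip()
    if not key:
        raise KeyPolicyError(f"{KEY_ENV} is not set")
    return key


def rotation_due(issued: str, today: Optional[str] = None) -> bool:
    """True when a key created on `issued` (YYYY-MM-DD) is older than ROTATION_DAYS."""
    issued_on = date.fromisoformat(issued)
    today_on = date.fromisoformat(today) if today else date.today()
    return today_on - issued_on > timedelta(days=ROTATION_DAYS)


def check_request(url: str, api_key: str) -> List[str]:
    """Return the policy violations for sending api_key to url (empty list means OK)."""
    problems = []
    if urlsplit(url).scheme != "https":
        problems.append("scheme is not https")
    if api_key and api_key in url:
        problems.append("api key appears in the URL")
    return problems


def build_request(url: str, api_key: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) with the key in a header, or raise if policy is violated."""
    problems = check_request(url, api_key)
    if problems:
        raise KeyPolicyError("; ".join(problems))
    return url, {"Authorization": f"Bearer {api_key}"}


def redact(text: str, api_key: str) -> str:
    """Mask the key before the text reaches a log line or error report."""
    if not api_key:
        return text
    masked = api_key[:4] + "..." + api_key[-4:] if len(api_key) >= 12 else "***"
    return text.replace(api_key, masked)


if __name__ == "__main__":
    # Constructed environment for the demo; a real deployment sets these outside the code.
    env = {KEY_ENV: "sk_test_constructed_key_0001", KEY_ISSUED_ENV: "2024-01-15"}
    key = load_api_key(env)
    url, headers = build_request("https://api.example.com/v1/cases", key)  # example host
    print("request headers:", redact(str(headers), key))
    print("key rotation due:", rotation_due(env[KEY_ISSUED_ENV]))
    print("violations for plain HTTP:", check_request("http://api.example.com/v1/cases", key))
```

Route every log call through `redact` (or a logging filter built on it) rather than relying on developers to remember; a key that reaches a log line is as exposed as one committed to version control.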
For Portal Access
- Enable MFA - Required for production
- Use strong passwords - Minimum 12 characters
- Don't share accounts - Individual user accounts
- Review access logs - Monitor for suspicious activity
- Limit user permissions - Principle of least privilege
- Revoke access promptly - When users leave
For Data Handling
- Encrypt sensitive data - Before storing locally
- Minimize data collection - Only collect necessary information
- Implement data retention - Delete when no longer needed
- Use secure connections - VPN for remote access
- Train staff - Security awareness programs
Reporting Security Issues
Responsible Disclosure
To report a vulnerability:
- Email: security@debitura.com
- PGP key available on request
- Include detailed description and steps to reproduce
What to expect:
- Acknowledgment within 24 hours
- Initial assessment within 5 days
- Regular updates on progress
- Credit for valid findings (opt-in)
Please don't:
- Test on production systems without permission
- Access or modify data you don't own
- Publicly disclose before coordinated release
Security Roadmap
Ongoing improvements:
- Extended audit log retention
- Advanced threat detection (machine learning)
- Automated compliance reporting
- Enhanced encryption key management
- Biometric authentication options
Next Steps
- Review authentication guide for API security
- Understand webhooks security for signature verification
- Explore API reference for security-related endpoints
- Contact security@debitura.com for compliance questions