Frequently Asked Questions on Firmli Security

The data center where your data is stored is selected automatically based on the country you choose when signing up for Firmli services.

Access to your data is limited to a select few employees who require it for technical support purposes, following a need-to-know principle. Regular reviews are conducted to ensure the appropriateness of this access.

We employ encryption protocols to safeguard customer data both in transit and at rest. Industry-standard AES-256 encryption is utilized for data at rest. Additionally, data transmitted over public networks is encrypted using Transport Layer Security (TLS) 1.2/1.3, ensuring protection against unauthorized access or alterations.

We manage and control encryption keys internally through our proprietary Key Management Service (KMS). Presently, there isn’t a feature allowing customers to upload and use their own encryption keys.

The passwords used to access Firmli services are stored using a one-way (non-reversible) hashing scheme. We employ the bcrypt hashing algorithm with a per-user salt, ensuring that even if our login database were compromised, recovering the passwords would be exceedingly difficult and resource-intensive.
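The per-user-salt pattern described above, as an added example that is not Firmli's code: bcrypt requires a third-party package, so the standard library's PBKDF2-HMAC-SHA256 stands in for it here, with the same properties (random salt per record, tunable work factor, one-way output); the record format, function names and iteration count are assumptions.

```python
# Added example (not Firmli's code): PBKDF2-HMAC-SHA256 from the standard
# library stands in for bcrypt to show the per-user-salt pattern.
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"        # assumed label for the stored record
DEFAULT_ITERATIONS = 600_000       # work factor; raise it as hardware speeds up


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The salt is fresh random bytes on every call, so two users with the same
    password get different records and a precomputed table is useless.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and work factor, then compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False                # malformed or foreign record: never a match
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salts_differ(record_a: str, record_b: str) -> bool:
    """True when two stored records carry different salts (the per-user guarantee)."""
    return record_a.split("$")[2] != record_b.split("$")[2]


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print(alice)
    print("same password, different records:", salts_differ(alice, bob))
    print("login ok:", verify_password("correct horse battery staple", alice))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", alice))
```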

Our infrastructure allows us to manage and allocate storage for each customer separately, so that each customer's data is logically separated from that of others. We ensure that each customer's service data remains inaccessible to other customers, maintaining strict segregation of data.

We use technologies provided by reputable and well-established service providers, which offer a range of Distributed Denial of Service (DDoS) mitigation capabilities. These measures are implemented to proactively prevent disruptions caused by potential DDoS attacks.

Yes, we conduct routine automated and manual penetration testing exercises to evaluate our systems' security posture. This involves a mix of certified third-party scanning tools and proprietary in-house tools to scan our codebase thoroughly.

If you find a problem in our platform, please let us know so we can fix it quickly. Kindly email us at security@firmli.com.

We have an Incident Support Team dedicated to informing and assisting affected clients or organizations by email to the account's primary email address.

In the event of a security breach, we notify our affected clients within 3-4 business days of the incident. Upon request, our affected clients will receive a comprehensive report within 7-10 business days.

Additional security features available to customers:

  • Multi-factor authentication
  • IP restrictions
  • Role/permission-based access control
  • Per-device account activity audit

We retain the data in your account for as long as you remain a user of Firmli Services. Upon termination of your Firmli user account, your data will be removed from the active database during the next scheduled cleanup, which takes place every 6 months. Any data removed from the active database will also be deleted from backups after 3 months.

We conduct full backups weekly. Backup data in a data center is stored in the same location as the original data and is encrypted while at rest. Furthermore, we perform weekly restoration and validation of backups. All backed-up data is retained for a period of 1 month. If a specific customer requests it, we can restore their data from the backup and provide access to it.

We maintain a monthly uptime of 99.9% according to our Service Level Agreement (SLA). We utilize cloud infrastructure from Amazon and Digital Ocean, renowned for their consistently high availability of services.

We use technical access controls and internal policies to prevent employees from accessing user data without authorization. Following the principles of least privilege and role-based permissions helps reduce the chances of data exposure. We use authentication methods like strong passwords, two-factor authentication, and passphrase-protected SSH keys.