Security & Debt Collection Compliance

Knowing your data is secure in Collect! means you can focus on collecting.

Data corruption, managing data access, protecting sensitive information, hacking, compliance requirements: there is a lot to think about when it comes to security and compliance. Fortunately, Collect! has done the heavy lifting to provide a highly secure and compliant software solution.

Collect! uses Vanta for security compliance monitoring and tracking. Review Collect!’s security posture by requesting access to Collect!’s Trust Report at https://trust.collect.org/


Application Security

Encryption – Encrypt data at the database or column level

Redaction – Redact data viewable by operators at the column level

Access – Restrict which accounts each operator can view, edit or delete, scoped by account, lockout, client or client type

Multi-Factor Authentication – Use an authenticator app (QR-code enrolment) or email-based MFA

Logging – Automatically log user activities and data modifications into an audit file

Premise Backup – Employ Collect! best practices to back up to your own server or to an outside server

Redundant Backup – Redundant second site or home server backup is available on request

Password Management – The client administrator is provided with an administrative password and defines and enforces their own password policy for the users within their instance

Data Access – Client data remains available to the client via reports or directly from the database

AWS Cloud Security

Cloud Security – Client sites are hosted on dedicated virtual machines in the fully redundant Tier 3 AWS data center closest to the client’s primary location. The Collect! cloud solution includes backups, alternative power and hardware resources, updates, upgrades and our Standard Membership package for ongoing support.

Configuration – Collect! makes use of Amazon Machine Images (AMIs) configured to meet or exceed CIS Benchmark policies. Collect! makes use of AWS monitoring and logging tools such as CloudWatch, CloudTrail and Inspector. Vanta draws auditable metadata from these AWS tools.

Compliance – AWS is SOC 2 and SOC 3 compliant. AWS cloud infrastructure and services have been validated by third-party testing against the NIST 800-53 Revision 4 controls, as well as additional FedRAMP requirements. Under the AWS shared responsibility model these attestations cover the infrastructure AWS operates; the configuration of the client virtual machines and of Collect! itself remains Collect!’s responsibility and is covered by the controls listed on this page.

Cloud Backup – Cloud subscriber data is backed up with AWS Backup, AWS volume snapshots and ESET Endpoint Security. Data drives are backed up nightly at the same time. Operating system drives are backed up monthly. All backups are full backups and are retained for 2 months. Redundant offsite backup and ‘hot’ backup are available on request.

Data Security – Collect! performs periodic network security tests.

Client Access Security – Collect! performs periodic penetration testing on its web-based systems, such as the client portal, consumer portal and dashboard.

Encryption – Data is encrypted at rest with AWS default encryption and in transit with Microsoft Remote Desktop’s native transport encryption.

Data Sanitization – Data is sanitized during the bulk import process.

Continuous Security Monitoring – ESET Endpoint Security protects against malware. Zabbix provides real-time monitoring.

Intrusion Prevention – Collect! employs a separate monitoring tool for data collection and processing, distributed monitoring, real-time problem and anomaly detection, alerting and escalation, visualization and more.

Denial of Service – By default, Collect! blocks an IP address after 3 failed login attempts, which limits credential brute-forcing. Because the block is keyed on the source address, all users behind a shared NAT or proxy address are affected together, so the threshold and unblock procedure should be agreed with the client.

AWS Compliance – AWS SOC 2 & SOC 3 reports available.

Code Security

Coding Best Practices

  • Collect! works with Veracode and other scanning systems to remediate vulnerabilities
  • Collect! implements secure coding best practices following OWASP guidance

Compliance

Compliance Tracking

  • Comtech uses Vanta Continuous Security and Compliance Monitoring Software, which collects metadata and configuration information from infrastructure, identity provider, version control, endpoints and hosts

US Health Insurance Portability and Accountability Act (HIPAA)

  • Compliant since 2015
  • Annual assessments using HIPAAOne
  • All issues remediated
  • BAA available on request

SOC 2 Type II

  • Comtech worked with KPMG and Vanta Security Compliance Tracking Software for readiness
  • Comtech underwent its SOC 2 Type II audit in 2023

Payment Card Industry (PCI)

  • Collect! uses tokenization and does not store card information
  • Collect! works with PCI compliant payment processors for card data storage
  • Tokenization keeps card numbers out of the Collect! database and reduces the client’s PCI DSS scope; the systems that capture card data and hand it to the processor remain in scope

US Consumer Financial Protection Bureau Regulation F

  • Collect! Version 13 provides new screens, fields and functionality designed for Reg F, including
    • Validation notice, judgment and dispute tracking forms
    • Agent alerts, contact analytics
    • Contact opt-in/opt-out status, details, methods
    • Contact control engine
    • Workflow analysis reports
    • Letter template audit report

Database Security

Collect! makes use of Microsoft SQL Server’s many security features to create a secure database application

  • Authentication & authorization
  • TLS (formerly SSL) encryption of the communication channel
  • SQL Server Service Master Key, the root of the server’s encryption key hierarchy
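
The SQL Server features listed above fit together as a key hierarchy: the Service Master Key protects each Database Master Key, which protects certificates, which protect the keys that encrypt whole databases (Transparent Data Encryption) or individual columns, while authentication and authorization decide who may ever open those keys. The T-SQL below is an added illustration and is not Collect!’s own schema or scripts; the database CollectDemo, the table dbo.DebtorAccount, the certificate, key and role names and the password placeholders are all assumptions made for the example.

```sql
-- Added example (not Collect!'s own code): SQL Server encryption hierarchy
-- for database-level and column-level encryption plus column authorization.
-- CollectDemo, dbo.DebtorAccount, TdeCert, PiiCert, PiiKey and
-- CollectorOperator are placeholder names chosen for this illustration.

-- 1. Database-level encryption (Transparent Data Encryption).
--    The Service Master Key (created at install) protects master's Database
--    Master Key, which protects the certificate that protects the TDE key.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password from a vault>';
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate (demo)';
GO
USE CollectDemo;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE CollectDemo SET ENCRYPTION ON;
GO
-- Back up the certificate and private key at once: a backup of an encrypted
-- database cannot be restored on another server without them.
USE master;
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<second strong password>');
GO

-- 2. Column-level encryption for one sensitive field.
--    A Database Master Key protects a certificate, which protects the
--    symmetric key that actually encrypts the column values.
USE CollectDemo;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<database master key password>';
CREATE CERTIFICATE PiiCert WITH SUBJECT = 'Column encryption certificate (demo)';
CREATE SYMMETRIC KEY PiiKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PiiCert;
GO
CREATE TABLE dbo.DebtorAccount (
    AccountId  INT IDENTITY PRIMARY KEY,
    DebtorName NVARCHAR(100)  NOT NULL,
    SsnEnc     VARBINARY(256) NULL      -- ciphertext only, never plaintext
);
GO
-- Writers open the key, encrypt the value and close the key again.
OPEN SYMMETRIC KEY PiiKey DECRYPTION BY CERTIFICATE PiiCert;
INSERT INTO dbo.DebtorAccount (DebtorName, SsnEnc)
VALUES (N'Sample Debtor', EncryptByKey(Key_GUID('PiiKey'), N'123-45-6789'));
CLOSE SYMMETRIC KEY PiiKey;
GO

-- 3. Authorization: an operator role sees the account but not the ciphertext
--    column, and without CONTROL on PiiCert it cannot open PiiKey at all,
--    so DecryptByKey would return NULL for it.
CREATE ROLE CollectorOperator;
GRANT SELECT ON dbo.DebtorAccount (AccountId, DebtorName) TO CollectorOperator;
DENY  SELECT ON dbo.DebtorAccount (SsnEnc) TO CollectorOperator;
GO

-- A principal with rights on PiiCert reads the plaintext back.
OPEN SYMMETRIC KEY PiiKey DECRYPTION BY CERTIFICATE PiiCert;
SELECT AccountId,
       CONVERT(NVARCHAR(11), DecryptByKey(SsnEnc)) AS Ssn
FROM dbo.DebtorAccount;
CLOSE SYMMETRIC KEY PiiKey;
GO
```

TDE requires SQL Server Enterprise edition, or Standard edition from SQL Server 2019 onward, and it protects data files and backups on disk only; column-level encryption is what keeps a value hidden from users and administrators who can query the live database but hold no rights on the certificate. In both cases the certificate backups, not the database backups, are the artefact a restore depends on, so they belong in the backup procedures described under Cloud Backup.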

Integrations

Collect! offers integrations with many third-party services for secure, automated data exchange

Policies & Documents

Comtech maintains a complete set of policies and documents to direct security management

  • Code of Conduct
  • Asset Management
  • Operations Security
  • Risk Management
  • Secure Development
  • Business Continuity and Disaster Recovery
  • Information Security
  • Access Control
  • Human Resource Security
  • Third-Party Management
  • Incident Response Plan

Internal

Work Environment

  • All staff sign a non-disclosure agreement
  • Comtech conducts reference and criminal record checks on new staff
  • Comtech’s offices are a locked work environment monitored by security cameras
  • Comtech infrastructure is protected by a robust firewall
  • Cloud subscription data is encrypted at rest
  • Data in transit is encrypted with TLS (SSL)
  • Work is performed on desktop workstations, never laptops or mobile devices
  • Workstations are password controlled
  • Password changes are enforced on a regular schedule
  • Workstation sessions time-out automatically
  • Data is made available to technicians on a ‘need to view’ basis
  • Periodic review and audits ensure staff compliance
  • Retired hard-drives are electronically and mechanically shredded