Posh’s security, privacy and compliance philosophy is built on a robust, resilient and proactive approach, and we take all three seriously.
Security: We invest heavily in security to keep our platform secure and to stay aware of emerging threats. See our Security Whitepaper for more information.
Privacy: Our Privacy By Design process evaluates every major product release to ensure that privacy best practices are properly implemented.
Compliance: For banks and credit unions, compliance is an essential consideration, and it shouldn’t be optional for their service providers either.
Our teams are focused on keeping Posh systems and our client data secure, compliant, and available through a number of security-by-design controls, processes, and procedures.
We earn our clients' trust by implementing role-based access controls, current encryption standards, strict transport security, and a number of other risk and threat mitigation controls. Posh AI assistants enable financial institutions to improve communication with their customers; through our confidentiality controls and data integrity processes, we protect and encrypt those conversations in line with our core security principles.
Security is a priority throughout our organization and is built into our culture. We maintain an experienced and skilled security team who conduct security assessments, promote secure coding practices, run security operations, perform risk assessments, conduct penetration tests, and ensure we adhere to current regulatory and compliance standards.
At Posh, we build our security philosophy on the CIA triad (confidentiality, integrity, availability). Here are some examples of how we enforce each principle:
Confidentiality: through strong encryption, cryptography, and tokenization standards.
Integrity: through tools and controls that prevent unauthorized alteration of, or access to, data. These include file integrity monitoring (FIM), key management controls, and secure management of secrets and keys.
Availability: geographically redundant Google Cloud zones let us maintain high availability for the platform. Regular backups and semi-annual disaster recovery (DR) tests support the SLAs we offer for our product.
Posh’s security team runs red team/blue team exercises multiple times a year to test the effectiveness of our incident response plans against new and emerging attack vectors.
Posh follows a secure SDLC process whereby our development takes into consideration the vulnerability classes identified in the OWASP Top Ten and the CIS Critical Security Controls (formerly the CIS Top 20). The development team keeps abreast of changing security trends to help them implement secure coding practices and ensure the platform is protected from both client-side and server-side attacks.
Recognizing our customers' requirement that we keep their information confidential, we require TLS 1.2 or later for all connections and have registered our domain on the HSTS preload list, so browsers connect over HTTPS even on the first visit. These defense-in-depth controls build trust and confidence in our company and products.
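The two transport controls above are the kind a customer can verify for themselves. The following Go program, added here as an illustration and not code from Posh, checks a Strict-Transport-Security header against the preload list's submission requirements (max-age of at least one year, includeSubDomains, and the preload directive) and builds a client tls.Config that refuses to negotiate below TLS 1.2. The header values it runs over are constructed, not captured from any real host; the function and type names are the example's own.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// PreloadMinMaxAge is the minimum max-age (one year, in seconds) that the
// HSTS preload list requires of a submitted domain.
const PreloadMinMaxAge = 31536000

// HSTSPolicy is the parsed form of a Strict-Transport-Security header value.
type HSTSPolicy struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses a Strict-Transport-Security value as laid out in RFC 6797:
// semicolon-separated directives, case-insensitive names, max-age mandatory.
func ParseHSTS(header string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seenMaxAge := false
	for _, raw := range strings.Split(header, ";") {
		directive := strings.TrimSpace(raw)
		if directive == "" {
			continue
		}
		parts := strings.SplitN(directive, "=", 2)
		name := strings.ToLower(strings.TrimSpace(parts[0]))
		value := ""
		if len(parts) == 2 {
			value = strings.Trim(strings.TrimSpace(parts[1]), `"`)
		}
		switch name {
		case "max-age":
			v, err := strconv.ParseInt(value, 10, 64)
			if err != nil || v < 0 {
				return p, fmt.Errorf("invalid max-age %q", value)
			}
			p.MaxAge, seenMaxAge = v, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seenMaxAge {
		return p, errors.New("max-age directive missing")
	}
	return p, nil
}

// PreloadEligible reports whether the policy satisfies the preload list's
// header requirements, naming the first requirement it fails.
func PreloadEligible(p HSTSPolicy) (bool, string) {
	switch {
	case p.MaxAge < PreloadMinMaxAge:
		return false, "max-age must be at least 31536000 seconds"
	case !p.IncludeSubDomains:
		return false, "includeSubDomains directive missing"
	case !p.Preload:
		return false, "preload directive missing"
	}
	return true, ""
}

// ClientTLSConfig builds a tls.Config that refuses to negotiate below TLS 1.2.
// Go's default cipher suite selection already excludes known-weak suites and
// TLS 1.3 suites are not configurable, so MinVersion is the setting that matters.
func ClientTLSConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	}
}

func main() {
	// Constructed header values; not captured from any real host.
	for _, h := range []string{
		"max-age=31536000; includeSubDomains; preload",
		"max-age=86400; includeSubDomains",
		"includeSubDomains; preload",
	} {
		p, err := ParseHSTS(h)
		if err != nil {
			fmt.Printf("%q -> parse error: %v\n", h, err)
			continue
		}
		ok, why := PreloadEligible(p)
		fmt.Printf("%q -> eligible=%t %s\n", h, ok, why)
	}
	cfg := ClientTLSConfig("example.com")
	fmt.Println("client minimum TLS version is 1.2:", cfg.MinVersion == tls.VersionTLS12)
}
```

The header check is only the policy half of a preload submission: the list additionally requires that the domain serve a valid certificate and redirect HTTP to HTTPS, and it accepts registrable domains, not top-level domains. Pair the tls.Config with a real connection attempt if you want to confirm that a server actually rejects TLS 1.0 and 1.1.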
Access controls are crucial, particularly when limiting access to confidential or restricted data. When accessing internal systems, Posh staff authenticate from a company-owned device that carries a number of best-practice controls, such as multi-factor authentication, endpoint encryption and VPN enforcement.
As part of Posh’s privacy awareness standards, we follow a privacy-by-design methodology, embedding privacy in the design of our product and processes and assessing each through a data protection impact assessment (DPIA).
As a leading fintech organization in the conversational AI space, we follow strict standards as we process, transmit, and store customer data. Many of our customers ask how we handle their data, including the security standards we use to keep it confidential. For data in transit, we use TLS 1.2 or later with strong cipher suites. For data at rest, we use AES-256. Note that for data at rest, Posh does not have access to the DEKs (Google-managed data encryption keys).
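The statement that Posh never holds the DEKs describes envelope encryption: each record is encrypted under its own data encryption key, and that DEK is stored only in wrapped form under a key encryption key (KEK) that lives in the cloud provider's key management service. The Go program below is an added illustration of that pattern using AES-256-GCM; it is not Posh's or Google's code, and its KMS type is a hypothetical in-process stand-in for a real key management service. The record it encrypts is constructed sample text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the storage layer keeps for one record: the record
// encrypted under a per-record DEK, and that DEK encrypted under the KEK.
// Neither field lets the storage layer recover the plaintext on its own.
type Envelope struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, record)
}

// gcmSeal encrypts with AES-256-GCM under key, prefixing a fresh random nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to blob or aad fails authentication.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// KMS is a hypothetical stand-in for the key management service that holds
// the KEK. Callers only ever submit DEKs to wrap or unwrap; the KEK never leaves it.
type KMS struct{ kek []byte }

// NewKMS generates a random 256-bit KEK.
func NewKMS() (*KMS, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &KMS{kek: kek}, nil
}

func (k *KMS) Wrap(dek, aad []byte) ([]byte, error)       { return gcmSeal(k.kek, dek, aad) }
func (k *KMS) Unwrap(wrapped, aad []byte) ([]byte, error) { return gcmOpen(k.kek, wrapped, aad) }

// Encrypt generates a fresh 256-bit DEK for the record, encrypts the record
// with it, wraps the DEK under the KEK, and lets the plaintext DEK go out of
// scope. recordID is bound in as associated data so an envelope cannot be
// moved from one record to another.
func Encrypt(kms *KMS, recordID string, record []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dek, record, []byte(recordID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := kms.Wrap(dek, []byte(recordID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt asks the KMS to unwrap the DEK, then opens the record with it.
func Decrypt(kms *KMS, recordID string, env Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, []byte(recordID))
}

func main() {
	kms, _ := NewKMS()
	// Constructed sample record; not real customer data.
	env, _ := Encrypt(kms, "conversation/42", []byte("customer asked about a wire transfer"))
	pt, err := Decrypt(kms, "conversation/42", env)
	fmt.Printf("round trip: %q (err=%v)\n", pt, err)
	other, _ := NewKMS()
	_, err = Decrypt(other, "conversation/42", env)
	fmt.Println("decrypt without the right KEK fails:", err != nil)
}
```

The point of the design is the separation of duties it creates: whoever operates the storage layer sees only ciphertext and wrapped keys, and every decryption has to go through the KMS, where it can be authorized and logged. Rotating the KEK means re-wrapping the small DEKs, not re-encrypting the data.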
We have processes in place to ensure that when our customers use the Posh platform and it receives some form of PII, our data loss prevention (DLP) systems prevent that information from being persisted. As part of our privacy-by-design approach, we do not persist sensitive PII and make every effort to use pseudonymous identifiers that do not directly identify a data subject. Our Data Protection Impact Assessment (DPIA) procedure ensures we adhere to data minimization controls wherever possible.
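Two techniques are at work in the paragraph above: redacting PII from a message before it is stored, and replacing the customer's real identifier with one that cannot be reversed without a secret. The Go program below is an added illustration of both, written for this page rather than taken from Posh's DLP system. Its detectors (SSN, e-mail address, and payment card numbers confirmed with the Luhn check) are constructed examples of a ruleset, not a complete one; the chat message and the HMAC key are constructed as well, and in practice the key would come from a secrets manager.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Detectors for the PII types a banking assistant is most likely to receive.
// These are constructed, illustrative patterns, not a complete DLP ruleset.
var (
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	// 13 to 19 digits, optionally separated by single spaces or dashes; a match
	// is only treated as a card number if it also passes the Luhn check.
	panRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// luhnValid reports whether a digit string passes the Luhn checksum used by
// payment card numbers, which filters out account or ticket numbers that
// merely look like one.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Redact replaces detected PII with typed placeholders before the message is
// persisted and returns the kinds found, so a finding can be logged without
// logging the value itself.
func Redact(msg string) (string, []string) {
	var kinds []string
	out := ssnRe.ReplaceAllStringFunc(msg, func(string) string {
		kinds = append(kinds, "ssn")
		return "[REDACTED-SSN]"
	})
	out = emailRe.ReplaceAllStringFunc(out, func(string) string {
		kinds = append(kinds, "email")
		return "[REDACTED-EMAIL]"
	})
	out = panRe.ReplaceAllStringFunc(out, func(m string) string {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if !luhnValid(digits) {
			return m // not a card number; leave it in place
		}
		kinds = append(kinds, "pan")
		return "[REDACTED-PAN]"
	})
	return out, kinds
}

// Pseudonym derives a stable identifier for a data subject from a secret key
// and the subject's real identifier. Records can be joined on it, but it
// cannot be reversed or linked back to the person without the key.
func Pseudonym(key []byte, subjectID string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(subjectID))))
	return "subj_" + hex.EncodeToString(mac.Sum(nil))[:32]
}

// SampleMessage is a constructed chat message, not a real customer conversation.
const SampleMessage = "Hi, my SSN is 123-45-6789 and my card 4111 1111 1111 1111 was declined, email me at jane.doe@example.com"

func main() {
	clean, kinds := Redact(SampleMessage)
	fmt.Println(clean)
	fmt.Println("findings:", kinds)
	// Constructed key for illustration only; a real deployment would fetch it from a secrets manager.
	fmt.Println(Pseudonym([]byte("constructed-demo-key"), "jane.doe@example.com"))
}
```

The Luhn filter is the caveat worth noting: a bare 16-digit regex will also strip account numbers, ticket numbers and timestamps, which silently breaks the assistant's own workflows, so pattern matches should be confirmed with a structural check before redaction. Keyed pseudonyms, unlike a plain hash of the identifier, cannot be reversed by anyone who can enumerate likely inputs (e-mail addresses, account numbers) but lacks the key.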