Data security

• Data in transit
  • All data transferred between the user's browser and Central’s servers is encrypted in transit. Central uses TLS v1.2+.
• Data at rest
  • Data is encrypted at rest using AES-256 key encryption with key material managed by AWS Key Management Service (KMS).
  • Customer documents and database fields may use a second layer of AES-256 encryption with customer-specific keys.
• Data center security
  • Central uses Amazon Web Services (AWS) to host its production servers and supporting services.
  • Central uses Neon (neon.tech) for hosted Postgres databases. Neon uses AWS to host it’s service and database instances.
• Data availability
  • Central’s production systems and data are backed up on a regular basis. We run through a checklist to verify data is recorded and usable. Backups are tested on a periodic basis.

Application security

• Access controls
  • Access to Central’s systems is limited based on employee roles and responsibilities. The principle of least privilege is enforced.
• Testing and review
  • All changes to our application are subject to peer review and testing before being merged.
• Separate environments
  • Central maintains segregated testing, development, and production environments.

Vulnerability management

• Vulnerability scanning
  • Central uses AWS’ security tools to constantly scan our applications, systems, and infrastructure for potential security risks and vulnerabilities.
• Code analysis
  • Central’s code repositories are regularly scanned for security issues using static code analysis.
• Bug bounty
  • We welcome responsible disclosure from security researches, though Central does not offer rewards for user-submitted bugs at this time.

Product security

• Multi-Factor Authentication
  • Central allows you to add an extra layer of security to your account by enabling two-step verification, also called two-factor authentication. This reduces the risk of having your account accessed by anyone else.
  • Central supports both SMS and TOTP two-factor codes.
• Fraud monitoring
  • Central’s financial partners monitor customer accounts and transactions to help prevent fraud.