Security
Overview
FISTWorks is built for financial services. Every layer of the platform — from authentication to database storage to file transmission — is designed to protect sensitive banking data. This page explains exactly how we keep your data secure.
Passwordless Authentication
FISTWorks uses passwordless sign-in powered by Microsoft Entra ID. There are no passwords to create, remember, or reset.
When you sign in:
- Enter your email address.
- A one-time verification code is sent to your inbox.
- Enter the code to access your account.
This eliminates the most common attack vectors in financial applications:
| Threat | How passwordless protects you |
|---|---|
| Credential stuffing | No password exists to reuse from other breaches. |
| Phishing | One-time codes expire quickly and cannot be replayed. |
| Brute force attacks | There is no password to guess. |
| Weak password risks | Users cannot choose weak or reused passwords. |
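The protections in the table depend on how the one-time code is issued and checked: stored only as a hash, bound to the email it was sent to, time-limited, and invalidated on first successful use. The Python sketch below is an added illustration, not FISTWorks's own code; the 10-minute lifetime, the 5-attempt guess budget, and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # assumed lifetime; the page only says codes "expire quickly"
MAX_ATTEMPTS = 5             # assumed per-code guess budget before the code is discarded

_pending = {}  # email -> [code_hash, expires_at, attempts]; constructed in-memory store


def _hash(email, code):
    # Bind the digest to the email so a code issued for one inbox cannot be
    # presented for another; only the hash is stored, never the clear code.
    return hashlib.sha256(f"{email.lower()}:{code}".encode()).hexdigest()


def issue_code(email, now=None):
    """Generate a fresh 6-digit code; any earlier code for this email is replaced."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[email.lower()] = [_hash(email, code), now + CODE_TTL_SECONDS, 0]
    return code  # handed to the mailer for delivery to the inbox (not shown)


def verify_code(email, submitted, now=None):
    """Return True exactly once for a valid, unexpired code; False otherwise."""
    now = time.time() if now is None else now
    key = email.lower()
    entry = _pending.get(key)
    if entry is None:
        return False
    code_hash, expires_at, attempts = entry
    if now > expires_at or attempts >= MAX_ATTEMPTS:
        _pending.pop(key, None)          # expired or exhausted: discard, never accept
        return False
    entry[2] += 1                        # count every guess against the budget
    if hmac.compare_digest(code_hash, _hash(email, submitted)):
        _pending.pop(key, None)          # single use: a replayed code now fails
        return True
    return False
```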
Encryption at Rest
Sensitive fields are encrypted directly in the database using column-level encryption. This means:
- Bank account numbers, routing numbers, and recipient identifiers are encrypted before they are stored.
- SFTP connection credentials (passwords, SSH keys) are encrypted at rest.
- Third-party integration tokens (e.g., QuickBooks) are encrypted at rest.
- Even database administrators cannot read encrypted values without explicit authorization.
Column-level encryption protects your data even in the event of a database compromise — encrypted fields appear as unreadable ciphertext.
Encryption in Transit
All data transmitted between your browser and FISTWorks is encrypted using TLS (HTTPS). This applies to:
- Every page you visit.
- Every API call.
- Every file upload and download.
SFTP file transmissions to your bank use SSH encryption, providing end-to-end protection for ACH files in transit.
Data Masking
Sensitive financial data is masked at multiple levels:
- In the application — Bank routing numbers are partially masked in the UI (e.g., displayed as `*****0021`) to prevent shoulder-surfing and accidental exposure.
- In the database — Dynamic data masking rules ensure that sensitive fields return masked values by default, providing defense-in-depth even if application controls are bypassed.
- In logs — Sensitive data is never written to application logs, error messages, or diagnostic telemetry.
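The UI masking format and the "never in logs" rule above can both be enforced in one place with a logging filter that scrubs records before any handler sees them. This is an added Python example, not FISTWorks's code; the digit-run heuristic (any 8 to 17 consecutive digits is treated as an account or routing number) and the logger name are assumptions.

```python
import logging
import re

# Assumed heuristic: any run of 8-17 digits is treated as an account or routing number.
_SENSITIVE_DIGITS = re.compile(r"\b\d{8,17}\b")


def mask_number(value: str) -> str:
    """UI display form: every digit except the last four becomes '*'."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Scrub every routing/account-looking digit run from free text."""
    return _SENSITIVE_DIGITS.sub(lambda m: mask_number(m.group()), text)


class RedactingFilter(logging.Filter):
    """Attach to each handler so message templates and their args are scrubbed
    before formatting; exception text and extra fields would need the same treatment."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


def scrub_record(message: str, *args) -> str:
    """Build one record, run it through the filter, return the formatted line."""
    record = logging.LogRecord("fistworks.demo", logging.INFO, __file__, 0,
                               message, args, None)  # hypothetical logger name
    RedactingFilter().filter(record)
    return logging.Formatter("%(message)s").format(record)


if __name__ == "__main__":
    # Constructed sample: a transmission log line carrying a routing and account number.
    print(scrub_record("ACH sent: routing %s account %s", "123450021", "987654321012"))
```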
Multi-Tenant Data Isolation
FISTWorks uses a multi-tenant architecture where each organization's data is strictly isolated:
- Every database query is scoped to your organization. There is no way to access another organization's data.
- Role-based access controls restrict administrative actions (e.g., managing bank connections, inviting members) to organization administrators.
- Members can only see data within organizations they belong to.
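The two controls above (an organization filter on every query and an administrator check on privileged actions) are simplest to enforce in the data-access layer, where the organization id comes from the signed-in identity rather than from anything the request supplies. This is an added Python/SQLite example, not FISTWorks's code; the table layout and the two sample organizations are constructed.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Identity established at sign-in; org_id is taken from the session, never the request."""
    user_id: int
    org_id: int
    is_admin: bool


class TenantScopedDB:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def recipients(self, who: Principal):
        # The organization filter is applied unconditionally by the data layer.
        rows = self.conn.execute(
            "SELECT id, name FROM recipients WHERE org_id = ?", (who.org_id,)).fetchall()
        return [{"id": r[0], "name": r[1]} for r in rows]

    def delete_bank_connection(self, who: Principal, connection_id: int) -> int:
        if not who.is_admin:
            raise PermissionError("organization administrators only")
        # id AND org_id in the WHERE clause: a guessed id from another tenant deletes nothing.
        cur = self.conn.execute(
            "DELETE FROM bank_connections WHERE id = ? AND org_id = ?",
            (connection_id, who.org_id))
        return cur.rowcount


def demo_db() -> TenantScopedDB:
    """Constructed in-memory dataset with two organizations (ids 100 and 200)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE recipients(id INTEGER PRIMARY KEY, org_id INTEGER, name TEXT);
        CREATE TABLE bank_connections(id INTEGER PRIMARY KEY, org_id INTEGER, label TEXT);
        INSERT INTO recipients VALUES (1, 100, 'Acme Payroll'), (2, 200, 'Globex Vendors');
        INSERT INTO bank_connections VALUES (10, 100, 'Acme operating'), (20, 200, 'Globex operating');
    """)
    return TenantScopedDB(conn)
```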
Audit Trail
Every significant action in FISTWorks is logged in a comprehensive audit trail that cannot be modified or deleted by users. Tracked events include:
- ACH file generation and transmission
- Bank connection changes (added, edited, deleted)
- Recipient changes
- Member management (invitations, promotions, removals)
- SFTP connection tests and file transmissions
- Account and organization lifecycle events
The audit log is available on the Organization page for administrators to review at any time.
Infrastructure Security
FISTWorks is hosted on Microsoft Azure, benefiting from Azure's extensive security certifications:
| Certification | Description |
|---|---|
| SOC 1 Type II | Controls over financial reporting |
| SOC 2 Type II | Security, availability, and confidentiality controls |
| ISO 27001 | International information security management standard |
| HITRUST | Health and information trust framework |
| PCI DSS | Payment card industry data security standard |
Our Azure infrastructure includes:
- Azure SQL Database with automatic backups and geo-redundant storage.
- Azure Key Vault for secure management of encryption keys and application secrets.
- Azure Front Door for DDoS protection and global content delivery.
- Application Insights for real-time monitoring and threat detection.
Secret Management
Application secrets (database connection strings, API keys, encryption keys) are stored in Azure Key Vault — never in source code, configuration files, or environment variables on the application server. Key Vault provides:
- Hardware-backed key storage.
- Access logging for all secret retrievals.
- Automatic key rotation support.
Session Security
- Sessions expire after 30 minutes of inactivity, automatically signing you out.
- Active sessions are refreshed transparently — if you are actively using the platform, you stay signed in.
- Anti-forgery tokens protect against cross-site request forgery (CSRF) attacks on all form submissions.
No Tracking
FISTWorks does not use analytics cookies, advertising trackers, or third-party tracking pixels. The only cookies used are essential for authentication and session management. See our Privacy Policy for full details.
Responsible Disclosure
If you discover a security vulnerability in FISTWorks, please report it to us through our Contact page. We take all security reports seriously and will respond promptly.