We take security seriously at NODE40. Founded by long-time developers with rich backgrounds in information security, our security culture starts at the top and permeates every facet of our day-to-day operations. All employees and contractors are required to read, acknowledge annually, and strictly adhere to our Information Security Policies and Procedures within the NODE40 Information Security Management System.
NODE40 is committed to complying with our users’ rights and obligations under the General Data Protection Regulation (GDPR), which took effect on May 25, 2018.
NODE40 has strict policies in place that are designed to safeguard sensitive information, including customer data, by restricting access to authorized users and providing a reliable audit trail of system events and activity in order to identify unauthorized access or activities.
Access to NODE40 information is restricted to ensure only authorized users or groups of users (in the case of accountant-managed clients) are granted rights. Authorization is granted by applying the principle of least privilege, which begins at no access and expands in a controlled manner, as needed, to the information required by the authorized user. This applies to both customer access and employee access at NODE40. NODE40 logs and monitors system activity throughout its interconnected NODE40 services.
To help enforce strong account access, NODE40 searches public databases for known compromised username and password combinations. If a match is discovered during account creation or password changes, the provided credentials are denied.
NODE40 allows, and highly encourages, customers to enable 2FA within their accounts. Enabling 2FA adds an extra step at sign-in and provides an extra layer of access control to one’s account and data. You can read more about 2FA or sign in now and enable 2FA.
Employees at NODE40 are required to use 2FA in their day-to-day work, including services such as email, cloud access, and messaging.
NODE40 protects sensitive data, including customer data, through a series of access control policies and state-of-the-art encryption technology. We control network traffic to and from authorized devices through carefully constructed rules including, but not limited to, the type of data permitted, frequency of data permitted, and intended origin/destination of the data. At the application layer, additional safeguards are in place to ensure users are granted access only to their own data and are restricted to performing operations authorized against a set of well-defined privileges. At the data layer, NODE40 encrypts data considered private or sensitive, such as third-party API keys, blockchain infrastructure keys, tax forms, account data including passwords, and wallet extended public keys (xPubs).
NODE40 ensures third-party service providers implement and effectively operate appropriate controls to protect the privacy and security of the NODE40 Information Security Management System and data.
For sub-service providers, a current SOC 2 Type II audit report is requested and reviewed annually when available.
If you think you may have found a security vulnerability within NODE40, please get in touch with our security team.