Information Security

Confluence Technologies Inc. Information Security Overview

Confluence is committed to maintaining the integrity and confidentiality of client data through a robust and certified Information Security Management System (ISMS). The ISMS is designed to align with international standards and best practices, ensuring that our products and services meet the highest security expectations and are subject to regular external audits conducted by independent certification bodies.

Confidentiality

Confluence uses appropriate, modern technologies designed to ensure client information confidentiality, whether the information is en route to, stored at, or being processed by Confluence.

Integrity

Information is carefully managed at Confluence to maximize accuracy and completeness. Establishing and maintaining integrity is achieved through a combination of processes and procedures which support appropriate data management, change management, and quality control practices.

Availability

Information is of little use if it is not available where and when required. It is therefore stored and managed by Confluence in a way that makes it available as necessary, while preserving its confidentiality and integrity. We monitor all our client-facing services.

Access Management

Confluence supports a range of authentication and authorization methods to secure data, systems, and services across its platforms. These may include single sign-on, multi-factor authentication, and role-based access controls, as appropriate for each product or service. User access and permissions are managed in accordance with industry best practices, ensuring separation of duties and alignment with regulatory and client requirements.

Data Security & Privacy

Confluence is committed to the highest standards of data security. Client data is classified and protected using effective security controls, which may include encryption at rest, in transit, or in use, depending on risk assessment and technical capabilities. Security measures are tailored to meet regulatory requirements, industry best practices, and the unique needs of each product or service.

For data privacy, refer to Confluence Privacy Notices – Confluence Technologies.

ISO/IEC 27001:2022

Confluence is ISO/IEC 27001:2022 Certified. ISO 27001 provides a globally recognized framework for establishing, implementing, and continually improving an ISMS. This certification demonstrates Confluence’s commitment to preserving the Confidentiality, Integrity, and Availability of information. It promotes a holistic approach to information security by integrating people, policies, processes, and technology to manage risks and ensure cyber resilience.

ISAE 3402 / SOC 1 Type II

Confluence has achieved ISAE 3402 / SOC 1 Type II accreditation for:

  • Financial Reporting and Regulatory Reporting Platforms
  • Portfolio Analytics Service
  • Hosted Portfolio Management and Analytics Platform
  • Portfolio Valuations Services

These reports validate the effectiveness of Confluence’s internal controls over financial reporting and security, ensuring reliability and compliance for clients leveraging these services.

Hosting & Data Residency

Confluence partners with leading data centers and cloud providers to provide online services for our hosted service users. These data center facilities provide the highest levels of physical security protecting the environment from unauthorized access. Robust infrastructure, including redundant power, cooling, and network connectivity, supports high availability and minimizes the risk of service disruption, helping Confluence maintain continuous system operations.

Security Incident Management

As part of our ISO 27001-certified ISMS, Confluence maintains an incident management program and a 24/7 Security Operations Center (SOC), operated in partnership with a trusted external provider. The SOC team uses real-time Security Information and Event Management (SIEM) and Managed Detection and Response (MDR) solutions to continuously monitor activity, investigate alerts, respond to security incidents, and coordinate containment, remediation, and recovery efforts.

Resiliency

Confluence has designed its platforms and data storage to be backed up and made available in the event of a disaster. Confluence uses server virtualization and storage mirroring technologies to make this happen. Systems are architected to work together, eliminating single points of failure. Multiple pathways for power, internet, and network connectivity help ensure that critical services remain operational even if individual components experience issues.

Risk Management

Confluence manages information security risks in line with ISO 27001 requirements. All key information assets within the scope of the ISMS are included in risk assessment. Additionally, Confluence performs information security reviews and due diligence on key service providers to identify, evaluate, mitigate, and monitor risks tied to third-party software and services.

Vulnerability Management

Confluence employs a comprehensive vulnerability management program that includes regular SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and Software Composition Analysis (SCA) to identify and assess risks in both proprietary and third-party code. Vulnerabilities are evaluated and prioritized using the Common Vulnerability Scoring System (CVSS) to ensure effective remediation. In addition, Confluence engages a CREST-certified independent third party to conduct annual penetration testing of both network and application environments across all hosted products and services.

Security Education & Training

Confluence maintains a robust and continuous security training program. As part of the Confluence ISMS, all staff are required to complete security awareness training during their induction and then quarterly thereafter. In addition, Confluence provides role-specific security training to individuals with roles and/or responsibilities for specific domains.

Shared Responsibilities

Confluence primarily owns and manages the technology stack in its on-premises data centers. For certain products, Confluence partners with specialized data center providers such as Abacus and CyrusOne, who oversee the physical infrastructure and core systems within their facilities. For cloud services, Confluence follows the Shared Responsibility Model framework, which clearly defines the roles of Confluence and our Cloud Service Providers (CSPs). CSPs are responsible for security and availability of the underlying infrastructure, physical security for their data center location, and the security of services described in contractual agreements.