Fast’s security program provides a strong framework for the protection of Fast’s
information assets. The program is led by a dedicated, deeply experienced security
team working closely with relevant stakeholders from Fast’s engineering, product, and payment
risk operations teams; it is based on globally recognized security and privacy standards and commonly accepted best practices. The program is updated continuously to mitigate threats identified through frequent risk assessments performed against our environment. We employ numerous technical and organizational measures to protect the security and privacy of company, buyer, and seller data and assets, and the security engineering team tailors the program to Fast's business objectives and operating architecture.
Access controls are determined by business requirements provided through formally controlled processes, employee and contractor acknowledgment of responsibilities, as well as network, operating system, and application controls. Fast implements user access restrictions and applies role-based access permissions. We also use strong authentication and authorization methods including multi-factor authentication and utilize a password manager requiring complex passwords with mandatory periodic reset.
Bug Bounty Program
Fast operates a private bug bounty program through Bugcrowd. Security researchers are invited to the program based on their past performance on the Bugcrowd platform, and rewards are granted to researchers based on the severity and quality of each submission.
Business Continuity and Incident Management
Fast employs dedicated teams located in multiple geographies to support our platform and infrastructure, and we use geographically separate data centers and cloud service provider availability zones to support infrastructure and service availability and continuity. We retain backup copies of critical data and operate redundant, resilient systems. We regularly update software and install security patches. Fast maintains an incident response plan and an incident response team.
Data Centers and Cloud Providers
Fast uses leading cloud service providers to ensure availability and continuity. These providers utilize an array of security equipment, techniques, and procedures designed to control, monitor, and record access to the facilities. We have also implemented solutions designed to protect against and mitigate the effects of DDoS attacks.
Fast Personnel and Physical Security
Fast personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, authorized usage, and professional standards. Fast conducts background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Fast’s information security and privacy policies. All employees participate in security and privacy training. Fast also uses physical access control systems, including electronic physical access control and video monitoring.
Network Security and Encryption
Fast encrypts data in transit using strong cryptographic protocols and encrypts personally identifiable information at rest. Data in transit between sellers and Fast, and between Fast and subprocessors, is protected with TLS (the successor to the deprecated SSL protocols). Fast engages independent third parties to perform penetration testing of Fast services and the platforms hosting personal data, and Fast conducts regular vulnerability scans. Fast also implements physical protection measures for critical locations, including badging requirements and fire detection and suppression systems.
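The transport protections described above, as an added example that is not part of Fast's page or Fast's own code: a Python client-side TLS policy for outbound connections (TLS 1.2 or newer, certificate validation against a trusted CA store, hostname verification) next to the legacy configuration it replaces, with an audit function that reports where a given context falls short. The function names are the example's own, and the "legacy" context is constructed here only to show what the audit rejects.

```python
import socket
import ssl
from typing import List

# Floor for outbound connections: SSLv2/SSLv3 and TLS 1.0/1.1 are all rejected.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def make_strict_client_context() -> ssl.SSLContext:
    """Client context that meets the policy: TLS >= 1.2, CA validation, hostname check.

    (Example name; not a function from Fast's codebase.)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_TLS_VERSION
    # PROTOCOL_TLS_CLIENT already enables both of these; setting them explicitly
    # documents the intent and survives a future change of defaults.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()  # system CA store; add load_verify_locations() for pinning
    return ctx


def make_legacy_client_context() -> ssl.SSLContext:
    """The weak configuration the audit should flag (constructed for illustration only).

    check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # permits TLS 1.0/1.1
    ctx.check_hostname = False                  # any valid cert for any name accepted
    ctx.verify_mode = ssl.CERT_NONE             # no CA validation at all
    return ctx


def tls_policy_violations(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of policy violations for a client context; empty means compliant."""
    problems: List[str] = []
    if ctx.minimum_version < MIN_TLS_VERSION:
        problems.append(
            f"minimum_version is {ctx.minimum_version.name}; must be at least "
            f"{MIN_TLS_VERSION.name}"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED; peer certificate is not validated")
    if not ctx.check_hostname:
        problems.append("check_hostname is disabled; certificate is not matched to the host")
    return problems


def open_tls_connection(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect only if the context passes the audit; server_hostname drives SNI and name matching."""
    violations = tls_policy_violations(ctx)
    if violations:
        raise ValueError("refusing to connect with non-compliant TLS context: " + "; ".join(violations))
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("strict", make_strict_client_context()), ("legacy", make_legacy_client_context())):
        print(name, tls_policy_violations(ctx) or "compliant")
```

Running the module prints an empty violation list for the strict context and three findings for the legacy one; `open_tls_connection` refuses to dial out at all unless the audit passes, which keeps a misconfigured context from silently downgrading a subprocessor connection.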
Partner (Vendor) Risk Assessment
Through its partner risk assessment program, Fast performs a security and privacy assessment for all new technologies and services prior to deployment. Fast also performs annual reviews of vendors responsible for processing highly sensitive information. Vendors or contractors with access to Fast systems and information are subject to the same security policies and procedures expected of our own employees.
Payment Card Industry (PCI) Compliance
Fast was successfully assessed as a PCI DSS Level 1 service provider. Level 1 is the most rigorous validation tier for service providers and requires an annual on-site assessment by a Qualified Security Assessor. Fast is committed to annual reassessments to maintain this level of PCI DSS compliance for its products and services. If you use Fast's products and services, Fast is responsible for the PCI DSS compliance of the Fast systems that store, process, or transmit cardholder data on your behalf; PCI DSS responsibility for your own systems that handle cardholder data remains with you.
Secure Software Development Life Cycle (SSDLC)
Fast has a dedicated application security team that performs security reviews and testing to identify security issues as software is developed, tested, and released. Fast uses Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Dynamic Application Security Testing (DAST) to detect vulnerabilities in first-party code and third-party dependencies. Periodic external penetration tests are performed to identify vulnerabilities that automated tooling and internal review may miss.
Security Training and Awareness
Fast mandates annual security and privacy compliance training for all new and existing employees. The training program covers security concepts including acceptable use, access control best practices, data classification, and handling of sensitive data. Engineers are trained in secure software development practices, including the OWASP Top 10. Employees are subject to disciplinary action up to and including termination for security violations. Background checks are performed on employees prior to starting employment with Fast.