Security Program Overview

Fast’s security program provides a strong framework for the protection of Fast’s 
information assets. The program is led by a dedicated, deeply experienced security 
 team working closely with relevant stakeholders from Fast’s engineering, product, and payment 
 risk operations teams; it is based on globally recognized security and privacy standards and commonly  accepted best practices. The program is dynamically updated to mitigate threats based on frequent risk  assessments performed against our environment. Additionally, we employ numerous technical and  organizational measures to protect the security and privacy of company, buyer, and seller data and  assets, and we have a robust team of security engineers responsible for maintaining a strong information  security program that is customized for Fast’s business objectives and operating architecture.  

Access Controls 

Access controls are determined by business requirements provided through formally controlled processes,  employee and contractor acknowledgment of responsibilities, as well as network, operating system, and  application controls. Fast implements user access restrictions and applies role-based access permissions.  We also use strong authentication and authorization methods including multi-factor authentication and  utilize a password manager requiring complex passwords with mandatory periodic reset.  

Bug Bounty Program 

Fast operates a bug bounty program through Bugcrowd. The security researchers are invited to join this  private bug bounty program based on their past performance on the Bugcrowd platform. A reward is  granted to the threat hunters based on the quality of the submission.  

Business Continuity and Incident Management 

Fast employs dedicated teams located in multiple geographies to support our platform and  infrastructure, and we use geographically separate data centers and cloud service provider availability  zones to facilitate infrastructure and service availability and continuity. We retain backup copies of  critical data and operate redundant and resilient systems. We regularly update software and install  security patches. Fast has an incident response plan and team.  

Data Centers and Cloud Providers 

Fast uses leading cloud service providers to ensure availability and continuity. These providers utilize an  array of security equipment, techniques, and procedures designed to control, monitor, and record  access to the facilities. We have also implemented solutions designed to protect against and mitigate  the effects of DDoS attacks. 

Fast Personnel and Physical Security 

Fast personnel are required to conduct themselves in a manner consistent with the company’s  guidelines regarding confidentiality, business ethics, authorized usage, and professional standards.  Fast conducts background checks to the extent legally permissible and in accordance with applicable  local labor law and statutory regulations. Personnel are required to execute a confidentiality agreement  and must acknowledge receipt of, and compliance with, Fast’s information security and privacy policies.  All employees participate in security and privacy training. Fast also uses physical access control  systems, including electronic physical access control and video monitoring.  

Network Security and Encryption 

Fast uses encryption in transit via strong cryptographic protocols and encrypts personally identifiable  information at rest. Fast also leverages SSL to encrypt data-in-transit between sellers and Fast, as well  as between Fast and subprocessors. Fast employs independent third parties to perform penetration  testing of Fast services and platforms hosting personal data, and Fast conducts regular vulnerability  scans. Fast implements physical protection measures for critical locations, including badging  requirements and fire detection and suppression systems.  

Partner (Vendor) Risk Assessment 

Through its partner risk assessment program, Fast performs a security and privacy assessment for all new  technologies and services prior to deployment. Fast also performs annual reviews of vendors responsible  for processing highly sensitive information. Vendors or contractors with access to Fast systems and  information are subject to the same security policies and procedures expected of our own employees. 

Payment Card Industry (PCI) Compliance  

Fast was successfully assessed as a PCI DSS Level 1 service provider. Level 1 is the highest level of  assurance a service provider can receive. Fast is committed to annual reassessments to maintain this  level of PCI compliance for its products and services. If you are using Fast’s products and services,  Fast is responsible for PCI Compliance.  

Secure Software Development Life Cycle (SSDLC) 

Fast has a dedicated application security team that performs threat hunting activities to identify security  issues as the software is tested and released. Fast uses Static Application Security Testing (SAST),  Software Composition Analysis (SCA), and Dynamic Analysis Security Testing (DAST) methods to detect the  vulnerabilities. Periodic external penetration tests are performed to identify potential code quality issues.  

Security Training and Awareness 

Fast mandates security and privacy compliance training for all new and existing employees annually. This  training program covers security concepts including acceptable use, access control best practices, and  data classification and handling of sensitive data. Engineers are trained in secure software development  practices, including OWASP Top 10. Employees are subject to disciplinary action up to and including  termination for security violations. Moreover, background checks are performed on employees prior to  starting employment with Fast.

Was this article helpful?
0 out of 1 found this helpful
Have more questions? Submit a request