Security at Factal
Last updated November 7, 2023
Factal values our members' trust and takes security very seriously. This page answers some frequently asked questions about Factal's security posture.
What security standards does Factal follow?
As of October 2023, Factal is within the observation window for SOC 2 Type II certification. We anticipate receiving our first report from our external auditor in Q1 2024.
My organization needs Factal to fill out a security questionnaire or provide documentation of Factal's policies. What should I do?
Current Factal members should contact their member success manager with any documentation requests.
Do Factal employees complete regular security training?
All Factal staff, contractors, and interns -- including our editors -- are required to complete security training and to review and accept Factal's security policies annually.
Logging into Factal
Can my organization use single sign-on (SSO) to log into Factal?
Yes! Factal can integrate with your organization's Identity Provider for SSO (SAML 2.0) login capabilities. Contact your member success manager to set up an appointment with Factal's integration team.
Can users sign in with multi-factor authentication (MFA)?
Soon! Factal anticipates making MFA available for Factal.com using an authenticator app by the end of 2023. Organization administrators will be able to opt their organizations' users into MFA.
How often do I have to log back in to Factal?
Your organization's admins can set when your Factal session expires. The setting is in the Org/Member Settings tab under Organization Settings.
Vulnerability scanning and penetration testing
How often does Factal have penetration testing conducted?
Factal contracts with third-party testers to have penetration testing conducted at least annually. A copy of the most recent report is available upon request to members and prospective members.
How often does Factal conduct vulnerability scans?
Factal conducts vulnerability scans at least quarterly. GitHub security advisories and security scanning functionality built into Factal’s CI/CD process alert team members to vulnerabilities in software dependencies.
How is Factal data encrypted?
Factal data is encrypted at rest and in transit. Data is secured at rest using AES-256 encryption. Data is secured in transit via TLS 1.2+. Encryption keys are managed by Heroku.
If you have any other questions, please email firstname.lastname@example.org.