Security & Data Privacy at Valon
Valon Mortgage is serious about security. Valon’s engineering team develops servicing technology with your security in mind, so as to be truly resistant to today’s sophisticated attacks. In addition, Valon’s Platform Engineering team diligently monitors the changing regulatory landscape to ensure our privacy-by-design infrastructure stays compliant.
For more information about our privacy policy, please visit valon.com/privacy-policy.
Security Standards Compliance
Valon holds a SOC 2 Type 2 Certification, renewed annually via independent audit. This standard, created by the American Institute of Certified Public Accountants (AICPA), covers "Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy."
Data Retention
User and employee data may be stored for as long as it is necessary to perform the relevant service. As soon as the relationship between the service provider and the customer or the employee and the employer ends, the data must be disposed of as soon as reasonably possible.
Data Disposal
Valon chooses Google Cloud Platform (GCP) as GCP has detailed instructions on how long data is kept for after a deletion request has been issued by the customer. Fast deletion needs to be balanced with data durability. GCP fortunately published a Data Deletion Whitepaper to make sure customers are well educated that GCP takes a principled approach to the storage and deletion of Customer Data. According to Google, each data center adheres to a strict disposal policy and uses the techniques described to achieve compliance with NIST SP 800-88 Revision 1 “Guidelines for Media Sanitization” and DoD 5220.22-M “National Industrial Security Program Operating Manual.”
Notification of Data Breach
To comply with global privacy standards set forth by the California Consumer Privacy Act, or the European Union General Data Protection Regulation, Valon takes a principled and diligent approach towards notification of data breaches.
Data breach is defined as disclosure of Personal Information that is otherwise Non-Public-Information. Data breach of Personal Information happens when one of the following occurs:
- Disclosure of unencrypted Personal Information such as (first name, last name, SSN, government issued card number, bank account information, password)
- Disclosure of encrypted Personal Information such as (first name, last name, SSN, government issued card number, bank account information, password) along with the disclosure of the encryption key.
In the unlikely event of a data breach, Valon will assess the affected systems and individuals, notify affected individuals of a data breach in the most expedient time possible and without unreasonable delay. Generally, this should happen with 72 hours of knowledge of the data breach.
The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the following information: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.
How We Keep Valon Secure
At Valon, we’re committed to serving our customers with respect and accuracy. Due to the complex nature of financial regulations, we are very thorough in determining the features that provide the most value to our customers. In order to accomplish this, we have a strict workflow that dictates our product development.
First, we comb through federal, state, and agency regulations. This research is translated into a policy manual that contains everything that Valon plans to implement in response to these regulations. The policy document is then signed off by the servicing regulation team.
The PRD is then translated into an execution tracking mechanism known as the Objective & Key Results (OKR). OKRs are well-proven mechanisms for laying out a complete set of product features.
Each step is transparently linked to the last and validated by an expert in the field.
Prevention of Insider Risk
Valon takes steps to reduce and mitigate against insider risks. Valon uses Cloud Audit Logs available from Google Cloud Platform (“GCP”) to monitor “Who did what, when, and where?” in Valon’s GCP instance. This prevents monitors for unauthorized access of customer information and allows for a real-time intrusion detection system.
Usage of Cloud Audit Logs also prevents unauthorized exfiltration of company IP/user data.
How Is My Data Protected?
Your confidentiality is important to us. In the section below, we list a number of ways your data is protected by Valon.
Use of “always on VPN”
Valon Technologies, Inc. adopts the BeyondCorp Zero Trust security model for our web site.
Encryption in transit
All communication within Valon’s platform is encrypted by industry-leading cryptographic protocols like TLS 1.2+ using the strongest available encryption scheme supported by your browser such as 128-bit or 256-bit keys.
Encryption at rest
Data within Valon’s platform is protected by Google Cloud’s encryption at rest.
Security training
- Use strong passwords that are tough to crack.
- Use password-activated screensaver when not physically with their computer.
- Make sure the company device laptop/cellphone/desktop are stored in a secure location and locked.
Need-to-know
All employee and user data is designated on a need-to-know basis. Viewing of user or other employee’s nonpublic personal information is prohibited and audited. Doing so without proper business justification is fireable behavior, in addition to potential legal actions.
Two-person integrity approach
Any change to Valon proposed by an engineer is first reviewed and approved by a different engineer before deployment.
Annual penetration tests
Valon brings in third parties annually to perform penetration tests and provide insights.
Google Cloud Computing
Since our service is built on top of and hosted on Google’s Cloud Computing platform, we inherit many security features from them. You can see more about this here.
Responsible disclosure
Valon offers legal safe harbor for bug discovery in alignment with the below qualifications.
Valon Vulnerability Disclosure Policy
Valon welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, what you can expect from us.
Systems in Scope
This policy applies to any digital assets owned, operated, or maintained by Valon.
Out of Scope
- Assets or other equipment not owned by parties participating in this policy.
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
Our Commitments
When working with us, according to this policy, you can expect us to:
- Use strong passwords that are tough to crack.
- Use password-activated screensaver when not physically with their computer.
- Make sure the company device laptop/cellphone/desktop are stored in a secure location and locked.
Our Expectations
In participating in our vulnerability disclosure program in good faith, we ask that you:
- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- You should only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.
Official Channels
Please report security issues via security@valon.com, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.
Safe Harbor
When conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:
- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.
Maintaining Access Control
Our users entrust us with their personal information (“User Data”), which includes but is not limited to name, address, phone number, credit card number, loan number, social security number. We in turn, have the obligation to not only fulfill the responsibility of providing the service (“Service” - at time of writing, this refers to servicing of mortgages), but do so in a way that ensures the highest level of security standards. For information about our privacy policy, please visit valon.com/privacy-policy.
Definitions
FTE
Valon Full Time Employee
TVC
Other people may have access to Valon systems and data, including TVCs (temps, vendors, and contractors), and others who may be temporarily assigned to perform work or services for Valon. We use the term “TVC” to include all non-FTE on such an assignment regardless of their access to Valon systems and data.
NPI
“Nonpublic personal information” (NPI). NPI is any “personally identifiable information” that Valon collects about an individual, unless that information is otherwise “publicly available.”
Requirements
Every FTE and TVC is responsible for Valon’s security and user privacy and must follow Valon’s security and privacy policies, guidelines, and procedures. When Valon’s Security and Privacy Policies do not address a given situation, FTEs and TVCs are expected to use common sense in keeping Valon secure and user data private. To assist FTEs and TVCs in meeting this responsibility, Valon maintains an appointed Chief Trust and Safety Officer (“CTSO”) that provides guidance on security matters.
Due to the importance of protecting Valon’s assets, including intellectual property, equipment, customer information, and reputation, all Valon business practices must comply withValon security policies.
Valon’s resources, such as buildings, services, systems, networks, and data, are provided primarily for business purposes, and access to them is granted on that basis. Valon will strike an appropriate balance between the ease with which FTEs and TVCs can get their work done and the security risks to the company.
FTEs and TVCs must not attempt to bypass access control mechanisms (such as locks, passwords, encryption, and access control lists) to accessValon resources, but should seek authorization from the appropriate party.
If data should be protected and is not, FTEs and TVCs are expected to apply appropriate access controls according to the Valon Security & Privacy Policies, or inform the standing CTSO. FTEs and TVCs who discover security issues are expected to report them to the responsible parties who are then required to make the necessary improvements. At time of writing, this is either the CTSO, or those reporting to the CTSO.
Lastly, Valon will review and, when necessary, adjust its policies over time as the company evolves, and to use industry best practices where applicable. Changes to security policies should be announced appropriately.
Any questions?
We’re here to talk. Contact Valon any time through the following channels:
