Security and Compliance
Movius follows the highest industry standards to ensure that you can trust us with your most critical data.
- We understand the importance of information security, including cybersecurity, to protect against external threats and malicious insiders.
- Our cybersecurity strategy prioritizes detection, analysis and response to threat intelligence, cyber risks, and malicious activity.
- We continuously strive to meet or exceed the industry’s information security best practices and apply controls to protect our clients and the infrastructure of the company.
- Our information security management program is built to comply with the ISO 27001 framework.
- The security controls for the Movius platform annually undergo SOC 2 Type 2 examination against AICPA defined standards.
- All data is encrypted in transit and at rest.
- Your data is protected using FIPS 140-2 Level 3 compliant HSMs and customer owned encryption keys.
- Storage is compliant with:
- Federal Information Processing Standard (FIPS) Publication 140-2
- Federal Information Security Management Act (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry (PCI)
- Basel II
- California Security Breach Information Act (SB 1386)
- EU Data Protection Directive 95/46/EC
- SAST and DAST are performed for every maintenance and general release.
- Manual Penetration testing is performed annually.
- Bi-weekly vulnerability scan is performed by in-house security experts.
- Movius performs daily backups of production data that is only used to minimize data loss in the event of a disaster.
- Production data is immediately written to an independent 2nd database which is either at the same location for single site installations or at a second data center in geo-redundant configurations.
- We complete re-certification and surveillance audits annually.
Manage Users and Admins
- All activities by Admins in Management Portal and Developers using the API are logged in Admin logs.
- Full search functionality helps you quickly track down activities of interest, including:
- Log in
- Adding, deleting, or viewing an account
- Viewing or downloading a report
- Viewing or downloading data
- You can also set up alerts for activities, such as password changes and deleted accounts. See Manage Alerts
- Admins have complete control over user access to MultiLine app. It’s possible immediately suspend or delete a user account from Management Portal to remove access to the application.
- Calls to a MultiLine number from a deleted account can automatically forwarded, tagged for a specific use or organization, or made generally available.
- Call or message recording is set by admins and does not allow users to turn the feature on or off, preventing any circumventing of your recording policies.
- You can apply any policies from your Enterprise Management solution to the MultiLine application.
- Apply corporate authentication and password requirement policies to MultiLine applications.
- Enforce using MultiLine applications when using corporate apps, including phone number links and conference codes.
- Restrict copy and paste, screenshots, and more from MultiLine to outside apps.
- We ensure ongoing compliance with the General Data Protection Regulation (GDPR).
- Users can clearly see what data is shared and have the option to opt in or out of sharing their personal data.
- You may cancel with us at any time by contacting our Customer Success team.
- We will work with you to offload your data and then securely remove your data from the platform.
Yes, Movius MultiLine enables compliance with MiFID II and FCA COBS 11.8, including the requirement to produce all communications related to a trade upon the request of a regulator, including mobile calls and texts, no matter whether the phone is corporate or privately owned. It brings the compliance, retention, archiving and eDiscovery capabilities that banks require while easily capturing, recording, storing and analyzing mobile voice and text communications.
Yes. Despite firms’ resistance to monitoring text communications, the reality is the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) require that electronic communications used for business purposes are archived and supervised—including text messages.
Key points from the Notice include:
- Recordkeeping: Firms are reminded of their obligation to keep records of business communications under SEC Rule 17a-4(b)(4). Also, firms must train and educate their advisors regarding the distinction between business and personal communications, and the requirements to retain, supervise, and produce business communications.
- Text messaging: Firms that communicate or allow advisors to communicate through text messaging or chat services for business purposes must retain records of those communications, in compliance with SEC and FINRA rules.
MultiLine offers built-in capturing capabilities for all MultiLine texts at an enterprise scale. This happens automatically in the cloud and never requires end-user action.
Yes, MultiLine provides HIPAA-compliant texting and calling through a separate mobile phone number, allowing secure communication between caregivers and patients.
- Capture patient consent from text messages through an automated workflow. All patient consent is captured and available as a report in the Management Portal.
- Identify PHI related keywords and information to redact or block completely from being shared in text messages.
- Secure communication of PHI between caregivers and patients, with Cloud Data Storage that is HITECH and HIPAA Certified. All communication data is TLS 256-bit AES encrypted at rest and in transit.
Yes, it complies with GDPR imperatives including privacy by design, explicit consent, data breach notification, and subject access rights.
Yes. We understand that in highly regulated industries – there are often requirements to capture client opt-in or for the client to enroll in order to text with their advisor. We offer this feature and can configure it according to your company’s needs.
Yes. Contact your Customer Success Representative to receive this document.
The document covers access control, database control, data encryption, penetration testing, and vulnerability scanning policies.
Yes. We provide this process to you as part of the contract as well as contact information for our security team.