IT Compliance & Security

Impexium understands the importance of maintaining a secure and compliant environment.

We use a variety of controls to prevent misuse of information within our environment. Our compliance program incorporates risk-based control reviews, annual internal and external audits, third-party contract and vendor management efforts, and provider compliance assessments to ensure continued compliance with regulatory requirements.

Security program

Our Security Program is designed to restrict access across the entire network environment. Impexium undergoes rigorous control reviews and audits annually to ensure the security of our platforms. Our security program protects our system accounts and network environment through a layered approach. While no environment is 100% secure, we take precautions to protect the systems and data entrusted to us.

IDENTIFY

  • Suite of monitoring and security tools to secure our environments.
  • Risk Management Assessment completed annually to assess our overall company risk.

PROTECT

  • Next generation firewalls and web application firewalls.
  • Next generation anti-virus and malware/ransomware protection.
  • Daily operations monitoring and alerting.
  • Network segmentation.
  • Multi-factor authentication (MFA).
  • Annual cyber/AML/fraud training.

DETECT

  • SIEM/MDR monitored 24/7 by a third-party.
  • Quarterly vulnerability scanning by a third-party.
  • Bi-annual penetration testing.
  • Various third-party monitoring tools and dashboards.

RESPOND

  • Security Incident Response Plan in place.
  • Trusted resources for cyber intelligence and support.
  • Forensics teams available as needed.

RECOVER

  • Daily backups/cloud storage.
  • Replication services in Azure.
  • Cyber insurance.
  • Business Continuity Program in place.

Software platform & data security standards

We are committed to protecting your privacy and the confidentiality of your personal information. We understand the potential impact on our clients if member data or payment information were to be breached and we work hard to ensure the highest level of security in our industry.

SOC 1, TYPE 2 AUDIT

Impexium undergoes an annual SOC 1, Type 2 audit by an independent accounting firm. The purpose of this audit is to validate the design and operating effectiveness of internal controls relating to financial reporting.

PCI DSS SAQ-D ATTESTATION

Impexium also completes an annual PCI DSS SAQ-D Attestation of Compliance. This detailed assessment demonstrates our focus on safeguarding electronic card data that Impexium stores, processes, and transmits. Impexium also utilizes third-party gateways that are PCI Level 1-compliant.

Hosting services

Impexium uses a cloud environment to provide a fully redundant, fault-tolerant, scalable platform. Our cloud platform is built on state-of-the-art technology provided by our partners. Impexium uses Microsoft Azure for its managed IT operations and application hosting.

Our engineers keep their skills current and stay aware of the newest features and options available. We maintain a robust lab environment where we evaluate new technology for applicability and suitability for adoption. We maintain partnerships with architects and engineers that allow us to adopt modern technology quickly without unnecessary risk.

Technical Support, Operations & Disaster Recovery Capabilities


Technical Support & Operations

Impexium maintains direct support relationships with our software vendors. We do not engage channel partners for support unless required by the vendor. We have named contacts with second-level support for all of our critical software platforms. Our engineers and architects maintain up-to-date training. The entire support team receives up-to-the-minute notifications of health events and alerts that affect the stability of the system. Our rapid response team reacts with an all-hands-on-deck mentality when unexpected events occur. Our extensive monitoring platform gives our support team up-to-the-minute awareness of the health of our systems.

Our operations philosophy is fast paced with a focus on stability and performance. Every configuration change or code deployment is evaluated for security and impact based on an established process of rigorous testing and in-depth peer review. Every change is created in our development environment and test deployed in staging before being approved for production. Our Quality Assurance team weighs in on every major change before implementation.

Disaster Recovery

All critical data is stored on highly redundant, highly performant storage systems that are monitored for stability, tuned for performance, and configured to tolerate multiple failures of individual components. All data and system files are automatically backed up on a regular basis to minimize the risk of data loss and enable recovery with minimal downtime. Backups of the database, network and file shares, and servers are scheduled daily. Differentials are backed up every two hours. Weekly full SQL backups are performed with native SQL backup tooling, in addition to 5-minute transaction log backups. Backed-up data is appropriately secured and not accessible to unapproved users. Data and configuration files required to provide service continuity in case of a site failure are synchronized daily to our secondary sites to minimize downtime in case of unforeseen disaster.

Impexium leverages a multi-tiered backup retention methodology to provide varying levels of recoverability. We have secure copies of backups maintained in the Azure cloud environment.
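A backup schedule is only as good as its adherence, so a practitioner reviewing a cadence like the one above (weekly full, two-hourly differential, five-minute transaction log) would want a way to confirm it from the backup history itself. The query below is an added example, not Impexium's own tooling; it assumes SQL Server (where native backups are recorded in msdb.dbo.backupset, with type codes D = full, I = differential, L = log) and uses the hypothetical database name AppDb. It flags every gap between consecutive backups of the same kind that exceeds the stated cadence, and then reports how stale the latest backup of each kind is, which is the current recovery-point exposure.

```sql
-- Added example (not Impexium's own tooling): check that the stated backup
-- cadence is actually met, using SQL Server's msdb backup history.
-- Assumptions: SQL Server, msdb.dbo.backupset populated by native backups,
-- and a hypothetical database named 'AppDb'.
-- Allowed gaps mirror the page: weekly full (D), 2-hour differential (I),
-- 5-minute transaction log (L).
DECLARE @db    sysname  = N'AppDb';                        -- hypothetical name
DECLARE @since datetime = DATEADD(DAY, -30, SYSDATETIME()); -- review window

WITH hist AS (
    SELECT database_name,
           type,
           backup_finish_date,
           -- previous backup of the same kind for this database
           LAG(backup_finish_date) OVER (PARTITION BY database_name, type
                                         ORDER BY backup_finish_date) AS prev_finish
    FROM msdb.dbo.backupset
    WHERE database_name = @db
      AND backup_finish_date >= @since
      AND type IN ('D', 'I', 'L')
),
gaps AS (
    SELECT database_name, type, prev_finish, backup_finish_date,
           DATEDIFF(MINUTE, prev_finish, backup_finish_date) AS gap_minutes,
           CASE type
                WHEN 'D' THEN 7 * 24 * 60   -- weekly full
                WHEN 'I' THEN 120           -- 2-hour differential
                WHEN 'L' THEN 5             -- 5-minute log
           END AS allowed_minutes
    FROM hist
    WHERE prev_finish IS NOT NULL
)
-- Every row returned here is a schedule miss: a gap wider than the cadence.
SELECT database_name,
       CASE type WHEN 'D' THEN 'full'
                 WHEN 'I' THEN 'differential'
                 WHEN 'L' THEN 'log' END AS backup_kind,
       prev_finish,
       backup_finish_date,
       gap_minutes,
       allowed_minutes
FROM gaps
WHERE gap_minutes > allowed_minutes
ORDER BY backup_finish_date DESC;

-- Current exposure: minutes since the most recent backup of each kind.
-- A large value on the 'L' row means the effective RPO is worse than 5 minutes.
SELECT database_name,
       type,
       MAX(backup_finish_date) AS last_backup,
       DATEDIFF(MINUTE, MAX(backup_finish_date), SYSDATETIME()) AS minutes_since
FROM msdb.dbo.backupset
WHERE database_name = @db
  AND type IN ('D', 'I', 'L')
GROUP BY database_name, type
ORDER BY type;
```

In practice operators add a small tolerance to allowed_minutes so that normal job jitter does not register as a miss, and schedule the first query to run from the same monitoring platform that raises alerts, so a silently failing log-backup job surfaces as an alert rather than as a surprise during a restore.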

Network Security

The Microsoft Azure cloud platform provides a highly reliable and secure service to our customers. Azure provides packet-filtering firewalls at the individual network adapter level and at the network and subnet levels. Administrative access to the systems is restricted to authorized personnel. Web Application Firewalls (WAF) are also in place to provide higher-layer, more intelligent protection against more sophisticated attacks.

Impexium deploys a managed 24/7 SIEM/MDR that extends our risk management profile by using threat hunting, machine intelligence, and anomalous behavior detection to identify, detect, and prioritize any threat to the environment. Our SOC team is immediately alerted to any vulnerability or cyber threat and provides a clear path to response and eradication as required.

Remote access to production and development environments is restricted to authorized staff and secured via an encrypted VPN using multi-factor authentication. Administrative access to the VPN is restricted to authorized personnel.

Physical Security

Access to Impexium’s physical location in Virginia is secured and restricted to authorized personnel.

Compliance

The Compliance team is committed to aligning compliance efforts to ensure the security, quality, and efficiency of all systems and customer information. The team works to prevent, detect, and respond to business conduct that is inconsistent with the organization’s values, as well as regulatory requirements.

Our regulatory and security compliance efforts are periodically reviewed and enhanced.
Using a risk-based approach, the team evaluates internal controls across the organization to ensure alignment with PCI DSS, SOC 1, Type 2 control requirements, and soon, SOC 2, Type 1 requirements.
The team monitors organizational controls for federal, state, and other country regulatory requirements.

Let Us Show You What's Possible With Impexium

Trade associations, professional societies, and non-profits of all sizes have transformed their businesses and exceeded member expectations with Impexium’s membership management software. Request a personalized demo today.