Our due diligence to assure all data is secure
1. What Borrower Data (Especially PII) Do We Use and Store?
We use and store the following borrower data:
- Loan info: Borrower & Co-Borrower Phone & Email and the previous loan’s qualifying credit score. Everything else is essentially public record information (a full list of fields is included below)
-
We do not use or store:
- Loan Pricing: We pull scenario-based pricing using minimal input fields and retain only the rate and pricing table for each scenario.
2. How Will That Data Be Transmitted?
The system will provide a secure authentication key (client ID, client secret) to pull the data over our secured network (SSL/TLS).
3. How That Data Will Be Stored? How Is It Kept Secure?
We are following industry standard best practices to store and secure the data. Here is the list of some major practices:
- The data will be stored using the Microsoft SQL server's inbuilt mechanism. We will be storing data using SQL server authentication through a strong password policy.
- All communication between the application and database will be secured on the network level using SSL/TLS.
- All data-sensitive data will be encrypted before storing into the database
- Role-Based Access Control (RBAC): We will be using roles to grant permissions based on job functions.
- Principle of Least Privilege: We will grant users the minimum permissions necessary to perform their jobs
- Regular Backups and Secure Storage. All backups will be encrypted using Backup Encryption.
- The backups will be stored in a secure location and with restricted access.
- We will be using SQL Server Audit to track and log events related to database activity.
- Dynamic Data Masking will be configured to obscure sensitive data in query results without modifying the actual data in the database.
- The physical server will be in a secure, access-controlled environment. A log will be maintained of physical access to the servers.
4. What Happens in a Breach?
Since we are using secure communication at all levels, it is very unlikely to have a data breach. However, we are prepared to handle any adverse situation as well using below steps:
-
Containment:
- Disconnect the Server: Immediately isolate the compromised SQL Server from the network.
- Block Suspicious Accounts: Disable accounts that may have been compromised.
-
Assessment:
- Log Review: Analyze SQL Server logs to identify unauthorized access patterns and compromised data.
- Data Check: Verify the integrity of the data and identify any altered information.
-
Remediation:
- Patch Vulnerabilities: Apply necessary patches to SQL Server and related applications.
Loan related data fields that are used and stored:
| LO Autopilot |
| Borrower Last Name |
| Borrower First Name |
| Borrower Phone |
| Borrower Cell Phone |
| Borrower Email |
| Borrower Credit Score |
| Borrower Veteran Status |
| Borrower Veteran 1st Time Use |
| Borrower FF Exempt |
| Co-Borrower Last Name |
| Co-Borrower First Name |
| Co-Borrower Phone |
| Co-Borrower Mobile Phone |
| Co-Borrower Email |
| Occupancy |
| Subject Property Address |
| Subject Property City |
| Subject Property State |
| Subject Property Zip |
| Subject Property County |
| Subject Property Type |
| Subject Property # Units |
| Appraised Value |
| Loan Number |
| Loan Type |
| Loan Purpose |
| Lien Position (1st or 2nd) |
| Note Rate |
| Total Loan Amount |
| Loan Term |
| Monthly P&I |
| Monthly PMI |
| Monthly Taxes |
| Monthly Insurance |
| Total Monthly PITI & PMI |
| Closed Date |
| 1st Payment Date |
| Bank Name |
| Branch Name |
| Loan Officer |