We have a deep appreciation for the sensitivity of your data. We combine enterprise-grade security features with regular external audits to ensure it's always protected.
See Caruso in action
Learn how Caruso can help you effortlessly manage your investors and funds, whether you have $10M or $100B in AUM.
Compliance
ISO 27001 Certification
ISO 27001 is a framework for managing IT security and sets out the specification for an information security management system (ISMS) that helps keep data safe. Caruso has achieved ISO 27001:2022 certification and is audited annually to ensure ongoing compliance.
Infrastructure
Best-in-class infrastructure provider
Caruso hosts all of its data in physically secure Amazon Web Services (AWS) facilities, including 24/7 on-site security, camera surveillance, and more.
Hardened web security
Cloudflare protects Caruso’s internet-facing services from threats posed by the public internet and the dark web with the best Web Application Firewall (WAF) and DDoS protection available.
Virtual private cloud (VPC)
All of Caruso’s servers are within their own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from getting to Caruso’s internal network. Most of Caruso’s internal systems are entirely unreachable from the public internet.
Encryption
All data sent to or from Caruso is encrypted in transit using 256-bit encryption. Caruso’s API and application endpoints are TLS/SSL only and score an A rating on Qualys SSL Labs‘ tests.
Failover and disaster recovery
Caruso was built with disaster recovery in mind. Data is spread across multiple data centers and will continue to be available should any one data center fail. Disaster recovery procedures are regularly tested using real-world scenarios.
Backups and monitoring
Caruso uses granular backup solutions for databases that contain customer data. All actions taken to modify Caruso resources and infrastructure are logged and audited.
Incident response
Caruso implements a protocol for handling security events, including escalation procedures, rapid mitigation, and post-mortem.
Development
Client data separation
Caruso’s software is developed with the philosophy that each client’s data must be isolated at multiple levels. Client data is separated at storage retrieval and data transport and verified at the response gateway.
Development and change management
Software development is conducted according to a documented SDLC process, and every change is tracked with version control. Automated controls ensure changes are peer-reviewed and pass extensive automated test suites before delivery.
Dedicated development and test resources
Caruso does not test on client data, period. Caruso operates dedicated development and testing environments.
Automated test suites
Caruso’s engineering team maintains a robust suite of automated tests to identify defects early in the software development lifecycle.
Penetration tests, and vulnerability scanning
Caruso uses third-party security tools to continuously scan for vulnerabilities. Caruso engages third-party security experts to perform detailed penetration tests on the Caruso application and infrastructure on a recurring basis and upon infrastructural upgrades.
People
Restricted access to data
Access to client data is limited to authorized employees who require it for their job. Caruso is entirely served over HTTPS. There are no corporate resources or additional privileges from being on Caruso's network.
Audited employee access logs
Access to investor and transaction information by Caruso employees is recorded and audited.
Continuous security training
All employees complete annual security awareness training.
Employee vetting
Caruso performs criminal background checks on all new employees.
Confidentiality
All employee contracts include a confidentiality agreement.
Corporate policies
Caruso has developed a comprehensive set of security policies covering various topics, including the ones mentioned on this page. These policies are updated frequently and shared with all employees.
