Security & Privacy

Privacy is at the core of what we do.
A GDPR-compliant Data Protection Agreement is signed between Figures and every participant. Anonymous data is collected, stored (in Europe) and processed in accordance with the GDPR. Your data is safe with us.
The objectives for information security at Figures are the following:
Protect the confidentiality, integrity, availability and traceability of information, systems, facilities and people.
Ensure the people, processes and systems at Figures are trustworthy by ensuring:
  • Information is disclosed only to authorized parties
  • Information is altered by only authorized parties
  • Information is available to authorized parties when needed.
Maintain compliance with applicable legal, regulatory and contractual requirements that are related to information security.
Deliver information security primarily driven by risks, standards based and independently verified.
More information about your data security:
All the materials on Figures' Website are provided "as is". Figures makes no warranties, whether express or implied, and disclaims all other warranties. Furthermore, Figures does not make any representations concerning the accuracy or reliability of the use of the materials on its Website or otherwise relating to such materials or any sites linked to this Website.
We conduct the following application security measures:
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually.
Establish, document and maintain baseline requirements for securing different applications.
Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations.
Define and implement an SDLC process for application design, development, deployment and operation in accordance with the security requirements defined by the organization.
Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible.
Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.
Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.
We conduct the following business continuity and operational resilience measures:
Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures.
Review and update the policies and procedures at least annually.
Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite.
Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.
Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes.
Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards.
We conduct the following cryptography, encryption and key management measures:
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually.
Define and implement cryptographic, encryption and key management roles and responsibilities.
Provide cryptographic protection to data at rest and in transit, using cryptographic libraries certified to approved standards.
Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.
Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.
Generate cryptographic keys using industry-accepted cryptographic libraries, specifying the algorithm strength and the random number generator used.
Manage cryptographic secret and private keys that are provisioned for a unique purpose.
Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.
We conduct the following data security and privacy measures:
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.
Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means.
Create and maintain a data inventory, at least for any sensitive data and personal data.
Classify data according to its type and sensitivity level.
Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change.
Develop systems, products, and business practices based upon a principle of security by design and industry best practices.
Develop systems, products, and business practices based upon a principle of privacy by design and industry best practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and regulations.
Define, implement and evaluate processes, procedures and technical measures that ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope as permitted by the respective laws and regulations.
Define and implement processes, procedures and technical measures to enable data subjects to request access to, modification, or deletion of their personal data, according to any applicable laws and regulations.
Obtain authorization from data owners, and manage associated risk before replicating or using production data in non-production environments.
Data retention, archiving and deletion are managed in accordance with business requirements and applicable laws and regulations.
Define and implement processes, procedures and technical measures to protect sensitive data throughout its lifecycle.
Define and implement processes, procedures and technical measures to specify and document the physical locations of data, including any locations in which data is processed or backed up.
We conduct the following human resources and acceptable-use measures:
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining allowances and conditions for the acceptable use of organizationally-owned or managed assets. Review and update the policies and procedures at least annually.
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures that require unattended workspaces to not have openly visible confidential data. Review and update the policies and procedures at least annually.
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect information accessed, processed or stored at remote sites and locations. Review and update the policies and procedures at least annually.
Establish and document procedures for the return of organization-owned assets by terminated employees.
Establish, document, and communicate to all personnel the procedures outlining the roles and responsibilities concerning changes in employment.
Employees sign the employee agreement prior to being granted access to organizational information systems, resources and assets.
Figures includes within its employment agreements provisions and/or terms requiring adherence to established information governance and security policies.
Document and communicate roles and responsibilities of employees, as they relate to information assets and security.
Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements reflecting the organization's needs for the protection of data and operational details.
Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates.
Provide all employees who have access to sensitive organizational and personal data with appropriate security awareness training and regular updates on the organizational procedures, processes and policies relating to their professional function within the organization.
Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
We conduct the following identity and access management measures:
Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually.
Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.
Manage, store, and review the information of system identities, and level of access.
Employ the separation of duties principle when implementing information system access.
Employ the least privilege principle when implementing information system access.
Define and implement a user access provisioning process which authorizes, records, and communicates access changes to data and assets.
De-provision or modify access for movers and leavers, and for system identity changes, in a timely manner, so that identity and access management policies are effectively applied and communicated.
Review and revalidate user access for least privilege and separation of duties with a frequency that is commensurate with organizational risk tolerance.
Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated.
Define and implement an access process to ensure privileged access roles and rights are granted for a time-limited period, and implement procedures to prevent the accumulation of segregated privileged access by a single identity.
Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high risk (as defined by the organizational risk assessment) privileged access roles.
Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all users, including those with write access and privileged access roles, and that the ability to disable it is controlled through a procedure that ensures segregation of duties and break-glass handling.
Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs.
Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, applications and data assets, including multifactor authentication for at least privileged users and sensitive data access. Adopt digital certificates, or alternatives that achieve an equivalent level of security, for system identities.
Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.
Define, implement and evaluate processes, procedures and technical measures to verify access to data and system functions is authorized.
We conduct the following logging and monitoring measures:
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring. Review and update the policies and procedures at least annually.
Define, implement and evaluate processes, procedures and technical measures to ensure the security and retention of audit logs.
Identify and monitor security-related events within applications and the underlying infrastructure. Define and implement a system to generate alerts to responsible stakeholders based on such events and corresponding metrics.
Restrict audit logs access to authorized personnel and maintain records that provide unique access accountability.
Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies.
Use a reliable time source across all relevant information processing systems.
Establish, document and implement which information, metadata and system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment.
Generate audit records containing relevant security information.
The information system protects audit records from unauthorized access, modification, and deletion.
Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls.
Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys.
Monitor and log physical access using an auditable access control system.
Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party.
We conduct the following endpoint security measures:
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints. Review and update the policies and procedures at least annually.
Define, document, apply and evaluate a list of approved services, applications and sources of applications (stores) acceptable for use by endpoints when accessing or storing organization-managed data.
Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications.
Maintain an inventory of all endpoints used to store and access company data.
Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data.
Configure all relevant interactive-use endpoints to require an automatic lock screen.
Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes.
Protect information from unauthorized disclosure on managed endpoint devices with storage encryption.
Configure managed endpoints with anti-malware detection and prevention technology and services.
Configure managed endpoints with properly configured software firewalls.
Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in accordance with a risk assessment.
Enable remote geo-location capabilities for all managed mobile endpoints.
Define, implement and evaluate processes, procedures and technical measures to enable the deletion of company data remotely on managed endpoint devices.
Define, implement and evaluate processes, procedures and technical and/or contractual measures to maintain proper security of third-party endpoints with access to organizational assets.