Security & Compliance

Amalgam is SOC 2 compliant. Our most recent Type 2 audit report was completed in March 2025. For more information on our security stance and audit history, please see our Trust Center.

Amalgam's management team establishes policies and controls for the handling of sensitive data by Amalgam team members. We monitor compliance with those controls and prove our security and compliance to third-party auditors.

Exclusion of Financial Data

Amalgam's application processes financial data in memory, but financial data is never stored in our database. This ensures that ownership of financial information remains unchanged, and privacy is enforced at the highest level.

Data Encryption

All datastores with customer data are encrypted at rest. Sensitive data elements such as access tokens are further encrypted by our application. Amalgam uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks, along with HSTS to maximize security of data in transit. Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.

Vulnerability Scanning

Amalgam's codebase undergoes regular vulnerability scanning, with any potential sources of exposure immediately triaged and mitigated.

Endpoint Protection

All corporate devices are centrally managed and equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.

Secure Remote Access

Amalgam secures remote access to internal resources using NordLayer, a modern VPN platform. All administrative access to our application must pass through verified IP addresses.

Vendor Security

Amalgam regularly reviews its vendors and assigns them a score based on their access level, potential for exposure, and potential for business interruption. Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision.

Security Education

Amalgam provides comprehensive security training to all employees upon onboarding and annually through educational modules within Vanta, our security compliance software.

Identity and Access Management

Amalgam employees are granted access to applications based on their role, and are automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.
