Security & Compliance

Updated: 2026-05-30

Banking-Grade Security

DiBlanco Premier™ CRM is engineered with strong security hardening, the same standards used by banking and federal systems. Every layer of the platform is designed to protect your data and your clients' sensitive information.

Encryption

  • At Rest: AES-256-GCM encryption for all sensitive data in the database
  • In Transit: TLS 1.3+ enforced, HTTPS-only, no mixed content
  • Backups: AES-256-CBC + PBKDF2, encrypted storage, 14-day retention
  • Key Management: All keys stored outside the webroot, never hardcoded, rotated regularly

Authentication & Access Control

  • Passwords: Argon2id hashing (never bcrypt or MD5)
  • MFA (Multi-Factor Authentication): Mandatory for all users. Options: email, SMS, authenticator app, biometric
  • RBAC (Role-Based Access Control): Granular permissions, employees see only assigned clients and modules
  • Session Hardening: Secure cookies (HttpOnly, Secure, SameSite=Strict), rotation every 30 minutes, CSRF protection
  • Rate Limiting: 5 failed attempts per hour per session, automatic lockout

Audit Logging

  • HMAC-Chained Logs: Every critical action logged with HMAC-SHA256 chaining to prevent tampering
  • Retention: 7 years of audit logs, daily rotation, immutable storage
  • No PII in Logs: Sensitive data never logged, only action types and timestamps
  • CLI Verification: Tools to verify log integrity and detect tampering

Network Security

  • HTTPS Enforcement: Redirect + HSTS preload, TLS 1.3 minimum
  • CSP (Content Security Policy): Strict, 'self'-only, no external dependencies
  • WAF (Web Application Firewall): ModSecurity + Fail2Ban
  • DDoS Protection: Rate limiting, connection throttling, automated blocking
  • No External Dependencies: All critical functions self-hosted (MFA, email, security monitoring)

Compliance Certifications

  • IRS Circular 230: Authorized to practice before the IRS
  • GLBA (Gramm-Leach-Bliley Act): Financial data protection and privacy
  • GDPR (General Data Protection Regulation): EU data protection and privacy
  • CCPA (California Consumer Privacy Act): California resident data rights
  • HIPAA (Health Insurance Portability and Accountability Act): Healthcare data protection (where applicable)
  • PCI-DSS (Payment Card Industry Data Security Standard): Payment card data protection
  • SOC 2 (Service Organization Control 2): Security, availability, processing integrity, confidentiality, privacy
  • ISO 27001: Information security management system
  • NIST SP 800-63B: Authentication and lifecycle management
  • Florida Statutes §501.171 & §213.21(3)(a): Florida data protection and privacy laws

Data Protection

  • No Public Display of Sensitive Data: Client counts, employee counts, addresses, and confidential information are never displayed in public-facing UI
  • Encrypted Storage: All PII columns encrypted at the database level
  • Access Controls: Only SuperAdmin can delete data. All deletions logged and auditable
  • Backup & Disaster Recovery: Automated encrypted backups, tested recovery procedures, 14-day retention

Incident Response

  • 24/7 Monitoring: Self-hosted monitoring and alerting, no third-party dependencies
  • Rapid Response: Incident response team on-call, documented procedures, post-incident reviews
  • Communication: Transparent, timely notification of any security events
  • Remediation: Root cause analysis, immediate fixes, preventive measures

Security Updates & Patches

  • Regular Updates: Security patches applied within 24 hours of availability
  • Automated Monitoring: Self-hosted bots monitor vulnerabilities and apply updates
  • Testing: All updates tested in staging before production deployment
  • Zero-Downtime Deployments: Atomic updates with rollback capability

Your Responsibility

While we handle security at the platform level, we ask that you:

  • Use strong, unique passwords and enable MFA for all users
  • Keep your devices and software updated
  • Report suspicious activity immediately
  • Follow our security best practices and training
  • Maintain confidentiality of your login credentials

Questions or Concerns?

If you have security questions, concerns, or want to report a vulnerability, please contact our security team immediately. We take security seriously and appreciate responsible disclosure.