Last updated May 13, 2021
Circulus Security Policy
The Circulus Security Policy applies to the security policies, safeguards and procedures as implemented throughout the Circulus web application housed on app.circulus.io. The terms "Circulus," "we," "us," and "our" in this document refer to Circulus and its affiliates or subsidiaries that link to this document. Circulus recognizes that protecting our customers' data is a fundamental and paramount priority, and the details below outline our security and access controls in place to ensure the highest levels of online security:
- The site is hosted on cloud servers, to which only approved internal personnel are granted access on a limited and role-based basis. Access to these servers is approved by multiple Circulus department heads. All system access is removed immediately upon employee separation or within 90 days when an employee role changes. Access to physical assets is restricted to authorized personnel only.
- All customer and vendor data is stored with a unique identifier, and is accessible solely from within the Circulus application. Only after successful login is the customer and vendor data visible to the corresponding user. Our internal technical and support team may access customer data in order to resolve user issues and assist with user requests.
- The Circulus servers are hosted at an SSAE 16 SOC 1 Type II level facility, with complete infrastructure monitoring and management administered by the third-party service provider. All network and system-level vulnerabilities are addressed in a timely manner, according to vendor service level agreements (SLA). Any issues with custom-built software are managed and addressed directly by internal technical support.
- For security purposes, sensitive information is encrypted prior to saving it in the Circulus databases. Only upon a successful account login of a verified and legitimate user is the data decrypted for access.
- Only users with admin privileges are permitted to utilize the bank account integration capabilities of the Circulus platform.
- Password strength requirements include an 8-character minimum, including at least 1 alpha, 1 numeric and 1 special character for the Circulus SMB platform. For the Enterprise platform, the password policy adheres to the client password policy.
- Emails and attachments sent to the Circulus platform from customers or vendors are processed through spam algorithms and virus scanning prior to insertion into the Circulus platform. Anti-virus software is installed on all servers to prevent virus attacks.
- The security and integrity of transmitted data between browser and server is ensured by deploying Secure Sockets Layer (SSL) certificates on our web servers.
- A dedicated firewall prevents unwanted internet traffic from reaching our servers.