Policies and Plans

Privacy Policy

Last Updated June 8, 2020

LoanPro Software, LLC (“LoanPro” or “we”) strongly supports and believes in security and privacy. The following policies and procedures outline how we protect customer data and the personal information of individuals.

Please read this Privacy Policy carefully to understand how LoanPro collects and uses your personal information and personal data (“Personal Information”). This Privacy Policy covers all Personal Information that we receive from various sources, as outlined below. By using or accessing LoanPro’s website(s) and our online loan servicing software and other SaaS (software as a service) subscription services (the “LoanPro Service”) in any way, or by engaging in transactions with LoanPro through any other means, you acknowledge that you accept the practices and policies outlined in this Privacy Policy, and you hereby consent to our collection, use and disclosure of your information in the manner described herein. If you do not agree with this Privacy Policy, please do not use this website or transact business with LoanPro.

Please note the tables at the end of this Privacy Policy that contain our additional policies and information specifically with respect to information and data collected and processed in connection with financial transactions, such as loans processed by the LoanPro Service.

WHAT WE DO WITH COLLECTED DATA - LoanPro Software uses collected, non-personally-identifiable data to analyze and review our products to improve and enhance them. We also offer business opportunities to our clients on an opt-in basis for products, or connections that we deem relevant to that Client. We may use the data collected and share it in the normal operation of business to provide services that are integrated with our offerings. We may also share data with affiliated companies to market these integrated products and services; however, any products and services offered will be offered on an opt-in basis only. Note: LoanPro Software does not sell personally identifiable data to unrelated third parties (no cold calling). LoanPro Software shares information with its related entities only in accordance with strict data security procedures.

Both federal and state law in the United States define Personal Information or Personal Data, as do the laws of Canada, the European Union, and other countries and jurisdictions. This Privacy Policy is intended to include the most expansive definition. However, please recognize that your rights related to your Personal Information, and how Personal Information is defined, are based upon your state, province and/or country where you reside.

PERSONAL INFORMATION THAT WE COLLECT -

LoanPro collects information about our Free-Trial and paid LoanPro Service clients (“Clients”), our Clients’ personnel, and third parties to whom Clients have made loans. This information includes the following Personal Information:

  • Contact information: full name, phone, address, company name, industry, email address.
  • Financial information relating to loans that individuals may have with our Clients.
  • Payment information, including credit card type or number, bank account number, billing address (under our PCI DSS Level 1 AOC).
  • Data gathered by our software such as browser type, time, location, and IP address from which the software is accessed.
  • Purchasing history: LoanPro stores the names of persons who sign contracts on behalf of Clients.
  • Information regarding use of our SaaS software and support services by Client employees and authorized users, including IP addresses, usernames, and encrypted passwords.
  • Information listed in the Financial Transactions tables below.

California Consumer Privacy Act Notice: Pursuant to § 1798.110 of the California Consumer Privacy Act (“CCPA”), the categories of Personal Information that we have collected about individual consumers in the preceding twelve months are:

  • Identifiers and Categories of Personal Information listed in the California Customer Records Act - See the identifiers listed above that are collected by LoanPro.
  • Customer Records - This information is stored in the form of documents attached to a Client file. The Client records collected and processed by LoanPro include identifiers as well as financial information, as outlined above.
  • Internet Activity – LoanPro collects only IP addresses.
  • Employment Information
  • Inferences about personal preferences and attributes drawn from profiling (e.g., using cookies)

LoanPro does not offer services or sell products to children and does not request or knowingly collect Personal Information from minors.

HOW WE COLLECT YOUR PERSONAL INFORMATION -

General. We collect Personal Information when:

  • you or your employer or organization sign up for or register an account with us;
  • you visit our website;
  • you complete an offer form on a marketing website for a free trial account of the LoanPro Service;
  • you use the LoanPro Service or our other services or software;
  • you participate in a feature of our website that requests or requires your Personal Information;
  • you otherwise transact business with or communicate with LoanPro (in person or by telephone, email, mail or otherwise); or
  • your Personal Information is contained in the records of a loan that a Client is using the LoanPro Service to process. Our Clients act as data controllers (“Controllers”) in the use of the software and the collection and processing of Personal Information to be able to effectively operate the software. In such cases, our role in processing the Personal Information provided by our Clients is as a “Processor,” since we are processing data on behalf of the Controller (who is the Client). As a Processor, we are obligated to process this Personal Information as part of our license agreement entered with the Client. Our license agreement, as well as this Privacy Policy, obligate us to treat all such information as confidential.

We also collect Personal Information in the following ways:

Methods listed in the Financial Transactions section (see below).

Cookies and other tracking technologies - The software we provide may set cookies in your web browser to store information during a period of software use. This information is necessary for various tools and features of the software including the collector queue, search parameters, and other features that use cookie data. You can change your web browser settings at any time to stop accepting cookies or to prompt you before accepting a cookie from the sites you visit. If you do not accept cookies, however, the LoanPro Service will not function properly for you, and you may not be able to use some sections or functions of our websites. We may also use other web-based user tracking technologies, such as clear GIFs, Flash cookies, pixel tags, or web beacons.

Data obtained for marketing purposes for potential Clients or others. We may obtain marketing data from third parties that we use to reach out to inform potential Clients and others of our services. The Personal Information collected generally includes the email address of a contact person with a potential Client or other and may also include their name and phone number. We also use the contact information provided to us by our Clients to communicate information about our products and services, which may include marketing our products and services.

HOW WE USE YOUR PERSONAL INFORMATION -

We may use and process Personal Information for any purpose that is permitted under applicable data protection laws in accordance with this Privacy Policy. “Processing” of Personal Information includes collecting, recording, organizing, structuring, storing, altering or modifying, retrieving, transmitting, disclosing or otherwise making available to third parties, deleting, and otherwise using or dealing with your Personal Information. We may process your Personal Information with or without automatic means.

These purposes include:

  • Our business purposes, including addressing customer service issues and warranty claims; processing sales leads, quotes, invoices and payments; collecting debts; planning and conducting marketing activities, tradeshows, trials, consultations, seminars, webinars, and demonstrations; responding to inquiries; conducting web analytics, security monitoring, and business operations and administration; and addressing tax and other regulatory requirements. Our business purposes also include the purposes listed in the Financial Transactions section below.
  • Purposes related to our software products, including SaaS or cloud-based software. These purposes include licensing and operation of the software, remote management, education and information services, training, webinars, communication, customer service, system monitoring and data security. We use Personal Information to enable use of software features and related services, including through use of third-party service providers. We also use Personal Information to communicate with our users to inform them of software updates and enhancements, educational information, available software features and modules, and other information that may be helpful or informative for our users.
  • Marketing. Your Personal Information will not be used for cold calling. However, we send Clients and users of our SaaS software marketing communications, on an opt-in basis, to inform them of and offer new products, services, promotions, or other business opportunities to our Clients. If you would like to stop receiving information about Special Offers from LoanPro, please see the “YOUR RIGHTS RELATING TO YOUR PERSONAL INFORMATION” section of this Privacy Policy below.
  • For the protection of LoanPro and others. If LoanPro, in good faith, determines that you have used the service to menace, threaten, harass, intimidate or otherwise deceptively pose as another person, or in any other way in violation of law. Simply, if you attempt to use the website or purchase or use a product for any unlawful means, you have no expectation of privacy and we may use and disclose any and all information for the protection of LoanPro and others.
  • Pursuant to law, rule or regulation. If required or permitted to do so by law or if, in good faith, LoanPro believes that such action is necessary to: (1) comply with laws and regulations or with legal processes; (2) protect and defend LoanPro’s rights and property or prevent fraud; (3) protect LoanPro against abuse, misuse or unauthorized use of LoanPro’s products or services; (4) protect the personal safety or property of our personnel, users of our website or the public; and/or (5) comply with tax reporting requirements, then LoanPro may use and disclose any and all information as needed. The servers that serve our website automatically identify a computer by its IP address.
  • Aggregated and de-identified data. We may anonymize data to create statistical data or system usage data, by removing all personal identifiers and/or aggregating your data with others’ data so that it is not identifiable as to any particular person. Such de-identified data may be retained and used by LoanPro to improve and enhance its products and services and for other proper purposes, provided that such retention and use is permitted by applicable laws.

Legal basis. We base our processing of Personal Information on the need to perform our contractual obligations under our license agreements and our legitimate activities as a provider of software and related services. We also process Personal Information to comply with applicable law and to exercise our legal rights. We may also use your Personal Information for internal purposes, including auditing, data analysis, system troubleshooting, and research. In these cases, we base our processing on legitimate interests in performing the activities of the organization.

HOW WE SHARE OR DISCLOSE YOUR PERSONAL INFORMATION -

No sale of Personal Information. We never sell or rent Personal Information to third parties.

Disclosures of Personal Information. We may disclose or share your Personal Information with other parties in the following circumstances:

  • Third-party service providers. We may use other third-party service providers (or subprocessors) to process Personal Information to facilitate use of our products and services, to provide services that are integrated with our LoanPro Service or other offerings, and in the operation of our business. This includes providing Personal Information to third parties for their processing in performing functions on our behalf, particularly the functions listed above in the “HOW WE USE YOUR PERSONAL INFORMATION” section. These functions include processing payments, collecting debts, hosting software, performing security services, analyzing data, performing surveys, administering our website(s), and/or providing technical support services. These third-party providers will be contractually and/or legally required to protect Personal Information from additional processing (including for marketing purposes) and transfer in accordance with applicable laws.
  • Affiliates. Some of our services, including portions of the LoanPro Service and customer support services, are provided by LoanPro’s affiliates, and we share Personal Information with our affiliates for those business purposes. We may also share data with affiliates to market integrated products and services, however, any such additional products and services offered are provided on an opt-in basis only. LoanPro shares Personal Information with its affiliates only in accordance with strict data security procedures.
  • Compliance with law and protecting our legal rights. We may disclose your Personal Information to regulatory bodies if we have a good-faith belief that doing so is required under applicable laws or regulations. This may include submitting Personal Information required by tax or other governmental authorities, or lawfully requested by governmental agencies, including law enforcement and judicial authorities. We may also disclose your Personal Information in order to exercise or defend our legal rights; to take precautions against liability; to protect the rights, property, or safety of LoanPro or any individual or third party; to maintain and protect the security and integrity of our information system; to protect LoanPro against fraudulent, abusive, or unlawful acts; or to investigate and defend LoanPro against third-party claims or allegations.
  • Corporate Transactions. If a third party acquires all or substantially all of the assets of, or ownership interests in, LoanPro whether by merger, acquisition, reorganization or otherwise, LoanPro may transfer its database, including all Personal Information contained therein, to the acquiring entity.
  • Aggregated and de-identified data. We reserve the right to disclose aggregated user statistics as well as non-personally identifiable information (such as anonymous usage data), in order to describe our services to prospective partners, licensees, advertisers, and other third parties.

DATA SECURITY AND STORAGE - LoanPro uses at least industry-standard security methods and precautions to protect our Clients' information and all Personal Information. When Clients submit sensitive information, it is protected using safe and secure methods reasonably available. LoanPro, through its use of PCI-Wallet (which holds a PCI DSS Level 1 AOC Certificate), is fully PCI DSS compliant. In addition to PCI DSS compliance and data encryption, we also use industry-standard security procedures to protect data offline. Our employees use Client-provided support codes to gain access to data in order to provide support. Through this system, a record is automatically kept of who authorized such support and who provided the support.

Specific security measures implemented by LoanPro include:

  • PCI DSS-compliant
  • SOC 1, SOC 2 Type I compliant
  • Veracode Secure Development Certification for all developers.
  • Non-disclosure agreements (NDAs) are signed with employees, vendors and contractors
  • Obligatory security awareness trainings for all employees on an annual basis.
  • Drug test and criminal checks for all employees
  • System monitoring using Sumo Logic, AWS Console and
  • Technical security policies include:
    • Data backup policy
    • Data Retention, Storage & Disposal Policy
    • Data Encryption & Key Management Policy
    • Acceptable Encryption Policy
    • Vulnerability & Risk Rating Process
    • Asset Inventory
    • AWS Physical Security Policies for servers
    • Change Control Process
    • Change Control for Infrastructure Process
    • Log review process
    • Firewall & Router Configuration standards
    • System Hardening and Configuration Standards
    • OWASP Guidelines adherence

We use Amazon Web Services (AWS) and Google Drive to store electronic information. All data access by LoanPro is restricted to within our pre-approved office locations and data center. Only employees who need the information to perform a specific job are granted access to Personal Information. Our employees must use a secure shell (ssh) to access this information and must also be allowed access from a specific IP address within our offices. Furthermore, all employees are kept up-to-date on our security and privacy practices to avoid security breaches through what is called "social engineering." Important details and changes are discussed in staff meetings and email memos. Finally, the servers on which we store Personal Information are kept in a secure environment, protected by a firewall and kept in a secure room in our data centers for physical security, currently with Amazon AWS.

RETENTION OF PERSONAL INFORMATION -

LoanPro processes Personal Information for a reasonable period of time to fulfill its business purposes stated above. Personal Information is then archived for time periods as required or necessitated by law or legal considerations. LoanPro reserves the right to delete a Client’s data, including Personal Information provided by that Client, from its system after its license agreement with that Client terminates. LoanPro also deletes Personal Information in response to an individual’s request, as set forth in the “YOUR RIGHTS RELATING TO YOUR PERSONAL INFORMATION” section below.

LoanPro reserves the right to retain usage data relating to our products and services, as well as data that has been anonymized and/or aggregated, to the extent permitted by applicable laws. With respect to any Personal Information collected by us for marketing or for our own internal purposes, we will retain that data for a reasonable time in order to fulfill those purposes.

We regularly review our retention policy to ensure compliance with our obligations under data protection laws and other regulatory requirements.

YOUR RIGHTS RELATING TO YOUR PERSONAL INFORMATION -

General. If you wish to opt out from any of the uses of Personal Information that are specified in this Privacy Policy, except in the case of legal proceedings or where your data is required for tax, transactional or other legal purposes, please contact us as described in the “LOANPRO’S CONTACT INFORMATION” section below. Please note that your subsequent disclosure of Personal Information to us may override prior opt-out requests. LoanPro does not discriminate against those who opt out. However, opting out may prevent us from conveniently and efficiently providing further product support services and information to you.

Unsubscribing from marketing communications: In particular, if we are sending you email communications of a marketing nature, an ‘unsubscribe’ option is provided in the footer of every email. You may also contact us directly to unsubscribe from marketing emails or other marketing communications, at the contact information set forth in the “LOANPRO’S CONTACT INFORMATION” section below. If you have agreed to receive marketing communications, you may always opt out at a later date.

While LoanPro does not sell Personal Information or other client data, we have enabled tracking of whether a Client has opted out of the sale of its data. This can be updated at any time upon the Client’s request.

Your California privacy rights. This section applies to California residents only.

  • Shine the Light law. Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of Personal Information the business shares with third parties for direct marketing purposes by such third party and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year. LoanPro does not presently share any information with third parties for direct marketing purposes. However, to submit such a request, you can contact us as set forth below.
  • California Consumer Privacy Act (CCPA). Pursuant to the CCPA (Section 1798.100 et seq. of the California Civil Code), residents of California have the following rights:
    • Right of access to your Personal Information, up to twice a year at no charge, including:
      • The categories of Personal Information LoanPro collects about the consumer,
      • The categories of sources of the consumer’s Personal Information,
      • The business or commercial purpose for collecting or selling the consumer’s Personal Information,
      • The categories of any third parties with whom the business shares the consumer’s Personal Information, and
      • The specific pieces of Personal Information collected about the consumer.
    • Right to request deletion of data, subject to certain exceptions, such as where the information is needed to provide services to the consumer, or for security or legal reasons.
    • Right to not be discriminated against for exercising your rights under the CCPA, such as denial of services or higher pricing.
    • Right to opt out of having your Personal Information sold.

You can exercise your rights under the CCPA by calling our toll-free number set forth in the contact information below.

  • California Minors. California residents under age 18 (“California Minors”) have additional privacy rights under California law. LoanPro does not knowingly collect any Personal Information of California Minors or allow them to post content to our website or subscription service. To have any content or Personal Information provided by or about a California Minor removed, please contact LoanPro at the contact information provided below.

Your Canadian privacy rights. This section applies to Canada residents only.

Under the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), we are required to comply with certain principles with respect to your Personal Information. These principles are:

  1. Accountability: We are accountable for the Personal Information we collect from you. We have developed a data protection policy for our business and appointed a data privacy officer to help you with any concerns related to your Personal Information.
  2. Identifying purposes for collection of Personal Information: This Privacy Policy identifies our purposes for collecting your Personal Information.
  3. Obtain valid, informed consent: We require your consent to the ways in which we collect, use and disclose your Personal Information, except in some limited, specific situations and as permitted by law (for example, to comply with laws and regulations, to protect our legitimate business interests, and to cooperate with law enforcement and governmental agencies’ requests). If we add a new use, we will request and obtain your consent for that new use before using your Personal Information in that new way. You may withdraw your consent by notifying us as specified below.
  4. Limiting collection to identified purposes: We limit the amount and type of the Personal Information we gather to what is necessary for the purposes identified in this Privacy Policy.
  5. Limiting use, disclosure, and retention: We limit our use, disclosure and retention of Personal Information to the purposes and uses identified in this Privacy Policy. We will destroy or erase your Personal Information when it is no longer necessary for those authorized purposes.
  6. Accuracy: We seek to keep your Personal Information correct and up-to-date. However, we will assume that the information we are supplied is accurate unless we are notified otherwise. You may contact us at any time to correct your Personal Information in our systems.
  7. Safeguards: We use reasonable and appropriate safeguards to keep Personal Information secure and private and guard against unauthorized access, loss, and theft.
  8. Openness: We make our privacy policies and practices easily available. If you have any questions, you may contact us at any time as set forth in the Contact Information section below.
  9. Access: If you request access to your Personal Information that is in our system, by contacting us as set forth below, we will provide you with a copy of that information within 30 days. Upon your request, we will also inform you if we have any of your Personal Information, explain how we have used your Personal Information, and provide a list of any other organizations to which your Personal Information has been disclosed.
  10. Recourse for complaints: You have the right to challenge our compliance with these guidelines. We commit to investigate all complaints and to modify our privacy practices if necessary.

If you wish to exercise any of your rights relating to your Personal Information or data under the principles outlined above, you may contact our Data Privacy Officer at the contact information set forth below. We may be unable to remove Personal Information to the extent that it is permitted or required to be retained by applicable law or document retention and data backup policies, or if removal is not practicable due to technological reasons. Please note that removal of your Personal Information may prevent or hinder us from providing further services and information to you.

LoanPro may require you to provide sufficient information to permit us to provide an account of the existence, use, and disclosure of Personal Information. The information provided shall only be used for this purpose.

Your Personal Information may be transferred outside of Canada for processing and storage. LoanPro and its service providers may store Personal Information on servers located in other jurisdictions, including the United States. Please note that privacy laws in such jurisdictions differ from Canadian privacy laws (e.g., PIPEDA) and that in some jurisdictions your Personal Information may be accessed by law enforcement authorities or the courts in such jurisdictions.

PRIVACY POLICIES OF OTHER WEBSITES -

Our websites contain links to third-party websites. This Privacy Policy applies only to our websites, so if you click on a link to another website, that website is governed by its own privacy policy.

NOTIFICATION OF CHANGES - If we change this Privacy Policy, we will post those changes on this page. Please review our Privacy Policy often to keep yourself aware of what Personal Information we collect, how we use it, and under what circumstances, if any, we disclose it. If you object to any changes to this Privacy Policy, you may close your account and discontinue use of our website and services. Each time you use any service of LoanPro, you agree that the current version of this Privacy Policy applies.

LOANPRO’S CONTACT INFORMATION:

If you have any questions about this Privacy Policy or the Personal Information that we hold, would like to cease receiving marketing materials from us, have any complaints, or would like to exercise any of your other rights related to your Personal Information, please contact us:

LoanPro Software, LLC
172 N East Promontory, Suite 275
Farmington, Utah 84025

Email: legal@loanpro.io
Phone: (800) 559-4776

If you wish to report a complaint or if you feel that LoanPro has not addressed your concerns in a satisfactory manner, you may also contact your state or local data protection authority.

FACTS: WHAT DOES LOANPRO SOFTWARE DO WITH YOUR PERSONAL INFORMATION?

Why? Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires lenders to tell you how they collect, share, and protect your personal information. Please read this notice carefully to understand what we do.

What? The types of personal information we collect and share depend on the product or service you have with us. This information can include:
  • Business EIN, address, contact information, and other business information, agent user's name and contact information

How? All financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons LoanPro Software, LLC chooses to share; and whether you can limit this sharing.

Reasons we can share your personal information                                                                                        | Does LoanPro Software, LLC share? | Can you limit this sharing?
For our everyday business purposes - such as to process your transactions, maintain your account(s), respond to court orders and legal investigations | YES                               | NO
For our marketing purposes - to offer our products and services to you                                                                  | YES                               | NO
For joint marketing - with other financial companies                                                                                    | YES                               | YES
For our affiliates’ everyday business purposes - information about your transactions and experiences                                    | YES                               | NO
For our affiliates’ everyday business purposes - information about your creditworthiness                                                | NO                                | We don't share
To limit our sharing
  • Call 1-800-559-4PRO
  • Visit us online: loanprosoftware.com
  • Contact us via email: legal@simnang.com
Please note: If you are a new customer, we can begin sharing your information 30 days from the date we sent this notice unless you have expressly directed us to immediately share your information. When you are no longer our customer, we continue to share your information as described in this notice. However, you can contact us at any time to limit our sharing.
Questions? Call 1-800-559-4PRO or go to loanprosoftware.com
Who we are
Who is providing this notice? LoanPro Software, LLC
What we do
How does LoanPro Software protect my personal information? To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.
How does LoanPro Software collect my personal information? We collect your personal information, for example, when you:
  • Open an Active or Trial Account
  • Use your payment profile on file
  • Use our websites
  • Give us your contact information

We also may collect your personal information from others, such as affiliated partners, our Clients and other companies, social media, government agencies, and public records to provide our services and to comply with government requirements to know our customers.

Why can’t I limit all sharing? Federal law gives you the right to limit only:
  • Sharing for affiliates’ everyday business purposes
  • Affiliates from using your information to market to you
  • Sharing for non-affiliates to market to you

State laws and individual companies may give you additional rights to limit sharing.

Definitions
Affiliates Companies related by common ownership or control. They can be financial and nonfinancial companies.
Non-affiliates Companies not related by common ownership or control. They can be financial and nonfinancial companies.
Non-affiliates we share with can include service providers and integrated partners for feature offerings.
Joint Marketing A formal agreement between non-affiliated financial companies that together market financial products or services to you.
Our joint marketing partners include financial institutions, service level providers, industry consultants and other lending companies.
Other Important Information
https://loanprosoftware.simnang.com/policies-and-plans.html

Data Backup Policy

Last Updated August 9, 2019

LoanPro operates on the AWS (Amazon Web Services) platform. This gives us the ability to provide several data backup features. All LoanPro database servers are hosted in AWS RDS, using an Aurora MySQL engine cluster in either provisioned or “serverless” mode.

DATABASE BACKUPS

Hot Standby — Our company employs a real-time hot standby database for all operating SQL databases. Data is automatically and synchronously replicated to multiple availability zones, even if the database itself is hosted in a single availability zone. This provides data redundancy and also allows for instance failover. In the event of a failure, the cluster automatically selects a read replica to be promoted as master with minimal service interruption (within 30 seconds) and no manual interaction required.

For serverless engines, failover time is currently undefined (typically under 10 minutes), because it depends on demand and capacity availability in other availability zones.

Point-In-Time Recovery — Our company utilizes Point-In-Time Recovery (PITR) for the entire database. This is achieved through Amazon RDS automated snapshots and Aurora backup data. We have the capability to restore the database to one of the existing daily snapshots (up to the past 7 calendar days) or to a specific point in time in the same period typically within 5 minutes.

Daily Backups — Our company utilizes the snapshot feature of Amazon RDS to do daily incremental backups, up to the past 7 calendar days. These daily backups are redundantly stored in Amazon Simple Storage Service (S3). Amazon S3 redundantly stores data in multiple facilities and on multiple devices within each facility. To increase durability, Amazon S3 synchronously stores snapshot data across multiple facilities before confirming that the data has been successfully stored.

DOCUMENT BACKUPS

All documents, images, and files uploaded to the software are hosted in Amazon S3 cloud storage with versioning. This versioning allows us to retrieve not only the most recent version of the file, but up to the last 100 saved revisions of the file.
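As an added example (not LoanPro's own code), the following drift check verifies that live RDS and S3 settings still match the controls stated in this policy: a retention window of at least 7 days, replication across multiple availability zones, a reader to promote on failover for provisioned clusters, and versioning on the document bucket. It evaluates dicts in the shape boto3 returns for describe_db_clusters() and get_bucket_versioning(); the cluster and bucket names and the sample responses are constructed.

```python
"""Drift check: do live AWS backup settings still match the written policy?"""
from dataclasses import dataclass

# Controls taken from the Data Backup Policy text above.
MIN_RETENTION_DAYS = 7       # daily snapshots and PITR window: past 7 calendar days
MIN_AVAILABILITY_ZONES = 2   # data replicated to multiple availability zones
EXPECTED_ENGINE = "aurora-mysql"


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    ok: bool
    detail: str


def check_cluster(cluster: dict) -> list[Finding]:
    """Evaluate one entry of describe_db_clusters()['DBClusters']."""
    ident = cluster.get("DBClusterIdentifier", "<unknown>")
    findings: list[Finding] = []

    engine = cluster.get("Engine", "")
    findings.append(Finding(ident, "aurora-mysql engine",
                            engine == EXPECTED_ENGINE, f"Engine={engine!r}"))

    # BackupRetentionPeriod governs both automated snapshots and the PITR window.
    days = cluster.get("BackupRetentionPeriod", 0)
    findings.append(Finding(ident, "backup retention >= 7 days",
                            days >= MIN_RETENTION_DAYS, f"BackupRetentionPeriod={days}"))

    zones = cluster.get("AvailabilityZones", [])
    findings.append(Finding(ident, "multi-AZ replication",
                            len(zones) >= MIN_AVAILABILITY_ZONES, f"AvailabilityZones={zones}"))

    # Provisioned clusters fail over by promoting a reader, so one must exist
    # (serverless clusters have no fixed members; their failover is demand-dependent).
    if cluster.get("EngineMode", "provisioned") == "provisioned":
        members = cluster.get("DBClusterMembers", [])
        readers = [m for m in members if not m.get("IsClusterWriter", False)]
        findings.append(Finding(ident, "read replica available for failover",
                                len(readers) >= 1, f"{len(readers)} reader(s)"))
    return findings


def check_bucket_versioning(bucket: str, versioning: dict) -> Finding:
    """Evaluate a get_bucket_versioning() response: 'Status' is absent when versioning
    was never enabled and 'Suspended' when switched off; only 'Enabled' passes."""
    status = versioning.get("Status", "NeverEnabled")
    return Finding(bucket, "S3 versioning enabled", status == "Enabled", f"Status={status}")


def audit(clusters: list[dict], versioning_by_bucket: dict[str, dict]) -> list[Finding]:
    findings: list[Finding] = []
    for cluster in clusters:
        findings.extend(check_cluster(cluster))
    for bucket, versioning in versioning_by_bucket.items():
        findings.append(check_bucket_versioning(bucket, versioning))
    return findings


def live_audit(region: str, buckets: list[str]) -> list[Finding]:
    """Same check against a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline sample below needs no AWS SDK
    rds, s3 = boto3.client("rds", region_name=region), boto3.client("s3")
    clusters = rds.describe_db_clusters()["DBClusters"]
    return audit(clusters, {b: s3.get_bucket_versioning(Bucket=b) for b in buckets})


# Constructed sample responses (hypothetical names): one compliant provisioned
# cluster, one serverless cluster whose retention drifted, and two buckets.
SAMPLE_CLUSTERS = [
    {"DBClusterIdentifier": "loans-prod", "Engine": "aurora-mysql",
     "EngineMode": "provisioned", "BackupRetentionPeriod": 7,
     "AvailabilityZones": ["us-west-2a", "us-west-2b", "us-west-2c"],
     "DBClusterMembers": [{"DBInstanceIdentifier": "loans-prod-1", "IsClusterWriter": True},
                          {"DBInstanceIdentifier": "loans-prod-2", "IsClusterWriter": False}]},
    {"DBClusterIdentifier": "loans-staging", "Engine": "aurora-mysql",
     "EngineMode": "serverless", "BackupRetentionPeriod": 1,
     "AvailabilityZones": ["us-west-2a", "us-west-2b", "us-west-2c"],
     "DBClusterMembers": []},
]
SAMPLE_VERSIONING = {
    "loanpro-documents": {"Status": "Enabled", "MFADelete": "Disabled"},
    "loanpro-exports": {},  # versioning never enabled: no Status key at all
}

if __name__ == "__main__":
    for f in (x for x in audit(SAMPLE_CLUSTERS, SAMPLE_VERSIONING) if not x.ok):
        print(f"FAIL {f.resource}: {f.control} ({f.detail})")
```

The policy's 100-revision document history is not visible from the versioning status alone, so it is not checked here.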

Please note that backup procedures and data-retrieval protocols are based on Amazon’s current product line, which is subject to change. If Amazon changes its products or services in a way that materially, adversely affects LoanPro and its customers, LoanPro will use all reasonable efforts to negotiate a remedy with Amazon, or to find a substitute provider or method to provide the same service.

Data safety and integrity are top priorities at LoanPro. We take the safety of your business data very seriously.

Disaster Recovery Plan

Business Continuity & Disaster Recovery Plan

Last Updated August 2, 2019

Purpose

It is our top priority to make our clients’ data available when and where they need it, in the cleanest, most organized way feasible. The purpose of this Disaster Recovery & Business Continuity Plan is to outline how we will fulfill this purpose, even if a disaster were to affect our operations.

Disaster

A disaster is any event or circumstance that restricts our ability to deliver our software to our customers for more than 24 consecutive hours, or that prevents us from operating out of our current facilities for more than 1 week.

Order of Recovery

In the event of a disaster, the following would be the priority for recovery of our operations:

1. Continuous Delivery of Our Software
2. Software Development Operations
3. On-Demand Support
4. Onboarding
5. Software Development
6. Business Administration
7. Sales
8. Project Management
9. Marketing

Company & Software

We have architected our applications to facilitate automatic scaling or adjustment (fail-over). This keeps our applications running as seamlessly as possible, and limits downtime and recovery time, in the event of a disaster. We have also taken steps to ensure adequate data backup (See Data Backup Policy), rapid data recovery, and geographically diverse systems and personnel.

Responsibilities & Roles

LoanPro Software has well-defined roles for our team members, in the event of a disaster, to ensure efficient recovery of the application. These roles and responsibilities are in force even outside times of disaster. They cover the following areas: Preparation, Testing, Identification, Assessment, Containment, Eradication, Recovery, Post Mortem.

Customer Notification

In the event of a disaster that has an impact on the LoanPro Software application, our organization will provide updates on our third-party-hosted status page.

Software Application

Our software operates inside of the AWS (Amazon Web Services) Cloud platform. This provides us with significant disaster recovery options. We operate with a “hot standby” database which continuously mirrors data from the primary database and a “pilot light” system to enable more server power on the fly when needed for queued job processing and web traffic. AWS servers and databases are available in various geographically-diverse zones to insure against a localized disaster. This can all be managed remotely through an AWS dashboard allowing for quick deployment and automated scalability as needed. On the EC2 platform the current AWS service commitment is to provide 99.9% monthly uptime.

We utilize Amazon’s world-class data centers, which are highly secure and equipped with state-of-the-art electronic surveillance and multi-factor access control systems. Data centers are staffed 24x7 by trained security guards, and access is authorized strictly on a least-privilege basis. Environmental systems are designed to minimize the impact of disruptions to operations. Data centers located across multiple geographic regions (Availability Zones) allow for the effective mitigation and management of disasters. In the worst-case scenario, we have architected our system deployment to include the streamlined ability to deploy the application to a new AWS region, if necessary, in a matter of hours.

Support & Phone System

We utilize VoIP phone systems with a fallback to landlines (or cell) in case of power or internet outages. In addition, at all of our support centers we operate with multiple internet providers and onsite backup generators in case of power outages. If a disaster were to disable our office for an extended period of time, we have the ability for support staff members to work remotely until the disaster is resolved. This allows us to continue to serve our clients throughout the disaster.

Geographic Diversification

We have diversified operations in multiple locations, including our headquarters in Farmington, Utah, USA. In addition to our headquarters we have small offices in Phoenix, Arizona, USA, and Hermosillo and Guadalajara, México. This diversification ensures that a local disaster will not affect our entire team. We also utilize servers across two continents that are backed up in geographically separate locations. This will ensure that at least part of our team has Internet access to be able to continue providing assistance and support to our clients. Our headquarters operates with redundant internet providers to ensure constant connectivity to provide service to our Clients.

Non-Time-Critical Recovery

PCI Wallet has insurance to cover our building, furniture, computers, etc. at our offices. Because of our software architecture in the AWS Cloud, recovery time for items that impact our clients should be very limited: in the event of a disaster, our physical office is not required in order to have the application fully functional.

LoanPro has implemented measures to mitigate the threat of disaster.

Database Failure - In the event that one or more of our primary databases fails, we employ a synchronized backup database, in a separate geographic location, that will take over. Should every primary database and corresponding hot standby fail, we keep 30 days’ worth of daily server backups, which are stored on Amazon's S3. Every 30 days, these data backups are stored in a magnetic format that can be put into service in 24 hours if all other backups fail. See Data Backup Policy for more details.

Server Failure - LoanPro has spent significant time structuring our code to make it possible to add new server instances on the fly. If any server fails, we can automatically create a new server and bring it into service. In addition, we employ a dynamic load balancer to route traffic automatically, which will result in limited or no impact to our clients in the event of a server failure.

Security Breach - LoanPro employs the latest security measures and testing to keep unauthorized users out of our software. Customer databases are separated to keep users from unauthorized data access. LoanPro stores personally identifiable information with a minimum of 256-bit encryption, making data that was illegally accessed very difficult, if not impossible, to use. Please review our data security breach policy for more details on how such an event would be handled.

Significant Loss of Personnel - LoanPro employs personnel in multiple countries across many geographic areas. While a reasonable number of them work at our main office, many of them, including a portion of our key personnel, work in satellite offices of sufficient distance that they would not all be affected by a localized disaster. Our company has policies and procedures in place that allow us to conduct normal business even if we suffer a significant loss in personnel.

Loss of Key Personnel - In the event that LoanPro loses a significant number of key personnel, there is an established hierarchy in place that dictates seniority among existing officers. LoanPro has also worked hard to document its policies, procedures, relationships, and code base to enable new and existing employees to carry on company operations if key personnel are lost. We have implemented a company knowledge base that includes documentation on every area of the business in an attempt to decentralize information and eliminate "islands of knowledge".

System Monitoring - We have both automatic 24x7 system monitoring as well as a rotating on-call Development Operations team monitoring the software application at all times. This business policy results in very short response times to address any disasters that may occur.

Data Security Breach & Incident Management Policy

Last Updated August 02, 2019

Overview

LoanPro Software enforces rigid security protocols to prevent data security breaches. These controls cover data access by all parties, and data-storage procedures including encryption, rotation of keys, firewalls, and other security measures. The purpose of this document is to outline our policies and procedures in the event that our data security is breached.

Security Measures

At a minimum, LoanPro Software uses industry-standard practices to protect our customers' information. Sensitive information is protected using the most secure methods that are reasonably available.

Payment Profile Information — LoanPro Software integrates with PCI Wallet, a sister product, for the storage of payment information and payment processing. PCI Wallet is PCI compliant and maintains a PCI-DSS Level 1 Attestation of Compliance (AOC). LoanPro is integrated according to PCI standards and never directly interacts with payment data.

Data Access — Data access is restricted by username and password authentication. LoanPro offers a multi-factor authentication option to further protect against unauthorized access.

Our personnel have access to client data only when the client authorizes the access by providing a support code. Records are kept for each support transaction that include information about the authorizing party and the authorized support representative. All data access by LoanPro Software personnel is restricted to within our offices through IP filtering. A record is kept of any changes made inside a client account by LoanPro personnel. Our hiring process includes a full background check of any new employee.

Employees are granted access to information on a need-to-know basis. Employees are regularly trained on our security and privacy practices to avoid security breaches through social engineering. Changes to privacy and security policies are also disseminated immediately through staff meetings and memoranda.

Employees who are authorized to access LoanPro databases must have their IP address whitelisted in order to do so. Access is only permitted through a secure shell (SSH). Permissions to hardware, environments, and data are configured per user, using the principle of least privilege. All servers are housed in Amazon data centers, which use the latest in firewall and other security technology.

Please see our Privacy Policy for more details on security measures.

Incident Management

LoanPro will take the following steps in the event of a data breach: identify and close vulnerabilities, reinforce, report.

In the Event of Data Breach

Identify and Address Attack Points

If a security breach occurs, our first action will be to identify the vulnerability that allowed the breach to occur. Once a point of vulnerability is identified, our team will implement the necessary configuration, code, or controls to limit and/or close it. This includes the reinforcement of security protocols. For more information on identifying incidents, see the Incident Identification Policy.

We have self-contained and external monitoring that continuously runs on our system. The primary responsibility to identify and address vulnerabilities falls on the on-call personnel in each department of our software division. Once a vulnerability has been identified, our entire software division is responsible for identifying and mitigating vulnerabilities. Department responsibilities are as follows:

Responsibility                     Department(s)
Identify Vulnerability             Software Development, Development Operations
Eliminate/Mitigate Vulnerability   Software Development, Development Operations
Test Vulnerability Fix             Software Development, Development Operations, Quality Assurance

Provide Notice

LoanPro Software will provide timely and appropriate notice to affected parties, when there is reasonable belief that a breach in the security of private information has occurred. A breach in security is defined as an unauthorized acquisition of information from LoanPro Software. If it is determined that an external notification to the affected individuals is warranted, the following procedures will apply:

  1. Written notice will be provided to the affected individuals through the postal service, unless the cost is excessive or insufficient contact information exists. The evaluation of cost and the determination that cost is excessive will be the decision of the LoanPro Software CIO and its legal counsel.
  2. If written notice to the affected individuals is not reasonably possible, one or both of the following methods will be used to provide notice:
    • Email
    • Status Website
Investigation

Security breach incidents are investigated fully after a fix for these events is put in place. Our internal and external monitoring keeps a detailed log of all events. Access to these logs is also tracked. Access to the logs is given to personnel on a least-privilege basis. The tracking of access to logs serves as the chain-of-custody documentation for evidence of a breach incident.

If the breach was the result of actions of Simnang personnel, and the breach was not malicious in nature, a formal reprimand will be included in the individual’s personnel file. If the same individual causes three breaches, without malicious intent, the individual’s employment or association with Simnang will be terminated.

Report to Authorities

Any attempt to circumvent data security is a violation of the SaaS Agreement. All attacks on LoanPro Software IT resources are infractions constituting misuse, vandalism or other criminal behavior. If the perpetrator of a security breach incident is identified, their information will be reported to law enforcement. When an incident is identified, it is the duty of any Simnang employee or contractor to report the incident to his or her direct supervisor.

If a LoanPro client or affiliated party suspects or can confirm an information security breach, the breach should be reported to LoanPro Software, either via email to security@simnang.com or by calling (800) 559-4PRO. LoanPro Software will investigate each report. Once the incident is dealt with, the reporting party will be notified of its conclusion.

Private Information

If the data in question is defined as personally identifiable and was not in an encrypted format, a public notification may be warranted. For the purposes of this policy, data is defined as personally identifiable if it includes a name (first and last name, or first initial and last name) in combination with any of the following: Social Security number; bank account number; or credit or debit card account number, together with any security or access code or password that would permit access to the account. Personal information that is publicly and lawfully available to the general public, such as address, phone number, and email address, is not considered private information for the purposes of this policy.

Incident Types

Unauthorized Physical Access

Identification

Our office is relatively small and employees are able to easily recognize a non-employee. Any visitor who has access to more than our reception area is also required to wear a visitor’s badge and provide identification. If unauthorized access is gained, Simnang adheres to a clean-desk policy, which requires all information on paper, white boards, etc. to be destroyed before the end of each day.

Passwords are required for all Simnang computers. System access and access to sensitive data also require authentication through passwords. On top of this, no customer data is stored directly on computers located on our premises; all customer data is housed in the cloud.

Additionally, our office entrances are monitored by cameras 24 hours a day. These cameras continuously record everyone entering the office. If motion is detected after hours, an alert is sent to key personnel informing them of what is happening. The cameras provide the option of a live stream that can be viewed remotely by our personnel. Recordings from these cameras are kept for 30 days.

Recovery & Remediation

If unauthorized physical access is discovered, the proper authorities will be notified and provided footage from our in-office cameras. An assessment will be made to determine if anything was stolen, or if information could otherwise have been taken.

Passwords for our software applications, company G Suite accounts, Monday.com, and Zendesk will be administratively reset to ensure they aren’t used to gain unauthorized access to sensitive data.

Notification

Because unauthorized physical access does not guarantee unauthorized access to information, notification about a physical breach will occur when unauthorized access to information has occurred or seems reasonably likely.

LoanPro Software will provide timely and appropriate notice to affected parties, when there is reasonable belief that a breach in the security of private information has occurred. A breach in security is defined as an unauthorized acquisition of information from LoanPro Software. If it is determined that an external notification to the affected individuals is warranted, the following procedures will apply:

  1. Written notice will be provided to the affected individuals through the postal service, unless the cost is excessive or insufficient contact information exists. The evaluation of cost and the determination that cost is excessive will be the decision of the LoanPro Software CIO and its legal counsel.
  2. If written notice to the affected individuals is not reasonably possible, one or both of the following methods will be used to provide notice:
    • Email
    • Status Website

Information System Failure

Identification

We employ Pingdom and Sumo Logic to continuously monitor our system and check for system failure. Our systems continuously monitor available disk space, CPU, RAM and network load. For more information on system monitoring, see Operating Procedures.

Recovery & Remediation

When the system fails, our on-call developers are our first line of response. On-call programmers are available 24x7x365. Our on-call development staff is responsible for making adjustments or fixes where needed in order to bring the system back online.

Remediation and recovery may also require help from our business personnel to make sure the customer data is updated in a timely manner. Updates to customer data will always occur, but if there is a system outage, it can help if our system updates loans in a specific order.

Notification

If customers will be affected by a system outage, they are always notified via email as soon as possible. This notification may occur in the middle of the night, which is why email is the preferred method of notification. These notifications usually contain information about the outage, what is being done to fix it, and what the customer can or should do, if anything, to help the situation.

Malware Activity

Identification

Anti-virus scans are performed on a weekly basis on all workstations. Anti-virus software is updated continuously to ensure that all the latest known malware is scanned for. The system also logs information on the following:

• Web Application Firewall
• IDS/IPS
• File Integrity Monitoring (FIM)
• Application Exceptions
• Web Server
• Database Server

These logs are reviewed daily through Sumo Logic.

Recovery & Remediation

All Simnang products employ backups of both the code base and customer data. If malware is found on any of the workstations, the typical procedure is to eradicate the malicious software, assess the impacts and recover the data or roll back the code if necessary.

Notification

If customer data is affected, or if the system will be down for any period of time, a post will be made to our status page and an email sent to the administrative user for affected customers.

Denial of Service

Identification

We employ Pingdom and Sumo Logic to continuously monitor our system and check for system failure. Our systems continuously monitor available disk space, CPU, RAM and network load. For more information on system monitoring, see Operating Procedures.

Recovery & Remediation

If the source of the denial of service is internal, the procedure is to fix the issue within our own system. If it’s an external attack, we will employ additional servers, where needed, while the source of the attack is identified and dealt with.

Notification

Denial of service notifications will be made through our status page.

Incomplete or Inaccurate Data

Identification

Our systems monitor file integrity and notify us of any issues. Logs of this monitoring can be queried to investigate any issues.

Notification

If we discover data problems, notification will be made to affected customers after the root cause of the loss of data integrity is discovered. Notification will most often occur via email.

Confidentiality Breach or Loss

Identification

Our systems are continuously monitored for potential unauthorized access. If confidentiality has been breached and a Simnang employee has allowed access to our systems by an outside party, suspicious activity will be detected based on the accessing IP address.

Recovery & Remediation

If access to the user interface has been obtained by an unauthorized party, their activity in the software will be stamped with their user information. This makes it possible to identify and undo the changes they have made in the software.

If access has been gained to our code base or databases, our logs will show the activity taken by unauthorized parties. This activity can then be undone using our data backups or code base backups.

Notification

If customer data has been stolen as a part of the breach, our customers will be notified with as much information as is available about what was taken.

System Exploit

Identification

System exploits are identified through weekly penetration testing. We run OWASP ZAP tests and document test results.

We also perform monthly testing to identify new vulnerabilities. If these vulnerabilities are introduced by a third-party library, plugin, or application, they are thoroughly researched in order to understand and mitigate their effects.

Finally, we perform yearly internal penetration testing to identify vulnerabilities in our own system security.

Recovery & Remediation

When a system exploit is found, the vulnerability is patched by our development and/or development operations team.

Notification

If a system exploit allowed possible access to customer data, or affected customers in other ways, customers will be notified of the breach via email. The email should include a description of the exploit and measures that the customer can take to guard against its effects, if any.

Unauthorized Logical Access

Identification

We perform a weekly review of user access and activity in the AWS Console and servers.

Recovery & Remediation

If access has been gained to our code base or databases, our logs will show the activity taken by unauthorized parties. If the activity was destructive, it can be undone using our data backups and code base backups. If sensitive information was taken, a report of the information will be made to the proper authorities.

Accounts and access are reviewed quarterly to ensure that access is not being granted where it should not be and that inactive accounts are deleted.

Notification

All potentially affected customers will be notified of unauthorized access and its potential effects via email. The email will be sent to the administrative user for each Simnang account.