Platform Security and Compliance Policy

ArtAML™ is a cloud application that provides software as a service. Our platform provides a solution to walk you through AML and compliance requirements.

Our platform accessible via https://artaml.app is designed to continuously keep input material secure. We are mindful of personally identifying information collected for AML and compliance purposes, and internally limit access to all personally identifying data on a need-to-know basis.

ArtAML employs the best security practices, thereby retaining a minimal amount of personal data and operating with the fewest privileges necessary to provide a great experience to users.

Data Encryption

All connections from the browser to the ArtAML™ platform are encrypted in transit and corresponding certificates are generated by Let’s Encrypt following state-of-the-art security configuration.

All data is encrypted at rest.

User passwords are stored with one-way encryption so that passwords are not accessible to anyone including ArtAML™ team members.

Physical Infrastructure

The ArtAML™ application is hosted on DigitalOcean, which continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. DigitalOcean is certified with the international standard ISO/IEC 27001:2013. By achieving compliance with this globally-recognised information security controls framework which is audited by a third party, DigitalOcean has demonstrated a commitment to protecting sensitive customer and company information. That commitment doesn’t end with a compliance framework, but is a necessary baseline for security. Digital Ocean’s ISO/IEC 27001:2013 certificate can be viewed here.

For additional information see:
https://www.digitalocean.com/legal/

Vulnerability Management

We keep our systems up to date with the latest security patches and monitor for new vulnerabilities. This includes automatic scanning of our code repositories for vulnerable dependencies. The services are configured with tight network security constraints to further limit any potential risk. Digital Ocean regularly conducts internal vulnerability assessments and patches the underlying systems.

There are no cookies that store personal information or that can identify a user employed on the platform. Cookies are limited to those required for functionality, which are GDPR-compliant and do not require consent.

Authentication

JSON Web Tokens (JWTs) are used for authentication and authorisation.

Password Policy

User passwords are required to meet the following criteria:
– Minimum 8 characters in length;
– Use at least one of each: Lower case (a-z), upper case (A-Z) and numbers (0-9)
– Use at least 1 special character: !@#$%^&*

Audit Trail

We record an audit trail of which user provided the latest answer to a question. This is in addition to having a snapshot of how a questionnaire was answered upon completion.

Incident Response Plan

Identification
ArtAML routinely monitors our external services and open source libraries for security issues and has executed Data Processing Addendums (DPA) with our vendors to ensure prompt notification of data breaches. ArtAML™ continuously scans ArtAML™ for service interruptions, performance degradation, and security vulnerabilities with automated tools to immediately alert our engineers when an incident has been detected. Users may also report security issues to [email protected].

Containment
Whenever our engineering team is alerted to a security issue, the team determines what systems are affected and quickly contains the problem. Because all of our services run on servers that isolate processes, memory, and file system, they are easily replaced and updated in their entirety inhibiting further escalation.

When our engineering team is alerted to an issue relating to use of the platform, we will only access data available in the servers that might contain personally identifying information of your clients (who are ArtAML™ users and have accepted our Privacy Policy and Data Processing Policy) after you have expressly given permission. The sole purpose of accessing this data is to rectify an issue and the information will not be used for any other purpose.

Recovery
If data was found to be affected, it is restored from clean backup files, ensuring that no vulnerabilities remain. Secondary backups are also stored using Backblaze B2 Cloud Storage*. Systems are monitored for any recurrence. Ephemeral services are patched and redeployed eliminating any chance of malware persistence.

Retrospective
The ArtAML engineering team analyses every operations incident and how it was handled, making recommendations for better future response and for preventing any recurrence.

Change Management Plan

New releases to the ArtAML™ Platform are thoroughly reviewed and tested to ensure high availability and great customer experience. Changes to our codebase are required to include unit tests, integration tests, and end-to-end tests. Changes are also run against our continuous integration server. This enables us to automatically detect any issues in development.

Once a changeset is completed, it is evaluated and manually tested end-to-end.

After a changeset is released, we continue to monitor application exceptions and log exceptions. These exceptions are regularly reviewed and triaged for resolution. Performance impacts of the changeset are monitored through several monitoring services.

Team Member Screening and Policies

All ArtAML™ team members with access to the ArtAML™ code are required to have passed a DBS check in the past three years. This certification is to be renewed three years at the latest after the most recent DBS pass certificate has been issued.

ArtAML™ team members are required to use modern password management software for all accounts associated with ArtAML™, with each password unique to each application / account.

ArtAML™ team members with access to our user management platform are required to have multi-factor authentication enabled.

More information on ‘Security Instructions’ required of team members is available upon request.

Compliance

UK GDPR Compliance
ArtAML™ is committed to GDPR compliance. Servers are based in Amsterdam and adhere to the General Data Protection Regulation.

It is permissible for ArtAML™ users to collect information required by the UK Money Laundering Regulations 2017 (and equivalent for other jurisdictions) as required by law. As stated by Section 41 of the ML Regulations 2017: “Any personal data obtained by relevant persons for the purposes of these Regulations may only be processed for the purposes of preventing money laundering or terrorist financing.”

It’s worth noting that UK GDPR is a broad regulation and there is no certification process. Therefore, no company can legitimately claim that they are UK GDPR-compliant. ArtAML™ makes a good-faith effort to be compliant with GDPR, both now and as future developments come along.

ICO
ArtAML™ Ltd. is registered with the Information Commissioner’s Office (ICO). The associated registration number is ZA566966.

Official Certification

HMRC (the supervisory body for Art Market Participants in the UK) does not approve any AML service provider or adviser for sectors that they regulate, including Art Market Participants. (The only approved list is certified software for Making Tax Digital- or MTD.)

The Financial Conduct Authority (FCA) does not approve any AML solution that sits outside of the financial sector. Art Market Participants fall out of the financial sector and as ArtAML is a specialist AML / compliance solution for the art market, the business falls out of the FCA’s remit and thus cannot be approved.

Therefore, it is essential that we provide assurances and consistently demonstrate best practices, such as with this Security and Compliance Policy, other legal policies (see below), our team members (the Co-Founders being specialists in the art market and technology, and software developers all being at ‘senior engineer’ level) and our Advisory Panel, underpinned by a robust insurance policy provided by HISCOX.

Legal Policies

ArtAML™ Privacy and Cookie Policy (cookies only relating to artaml.com and not artaml.app): https://artaml.com/privacy-policy/
ArtAML™ Data Processing Policy: https://artaml.com/data-processing-policy/
ArtAML Terms of Business: https://artaml.com/terms-and-conditions-of-supply-main-agreement/

*Secondary backup: Backblaze

Backblaze’s B2 Cloud Service is solely employed for redundant backups. Rigorous security measures are in place, which achieve the same standards for Physical Infrastructure as DigitalOcean. These are, namely, ISO/IEC 27001:2013; SOC 1 Type II; Soc 2 Type II and PCI-DSS. This service is SSL-enabled and the server is encrypted at rest. All files are transmitted using an encrypted SSL connection.