Capitalytics Information Technology Policies (as of 6 Feb 2013)


  1. Overview

    Capitalytics is a leading edge provider of information services to banks and financial services companies. We provide quantitative analysis of data from financial services companies to help providers better understand their markets and how they can profitably serve their clients. Given the focused nature of our services, we are currently (at the time of this writing) a closely held company; as such, many of the policies below are intended to provide Capitalytics with guidelines for how we interact with our clients, and grow the trust of new clients.

  2. Identified Risks

    In accomplishing our objectives, and maintaining the trust of our clients and others within our community, we recognize that Capitalytics may become privy to sensitive information, and we will use commercially reasonable measures to protect information entrusted to us. As required by The Gramm-Leach-Bliley Act (GLB), also known as the Financial Services Modernization Act of 1999, we intend to protect the confidentiality of all "Customer Information" (as defined by GLB as "... any record containing nonpublic personal information as defined in 16 CFR 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.") that is entrusted to us.

    Specifically, Capitalytics may be entrusted with "Confidential Information"; "Confidential Information" will include information such as (but not limited to) the aforementioned "Customer Information" (alternatively termed "Nonpublic Personal Information", as defined in Title V of the Gramm-Leach-Bliley Act (Public Law No. 106-102)), account holders' names, addresses, balances, transactions (including dates, payors/obligors, payees/obligees, and amounts), and credit rankings. Further, we may be entrusted with information considered strategic to financial service companies and other providers (including, as examples, specific investments and portfolio information). Capitalytics intends to handle this information in accordance with all written agreements (including our Terms and Conditions), and with appropriate judgment based on the availability and capabilities of state-of-the-art technology, as well as the legal, ethical, and cultural climate within which we operate.

    In cases where Capitalytics may from time to time be enlisted to handle particularly sensitive information, processes, "know how", or other descriptions, Capitalytics will hold that information in confidence, and it will be shared internally only insofar as necessary to complete an agreed-upon objective. This point is intended to convey that, unless otherwise specifically acknowledged, Capitalytics will (a) keep all clients' Confidential Information as confidential and secure as lawfully possible; (b) restrict access to clients' Confidential Information to those individuals who are actively and directly participating in the fulfillment of an appropriate objective; (c) ensure as much as feasibly possible that all persons or entities who have access to a client's Confidential Information use the best and most responsible judgment in handling that Confidential Information; (d) not use a client's Confidential Information in any way that is not intended as part of a joint understanding between Capitalytics and its client; and (e) not disclose any agreement, information, marks, or the potential existence of any of the previously mentioned items without an explicit joint understanding between Capitalytics and its client.

    At all times, until specifically agreed to by an appropriate client of Capitalytics, all data remains the property of its clients. While Capitalytics derives much of its own value by creating/deriving information from account information that is provided by financial service providers, we expressly acknowledge the ownership of that account information by the financial service provider until permission is granted to use it for other purposes. Consequently, a financial service provider may request at any time to have information that it provides destroyed, unless such rights have been expressly relinquished.

    In short, the guidelines for Capitalytics management of Confidential Information are the following.

    1. Capitalytics will implement and maintain reasonable state-of-the-art safeguards to ensure that Confidential Information is not accessed nor is accessible by non-Capitalytics personnel.
    2. Only Capitalytics personnel who have a "need to know" will be entrusted with the means to access Confidential Information; where possible, the "means to access Confidential Information" will be unique, trackable, and revocable.
    3. All Capitalytics personnel will be responsible for maintaining the security of their credentials and/or other means to access any Confidential Information with which they may be entrusted.
    4. Any issues with the maintenance of Capitalytics security, infrastructure, or credentials are of paramount importance, and will be recorded and rectified, with issues that affect the confidentiality, security and/or integrity of Confidential Information reported to the owner of the potentially affected Confidential Information.
    5. All Capitalytics personnel will be made aware of the trust placed in us as part of providing our services, with the understanding that violating that trust deliberately or through obvious negligence will have immediate consequences.


  3. Technology Service Providers

    Given the state of technology and the economic climate at the time of this writing, owning and operating a dedicated facility for hosting Capitalytics' computational resources is not an efficient use of manpower and financial resources. As such, Capitalytics will contract with one or more appropriate Technology Service Providers to provide Capitalytics' services to its clients. We assume the same definition of "[Technology] [S]ervice [P]roviders" as defined within GLB, specifically " ... any person or entity that receives, maintains, processes, or otherwise is permitted access to [C]ustomer [I]nformation through its provision of services ..."

    Capitalytics expects its Technology Service Providers to meet, at a minimum, the following requirements for maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

    • Any Technology Service Provider that Capitalytics uses for providing its offerings must maintain a SAS-70 Type II certification or equivalent (e.g., SSAE-16), and be willing to release opinion letters or other appropriate documentation to Capitalytics for dissemination under agreement to Capitalytics clients and other interested parties.
    • Any Technology Service Provider that Capitalytics uses will need to physically secure its facilities against intrusion at all times. Physical security is expected to include monitored security cameras, guarded building entrance and exit access points, and stringently controlled key card access to elevators, floors and roof areas. Fire suppression and prevention facilities would also be expected. Provisions for continued operation during the extended unavailability of electricity from standard providers (i.e., the availability of, e.g., solar or fuel-based generators) must be in place.
    • Any Technology Service Provider that Capitalytics uses will be required to provide protection from the loss of physical components (e.g., disk drives) that are necessary to provide our service, as well as diagnostics to indicate the potential failure of such components.

    Capitalytics will use one or more Technology Service Providers to ensure that its services are reliably available in case of a natural or man-made disaster at one of its Technology Service Providers' locations. Capitalytics intends to be able to recover from any disaster within a one hour period with no loss of non-recoverable data.

  4. Information Security

    Capitalytics will implement and maintain appropriate security measures to protect against unauthorized access to or use of Confidential Information; such measures shall include (without limitation), as applicable: (a) access controls on information systems, including controls to authenticate and permit access only to authorized individuals; (b) encryption of Confidential Information; (c) dual control procedures, segregation of duties, and (where deemed appropriate) national or federal criminal background checks for employees with responsibilities for, or access to, Confidential Information; and (d) appropriate training to implement necessary information security measures.

    Specifically, Capitalytics will require that its servers utilize state-of-the-art techniques to ensure the protection of the data on its servers. These techniques will include, but are not limited to, firewalls, encrypted communication channels, per-user passwords with appropriate requirements for periodic changes, and the continued maintenance of software dependencies in order to take advantage of the latest proven security techniques.

  5. Breach Management & Recording

    While Capitalytics will use every practical means at our disposal to ensure that our systems remain secure, there is always the possibility of intrusion into any computer system. In the event that Capitalytics becomes aware that its systems have been breached, Capitalytics will notify potentially affected clients, and will use responsive and effective means (e.g., telephone, email, etc.) to notify clients of the details, extent, and potential exposure of a breach. Capitalytics will use every practical means at our disposal to reclaim data on behalf of our clients after a breach, where possible.

  6. Management of Confidential Information

    As mentioned above, Capitalytics is pre-eminently concerned about maintaining a high level of trust with its clients. A significant part of this concern revolves around how Capitalytics manages the Confidential Information that is provided by its clients as part of Capitalytics services.

    All Confidential Information is to be used only for the expressly agreed upon purposes between Capitalytics and its clients. Personnel are required to use multiple user-ids and passwords in order to access various secure (software and hardware) systems as part of providing Capitalytics services; in the event that Capitalytics personnel are terminated, their credentials are immediately changed and secured on, or removed from, all systems.

    While Capitalytics will appropriately respond to all court orders as directed by our counsel, at no time is any Confidential Information to be transmitted from any Capitalytics server for any unapproved, unintended, and/or unlawful purpose. This statement includes, without being limited to, transferring databases, files, records (current or otherwise), or data elements via network protocol, email, print, photograph, facsimile, electronic device (e.g., portable storage drive) or any other means.

    Capitalytics policy for storing Confidential Information (i.e., preserving "data at rest") is to use state-of-the-art encryption where feasible, as prescribed by the application using the data and by how quickly and how frequently the data must be made available. Current standards for data encryption as of this writing include AES256 encryption.

    Capitalytics policy for transmitting Confidential Information (i.e., preserving "data in motion") to/from secured systems is to use an appropriately configured (prescribed by contemporary standards for information security) certificate exchange protocol that reasonably ensures the authenticity of the computers at both ends of the connection. Current standards for secure endpoint authentication and data transmission are SSLv3 and TLS technology using an appropriately issued certificate.

    The actual process for Capitalytics to send and/or receive information may require multiple steps of moving data between systems for successive stages of processing, but each step should entail transmitting and storing Confidential Information per the previous statements.