EIC Trust Center
At Economic Impact Catalyst, we’re serious about security and have adopted the industry standards for security across our platforms. Learn more about the measures we take to protect user data and defend the Startup Space platform and customer data. As a technology company, we understand the importance of implementing robust cybersecurity measures to safeguard sensitive information. We utilize encryption, access controls, vulnerability testing, and other best practices to help prevent breaches and reduce risks. Our information security team stays up-to-date on emerging threats and regularly reviews policies to identify areas for improvement. We also provide training to employees on security protocols and safely handling data. Protecting client and user privacy is a top priority, and we’re committed to being transparent about our security posture. If you have any additional questions about our security program, please don’t hesitate to reach out.
Security Practices
Keeping customer data safe and secure is a huge responsibility and a top priority. We work hard to protect our customers from the latest threats. Your input and feedback on our security is always appreciated.
SOC 2 Type 2 compliant
We are committed to providing strong security, availability, processing integrity, confidentiality, and privacy. To demonstrate this commitment, we have undergone SOC 2 Type 2 certification with the help of Vanta.
Encrypting data at transit
Whenever your data is in transit between you (or your users) and us, everything is encrypted, and sent using HTTPS. During a user agent’s (typically a web browser) first site visit, startupspace.app sends a Strict Transport Security Header (HSTS) to the user agent that ensures that all future requests should be made via HTTPS even if a link to Startupspace.app is specified as HTTP. Cookies are also set with a secure flag.
Encrypting data at rest
Data backups are encrypted. Files uploaded by users are stored and encrypted at rest.
Hosted by AWS
Startup Space is hosted on AWS. Our database is designed and maintained ensuring redundancy, high availability and trustworthy, automated, encrypted backups. AWS is certified for a growing number of compliance standards and controls, and undergoes several independent third party audits to test for data safety, privacy, and security. Read more about the specific certifications on the AWS compliance page.
Organizational practices
We operate under the principle of least privilege: Employees are assigned the lowest level of access that allows them to do their work. Two-factor authentication is enforced in all sensitive systems. All employees are required to use 1Password to generate and store strong passwords that are never reused. All employees are required to encrypt local hard drives and enable screen locking for device security. All access to application admin functionalities is restricted to a small subset of EIC staff. We never store customer data on personal devices (like laptops).
Penetration testing
On top of our development-related continuous testing, we also conduct periodic third-party manual penetration testing of both our application and infrastructure. For more information, you can email us at security@eicatalyst.com.
We protect your billing information
All credit card transactions are processed via Stripe using secure encryption—the same level of encryption used by leading banks. Card information is transmitted, stored, and processed securely on a PCI-Compliant network.
We protect your data
All data is backed up daily and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.
Your users' data never leaves our servers
We distinguish between data about your users and data about you, yourself. While, for example, your billing information is shared with Stripe, and your profile is accessible to us in our help desk software, any data about you or other users are never shared with any external providers, and never leaves our server cluster hosted with Amazon Web Services (AWS).
We don't collect information from your users' browsers
By default, we only track the time a user spends on a page to prevent unauthorized activity. No other information is collected from users’ browsers.
Threat detection and intrusion prevention
We employ threat detection and intrusion prevention systems from AWS to identify and prevent malicious threats.
Development practices
All code changes are thoroughly tested in a staging environment before deploying to production. We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly. We use several tools and services to automatically monitor uptime and site availability. Key employees receive automatic email and SMS notifications in the case of downtime or emergencies.
Regularly updated infrastructure
Our software infrastructure is updated regularly with the latest security patches. Our products run on a dedicated network which is locked down with firewalls and carefully monitored. While perfect security is a moving target, we work with security researchers to keep up with the state-of-the-art in web security.
Have a concern? Need to report an incident?
Have you noticed abuse, misuse, an exploit, or experienced an incident with your account? Send urgent or sensitive reports directly to security@eicatalyst.com. We’ll get back to you as soon as we can, usually within 24 hours. Please follow up if you don’t hear back. For requests that aren’t urgent or sensitive: submit a support request via info@eicatalyst.com