The Modern ETRM/CTRM Platform That Prioritizes Security
Security is the most important aspect of Molecule’s trading risk management software — in both our application and as part of our daily operations.
We designed and built our product with security at its core, and we operate our company to meet or exceed the highest security standards in the industry. Our priority is to ensure Molecule is one of the most reliable and secure ETRM/CTRM systems ever built.
Our Security Measures
Molecule protects your trading data using seven different security measures:
Application Security
SDLC
Molecule maintains Software Development Life Cycle (SDLC) policies that govern the design and implementation of any application and infrastructure changes.
Patching
Our patch management policy ensures that operating systems, software, frameworks, and libraries used in Molecule’s infrastructure are regularly updated to the latest versions.
Secrets Management
Application secrets are managed through specialized secrets management software. Access is restricted internally.
Best-In-Class Tooling
Molecule is built on industry-standard technologies including Ruby on Rails, Python, and PostgreSQL.
Account Security
Login + Signup
Molecule uses Auth0 to support web authentication. Customers can opt to manage user access through Single Sign-On (SSO) authentication using an external identity provider, or via user-configured passwords.
Password + Session Policies
Molecule encrypts all passwords, in transit and at rest. It also requires strong passwords, strongly recommends two-factor authentication (2FA), and supports a variety of Single Sign-On (SSO) providers, such as Okta, Azure AD, Google Workspace, and more.
Sessions on Molecule have a finite duration. Molecule also has automatic user cool-down and lock-out functionality built in, and we continually add further security functionality.
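As an added illustration of the three mechanisms named above (a cool-down after a failed login, a lock-out after repeated failures, and sessions with a hard expiry), here is a small Ruby model of that logic. It is not Molecule's code: the thresholds, the `AccountGuard` class and the injected `verifier` callable (standing in for Auth0 or a password-hash check) are assumptions.

```ruby
require "securerandom"

# Added example (not Molecule's code): failed-login cool-down, lock-out after
# repeated failures, and sessions with a hard expiry. Thresholds are assumptions.
class AccountGuard
  MAX_FAILURES  = 5          # assumption: failures before the account locks
  COOLDOWN_SECS = 60         # assumption: pause enforced after each failure
  SESSION_TTL   = 8 * 3600   # assumption: hard session lifetime in seconds

  LoginResult = Struct.new(:ok, :reason, :session_id)

  # verifier: callable(username, password) -> true/false (stands in for
  # Auth0 or a password-hash check). clock is injectable for testing.
  def initialize(verifier, clock: -> { Time.now.to_i })
    @verifier = verifier
    @clock = clock
    @state = Hash.new { |h, k| h[k] = { failures: 0, cooldown_until: 0, locked: false } }
    @sessions = {}
  end

  def login(username, password)
    st  = @state[username]
    now = @clock.call
    return LoginResult.new(false, :locked, nil)   if st[:locked]
    return LoginResult.new(false, :cooldown, nil) if now < st[:cooldown_until]

    unless @verifier.call(username, password)
      st[:failures] += 1
      if st[:failures] >= MAX_FAILURES
        st[:locked] = true                  # stays locked until an admin unlocks
        return LoginResult.new(false, :locked, nil)
      end
      st[:cooldown_until] = now + COOLDOWN_SECS
      return LoginResult.new(false, :bad_credentials, nil)
    end

    st[:failures] = 0
    sid = SecureRandom.hex(32)              # 256-bit random session id
    @sessions[sid] = { username: username, expires_at: now + SESSION_TTL }
    LoginResult.new(true, :ok, sid)
  end

  # Resolve a session id to a user; expired sessions are purged, not extended.
  def session_user(sid)
    s = @sessions[sid]
    return nil unless s
    if @clock.call >= s[:expires_at]
      @sessions.delete(sid)
      return nil
    end
    s[:username]
  end

  # Administrative unlock; resets the failure counter as well.
  def unlock!(username)
    @state[username] = { failures: 0, cooldown_until: 0, locked: false }
  end
end
```

The cool-down refuses further attempts for a short window after each failure without counting them, which slows online guessing without locking the legitimate user out on one typo; the lock-out only triggers once the failure counter reaches the threshold and is cleared by an administrative action, not by time. The session lookup deletes an expired session rather than sliding its expiry.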
Customer/Account Permissions
All Molecule data is tagged with an account ID, so users can only access data that belongs to their account (and this is tested automatically and manually on a regular basis).
Our team tests every new release to ensure every user only sees what they are authorized to see. Even master data is designed to not reveal anything you don’t want revealed.
User Permissions
An account administrator can grant permissions to govern the actions users can perform in the system and the screens and types of data users can see.
API Permissions
API access requires a username and token. The token is one-way encrypted and easy to revoke.
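To show what one-way storage of an API token looks like in practice, the following Ruby class (an added example, not Molecule's code) issues a random token, keeps only its SHA-256 digest, verifies presented tokens with a constant-time comparison and supports revocation. The `ApiTokenStore` name, its in-memory storage and the sample usernames are assumptions.

```ruby
require "securerandom"
require "digest"

# Added example (not Molecule's code): API tokens are issued once in clear
# text and stored only as a one-way SHA-256 digest; verification compares
# digests in constant time and revocation marks the record, so a database
# read never yields a usable token. Names and structure are assumptions.
class ApiTokenStore
  Record = Struct.new(:username, :digest, :revoked_at)

  def initialize
    @records = Hash.new { |h, k| h[k] = [] }   # username => [Record, ...]
  end

  # Returns the only clear-text copy of the token that will ever exist.
  def issue(username)
    token = SecureRandom.urlsafe_base64(32)    # 256 bits of entropy
    @records[username] << Record.new(username, digest_of(token), nil)
    token
  end

  def authenticate(username, token)
    d = digest_of(token)
    @records[username].any? { |r| r.revoked_at.nil? && secure_equal?(r.digest, d) }
  end

  # Revoke one token; returns false if no live token matched.
  def revoke(username, token)
    d = digest_of(token)
    rec = @records[username].find { |r| r.revoked_at.nil? && secure_equal?(r.digest, d) }
    return false unless rec
    rec.revoked_at = Time.now
    true
  end

  # Revoke every token for a user (e.g. on offboarding); returns the count.
  def revoke_all(username)
    live = @records[username].select { |r| r.revoked_at.nil? }
    live.each { |r| r.revoked_at = Time.now }
    live.size
  end

  private

  def digest_of(token)
    Digest::SHA256.hexdigest(token.to_s)
  end

  # Constant-time comparison of two equal-length hex strings.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

A fast hash is acceptable here because the token itself is 256 bits of random data, so precomputation attacks on the stored digest are infeasible; user-chosen passwords need a slow, salted hash instead. Revocation is recorded rather than deleted so the audit trail keeps the fact that a token existed and when it was withdrawn.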
Audit Trails
Molecule retains access logs of every use of our application, and can make them available upon request.
Infrastructure Security
Physical AWS security
Molecule uses Amazon Web Services (AWS) as its primary cloud hosting provider. More information can be found at the AWS Compliance Center.
Network Security
Molecule has defined strict network security rules. Only the portions of the application we specify are available outside Molecule’s internal network.
Communication within the data center is secured by Amazon’s anti-packet sniffing and anti-promiscuous mode technology.
Staging Environment
Molecule has multiple staging environments that are isolated from our production environment. Any infrastructure or application change is first deployed and tested in a staging environment before it is rolled out to production.
Production Access
To access our production environment, engineers are required to use AWS Client VPN, which establishes a secure connection between the endpoint device and the AWS network.
Access to the AWS Console is restricted to necessary personnel. SAML and 2-factor authentication are required to log into the console.
Data Security
Multi-tenant Architecture
Molecule’s E/CTRM is built as a pure multi-tenant SaaS application. At the data layer, all customer accounts are logically isolated with data access limited to the account’s users.
Testing on Every Release
Automated testing ensures that account security is maintained as features are added and changed. Molecule employs a modern array of testing techniques.
The app also runs a robust set of checks on itself daily.
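The account-ID tagging described under Customer/Account Permissions and the release-time tenancy testing described here are both illustrated by the following Ruby model. It is an added example, not Molecule's code: the `Trade` records, the `TradeRepository`/`Scope` classes, the account ids and the `tenancy_check` routine are all constructed for the illustration.

```ruby
# Added example (not Molecule's code): every row carries an account_id, the
# only way to read rows is through a scope bound to one account, and a
# release-style self-check confirms no account can see another's rows.
# The Trade records and account ids below are constructed sample data.
class AccountScopeError < StandardError; end

Trade = Struct.new(:id, :account_id, :commodity, :volume)

class TradeRepository
  def initialize(rows)
    @rows = rows
  end

  # The public API exposes no unscoped finder: callers must name an account.
  def for_account(account_id)
    Scope.new(@rows, account_id)
  end

  class Scope
    def initialize(rows, account_id)
      if account_id.nil? || account_id.to_s.empty?
        raise AccountScopeError, "account_id is required"
      end
      @rows = rows
      @account_id = account_id
    end

    def all
      @rows.select { |t| t.account_id == @account_id }
    end

    # A row outside the scope is reported as "not found", not "forbidden",
    # so the existence of other accounts' ids is not confirmed.
    def find(id)
      t = all.find { |x| x.id == id }
      raise KeyError, "trade #{id} not found" unless t
      t
    end
  end
end

# Self-check in the spirit of a per-release tenancy test: for every account,
# the rows visible through its scope must equal exactly its own rows.
def tenancy_check(repo, rows)
  rows.map(&:account_id).uniq.all? do |acct|
    visible  = repo.for_account(acct).all.map(&:id).sort
    expected = rows.select { |r| r.account_id == acct }.map(&:id).sort
    visible == expected
  end
end

SAMPLE_TRADES = [
  Trade.new(1, "acct-A", "WTI",    1_000),
  Trade.new(2, "acct-A", "HH-GAS",   250),
  Trade.new(3, "acct-B", "BRENT",    500),
].freeze
```

The design point is that the scope is the only entry to the data, so a missing or empty account id fails loudly instead of silently returning everything, and a lookup for another account's row is indistinguishable from a lookup for a row that never existed.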
Backups
Data is backed up in near real-time, and nightly cold backups of all databases are also taken. Backups are tested weekly, and offsite backups are also updated at short intervals.
Encryption at Rest
All customer data is stored within AWS and encrypted at rest, providing an added layer of security. Encryption combined with access controls reduces the risk of unauthorized access to stored data.
Encryption in Transit
All customer data is encrypted in transit using the Transport Layer Security (TLS) protocol. Insecure protocols, such as HTTP, are either redirected to HTTPS or blocked using AWS security groups.
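The application-level half of that redirect, written as a Rack-style middleware in Ruby, is shown below as an added example (not Molecule's code). It redirects plain-HTTP requests to HTTPS, adds an HSTS header to secure responses, and handles the load-balancer case where the application itself only sees HTTP and must rely on `X-Forwarded-Proto`. The `ForceTls` class, the `trusted_proxy` option and the `app.example.test` hostname are assumptions.

```ruby
# Added example (not Molecule's code): a Rack-style middleware that answers
# plain-HTTP requests with a redirect to HTTPS and stamps HSTS on secure
# responses. Behind a load balancer the app itself sees HTTP, so the
# X-Forwarded-Proto header is honoured only when trusted_proxy is set.
# Hostnames in the sample requests are constructed.
class ForceTls
  HSTS = "max-age=31536000; includeSubDomains".freeze

  def initialize(app, trusted_proxy: true)
    @app = app
    @trusted_proxy = trusted_proxy
  end

  def call(env)
    return redirect_to_https(env) unless https?(env)

    status, headers, body = @app.call(env)
    [status, headers.merge("strict-transport-security" => HSTS), body]
  end

  private

  def https?(env)
    return true if env["rack.url_scheme"] == "https"
    return false unless @trusted_proxy
    # Take the first hop if the proxy chain appended several values.
    env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip == "https"
  end

  def redirect_to_https(env)
    query  = env["QUERY_STRING"].to_s
    target = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    target += "?#{query}" unless query.empty?
    # 301 for safe methods; 307 keeps the method and body for anything else.
    status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    [status, { "location" => target, "content-type" => "text/plain" }, ["Redirecting to HTTPS"]]
  end
end

# Trivial downstream app standing in for the real application.
INNER_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }

def handle(env, trusted_proxy: true)
  ForceTls.new(INNER_APP, trusted_proxy: trusted_proxy).call(env)
end

# Builds a minimal Rack-like env hash for a constructed request.
def sample_env(scheme:, method: "GET", path: "/trades", query: "", forwarded: nil)
  env = { "rack.url_scheme" => scheme, "REQUEST_METHOD" => method,
          "HTTP_HOST" => "app.example.test", "PATH_INFO" => path, "QUERY_STRING" => query }
  env["HTTP_X_FORWARDED_PROTO"] = forwarded if forwarded
  env
end
```

Trusting `X-Forwarded-Proto` only when the application is actually behind a proxy you control matters: if the header were honoured from any client, a direct plain-HTTP request could claim to be secure and skip the redirect. The HSTS header is added only on HTTPS responses, which is the only place browsers will accept it.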
Reliability
99.9% Uptime
Ever since its inception, Molecule has consistently met or exceeded 99.9% uptime, ensuring customers uninterrupted access to their projects and tasks. Annual uptime of 99.98% or better is routine.
BCP + DR Process
Molecule runs a BCP (Business Continuity Process) drill and DR (Disaster Recovery) simulation regularly. An internal audit is conducted to ensure both BCP and DR are seamless in case of any unforeseen circumstances.
Multi-AZ Deployments
Our application is deployed across multiple availability zones (AZ) in AWS. This ensures that our application can still recover even in case of unforeseen incidents affecting an entire AZ.
Monitoring
Molecule has monitors in place to alert our team immediately in case of service degradation to any of Molecule’s features. When a component underperforms, our engineers receive an alert within seconds. A dedicated ops team keeps tabs on these alarms.
No Downtime Deployments
New software rollouts at Molecule follow a ‘rolling deployment’ strategy, ensuring customers receive new changes without disruption.
Endpoint Security
All Laptops Are Encrypted + Managed by MDM
A Mobile Device Management (MDM) solution automatically installs all security components and allows Molecule to remotely wipe devices if they are compromised.
Employees who have access to our production infrastructure and data are required to have anti-malware software installed on their systems; this is reviewed monthly to address any shortcomings.
Penetration Testing
Automated penetration testing and vulnerability scans are run weekly, and white hat penetration testing is conducted at least annually by a third party. Based on their recommendations, updates and fixes are incorporated. Molecule has consistently received the highest possible score on our penetration tests.
Compliance
Independently Audited for AICPA SOC
Molecule meets the standards of AICPA SOC 1 Type II and SOC 2 Type II, and is audited annually to ensure compliance at the highest possible level. Our policies and system controls are audited for both effectiveness and design.
GDPR
Molecule is GDPR compliant, and data residency in the EU or North America is available. All security processes are identical in each cluster. We also provide a standard data processing agreement (DPA) in accordance with GDPR requirements.