Brief Overview of Company
MARQUIS was founded in the mid-1980s, providing innovative solutions that solve some of the most compelling challenges facing financial institutions. With software, outsourcing, consulting services, and direct mail fulfillment specifically for banks and credit unions, MARQUIS takes the time to understand what clients need and then focuses efforts on delivering results. We truly believe that it is our job to make each client’s job easier. We provide solutions that get results through marketing and sales tools, compliance management, consulting and more. As an organization that serves financial institutions worldwide, we adhere to the security policies demanded by the industry and the regulators. We perform annual security audits to verify that our staff is following the procedures required to assure the privacy of all confidential data.
This Security Statement is aimed at providing you with more information about our security infrastructure and practices. Our privacy policy contains more information on how we handle data that we collect.
Information Security Policy
MARQUIS maintains a written Information Security Policy that extensively details the organization’s commitment and compliance with various security policies, including but not limited to Acceptable Use Policy, Encryption Policy, Data Backup Policy, and Disaster Recovery Plan. Additionally, MARQUIS’ Information Security Policy addresses Environmental Controls, Network Operations, and Physical and Electronic Access. MARQUIS actively participates and receives certification of Service Organization Control (SOC 2) reports as the result of an in-depth audit of the centers’ control objectives and control activities, including controls over information technology and all other related processes.
MARQUIS receives signed acknowledgement from each relevant party that they have read, understand, and agree to abide by the policies, before providing authorized access to MARQUIS information systems. This policy is periodically reviewed and updated as necessary.
Personnel Security
MARQUIS employees adhere to the organization’s guidelines, including those regarding confidentiality, business ethics, authorized usage, professional standards, and various employment policies. All newly hired MARQUIS employees undergo extensive onboarding training and education, as well as employees signing and acknowledging confidentiality obligations and the MARQUIS Handbook.
Physical and Environmental Security
MARQUIS has established policies, procedures, and infrastructure to handle both physical security of the storage of data as well as the environment from which the data is stored and accessed. All of the external doors to the MARQUIS’ office space are locked at all times and require key card authorization for entry. Additionally, a few offices have locksets to further restrict entry. The server and network equipment are accessible only with designated key cards. Access to areas where systems, or system components, are installed or stored are segregated from general office and public areas. These data storage facilities have completed a Service Organization Controls (SOC) 2 Type II audit. Security controls at data centers hosting MARQUIS cloud-based services are based on standard technologies and follow solid industry practices. The physical security controls are constructed in such a way as to eliminate the effect of single points of failure and retain the resilience of the computing center.
Business Continuity and Disaster Recovery
Although it is impossible to account for all potential risks, MARQUIS has enacted policies and procedures to minimize service interruption due to hardware failure, natural disaster, or other catastrophe, and we implement a disaster recovery program at all our data storage facilities, including ensuring similar compliance at all third-party or cloud-based facilities.
Data Overview
Maintaining the integrity and confidentiality of Customer Data is MARQUIS’ highest responsibility. To fulfill this responsibility, MARQUIS has several policies which cover Client Implementation, Data Transfer, Data Storage, Data Destruction and Data Transit.
Before MARQUIS will receive any data from a customer, MARQUIS must receive a signed Software or Services Agreement or a Non-Disclosure Agreement that includes the Privacy and Confidentially Statement. These agreements provide the baseline for the transfer of data in a safe and secure manner.
Data may be sent to MARQUIS by a client various times throughout an Agreement, using a variety of methods. Regardless of the method chosen, MARQUIS’ client is instructed to make every effort to encrypt, password protect, and otherwise secure its data prior to delivery to MARQUIS. When MARQUIS returns data back to the client, it is always encrypted.
During the course of a contracted project, which includes the setup phase for new clients, all of a client’s data is stored on a secure network. The secure network is organized by task and business line so that only employees involved in the processing of an institution’s data may have access to that institution’s data.
Once MARQUIS has completed the contracted project data provided to MARQUIS and all data generated by MARQUIS for the customer will be destroyed. Additionally, all reports will be deleted or shredded for the client’s protection. MARQUIS utilizes a credited destruction service. Proof of destruction will be provided at the client’s request.
Data Classification
MARQUIS treats all client data as confidential information and is committed to taking all reasonable action to protect this data appropriately. Data classification provides a framework for managing content. The goal of data classification policy is to allow users to identify, understand, better manage, and employ an appropriate level of security for the data. All data should be transmitted through secure methods, but more importantly should always be encrypted and password protected.
Sensitive Data Classification
Sensitive Data is data that allows access to a specific account or information that is not readily available via public sources. Sensitive Data also includes any data provided by external entities, particularly when provided as a subscription or contractually provided service, such as any data from Equifax, Datamyx, Experian, and other information vendors.
Insurance Standards
MARQUIS maintains commercially and industry appropriate levels of insurance, including Cyber and Umbrella policies.
Vendor Due Diligence
MARQUIS understands that some degree of due diligence may be required by your financial institution (“FI”) to contract with MARQUIS. If you are a prospective client, you should contact your Sales Representative who will then request MARQUIS legal counsel to complete the request. If such request is made, your FI and MARQUIS enter into a Non-Disclosure Agreement in order to share MARQUIS’ Due Diligence documents.
If you are an existing MARQUIS Client, please click here, and MARQUIS legal team will review your request and either (a) have your FI enter into a Non-Disclosure Agreement with MARQUIS, if there is no non-disclosure agreement between MARQUIS or Client or (b) MARQUIS’ legal team will send your FI’s compliance team the requested documents.