
Security FAQ

This article answers frequently asked questions around Gain's Security.

Updated over a month ago

At Gain Compliance, keeping client data safe and ensuring secure system access are key to building trust and staying compliant with regulations. We’re committed to security, using tools like SOC (Security Operations Center), SSO (Single Sign-On), MFA (Multi-Factor Authentication), and secure login processes. These measures protect both our systems and our clients, helping everyone stay compliant with industry standards. By making sure only the right people have access to important information, we reduce the risk of data breaches and keep our services reliable.

If you see suspicious email activity, please forward the email to [email protected]

Question: What browsers or devices are supported for logging in?

Answer: We highly encourage Google Chrome. Our application's functionality is best supported in Google Chrome.

Question: How do I change my login credentials (email/password)?

Answer: Please reach out to [email protected] to update your email address. To update your password, you will need to go through the Forgot Password steps on the login page.

Question: "Please provide security documentation on how the solution manages passwords complexity requirements, password expiration settings, session timeouts and 2-factor authentication capabilities."

Answer: Thanks for reaching out about our password policies. Gain Compliance subscribes to industry best practices with regard to passwords: passwords must have a minimum of 8 characters and at least one lower-case letter, one upper-case letter, one number and one special character. Passwords are checked against a list of the 10,000 most common passwords. Authenticated sessions are limited to the length of the browser session. Password resets are allowed via a self-serve interface; users must receive an email at the address associated with their account to reset their password. We do not require changing passwords at regular intervals.

We do have multi-factor authentication (MFA) available. The current implementation uses Google’s Authenticator App. If this is something that you are interested in, please reach out to your Customer Success Manager.
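The password rules stated above, written out as a validation function. This is an added example and not Gain Compliance's own code; the short COMMON_PASSWORDS set is a constructed stand-in for the 10,000-entry list the answer refers to.

```python
"""Password-policy check modelled on the rules in this FAQ (added example, not Gain's code)."""
import string
from typing import List

# Constructed stand-in for the 10,000-most-common-passwords list mentioned in the FAQ.
# A real deployment would load the full list from a file; these entries are illustrative.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome1!", "passw0rd!",
})

MIN_LENGTH = 8


def check_password(candidate: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    # Compare case-insensitively so that a capitalised variant of a common
    # password is still rejected even though it satisfies the complexity rules.
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    return problems


def is_acceptable(candidate: str) -> bool:
    """True when the candidate passes every rule in the policy."""
    return not check_password(candidate)


if __name__ == "__main__":
    for pw in ("Passw0rd!", "Ab1!", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw) or "OK")
```

Note that "Passw0rd!" meets every complexity rule yet is still rejected by the denylist check, which is why the common-password comparison matters more than the character-class rules.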

Question: Are we able to access the Gain URL before we have live access to our documents for filing? We need it for documentation.

Answer: Best practice is for Gain to provide the customer access to the application once all of their documents are fully set up. The link can be provided, but the application may not be accessible until Users have been added to the Customer's Organization.

Question: Does Gain offer 2-Factor/Multi Factor Authentication?

Answer: Multi Factor Authentication is available and can be turned on per request. Specific instructions on how to set this up for your team can be provided by the Customer Success Manager.

Question: How does the access provisioning and deprovisioning process work?

Answer: The administrator(s) of your organization in Gain can add and remove users via the triple bar menu (“hamburger icon”) located in the upper left of the application, under the title ‘Users’.

Question: Does Gain provide roles, or base permissions on “role grids?”

Answer: Yes, administrators can assign roles and permissions to each of their users via the triple bar menu (“hamburger icon”) located in the upper left of the application, under the title ‘Users’.

Supplemental Compensation Exhibit roles can be given to Admins or Managers at this time, and can be added by contacting [email protected].

Question: User access lists and logs – Can the vendor provide listings of who has access? Is it current point in time only or can they provide info regarding the adding or removal of access for an ID?

Answer: You can access your own user list via the triple bar menu (“hamburger icon”) located in the upper left of the application, under the title ‘Users’. This is a list of current users at the current point in time.

Question: Session time-outs – Will the session automatically time-out for non-use? If so, how long does it take?

Answer: Sessions expire after 24 hours, but will extend if you’re active at that time.

Question: Can we provide a report for customers that shows when users last changed their password?

Answer: Yes, please contact [email protected].

Question: Password changes – Do they require password changes and, if so, at what frequency? Or is it that, once you are set up, it never expires?

Answer: Based on NIST recommendations, we do not require changing passwords at regular intervals.

Question: Data encryption – Is data encrypted both in motion and at rest?

Answer: All data is encrypted in-transit and at rest. Gain Compliance data is stored on Google Cloud Platform (GCP) which has the following encryption standards: All data stored in Google Cloud is encrypted using AES256 or higher encryption.

Question: Data encryption, okay I really want to know the details – Is data encrypted both in motion and at rest? (Start with the simple answer above; what follows is for SOC 2 auditing purposes.)

Answer: All data is encrypted in-transit and at rest. Gain Compliance data is stored on Google Cloud Platform (GCP) which has the following encryption standards:

  • Google uses several layers of encryption to protect customer data at rest in Google Cloud products.

  • Google Cloud encrypts all customer content stored at rest, using one or more encryption mechanisms.

  • Data for storage is split into chunks, and each chunk is encrypted with a unique data encryption key. These data encryption keys are stored with the data, encrypted with ("wrapped" by) key encryption keys that are exclusively stored and used inside Google's central Key Management Service. Google's Key Management Service is redundant and globally distributed.

  • All data stored in Google Cloud is encrypted at the storage level using AES256.

Google uses a common cryptographic library, Tink, which incorporates Google's FIPS 140-2 validated module, BoringCrypto, to implement encryption consistently across almost all Google Cloud products. Consistent use of a common library means that only a small team of cryptographers needs to implement and maintain this tightly controlled and reviewed code.

Question: What city is our Data stored in?

Answer: Gain Compliance stores customer data across distributed and redundant data centers across the United States to provide fast, resilient, and secure access for every one of our customers.

Question: What version am I on in the Gain Application?

Answer: Gain Compliance uses a continuous release strategy. As a Software-as-a-Service (SaaS) solution we manage all of the updates ourselves – our customers only need to open https://app.gaincompliance.com to get the most up-to-date version.

Our software is updated frequently to provide improvements and fixes. It is also composed of many different services and components. Due to the frequency and complexity of our system, we do not use traditional version numbers.

Question: What Certificate does Gain Compliance have?

Answer: Gain Compliance is SOC 2 certified, which means we've gone through a thorough check to make sure our systems and processes keep customers' data safe, private, and available when they need it. Think of it as an extra layer of trust—our setup meets industry standards for keeping everything secure and reliable.

Question: How can I receive Gain Compliance’s SOC 2 report or a SOC Bridge Letter?

Answer: We are able to share those documents with you at your request. Please contact your Customer Success Manager or [email protected].

Question: How do I fill out a Security or Risk Assessment?

Answer: If you have a security or risk assessment that you need Gain Compliance to fill out on your behalf, please contact your Customer Success Manager directly.

Question: Is Gain SOC1 certified?

Answer: A SOC 1 audit looks at data accuracy and topics outside of data security. Gain Compliance is recertified twice annually by the NAIC to ensure our data model, validation rules, and export files conform to the NAIC rules, guidance, and compliance requirements.
