FP Complete Security Protocols

As a core part of our work at FP Complete, staff members have privileged access to both internal FP Complete systems and customer systems. This ranges from email and document access, to control of deployed services, and in some cases to sensitive production databases.

The purpose of this document is to give general guidelines for ensuring secure treatment of this privileged access. No single document can handle all possible cases, and this document does not attempt to do so. In all cases of uncertainty, use your best judgment for determining security practices, and when warranted, ask for guidance and support from your manager or other FP Complete team members.

Communications

Secure communications are the basis for all other security practices. If your communications channels are compromised, all other security practices can be thwarted. Secure communications apply to communicating with:

  • Other FP Complete team members
  • Customers and partners
  • Potential new customers and team hires

With secure communications, you need to ensure that:

  1. You are communicating with the right person
  2. The communications channel itself is secure

Since entering the web3 space, we have seen a significant uptick in spoofing and impersonation attacks, particularly on Telegram. Be careful about any unsolicited contacts, especially on social media and messaging platforms. Whenever communicating, do not assume that an account, display name, email address, or chat profile is sufficient proof of identity on its own.

For any request involving credentials, MFA resets, access grants, sensitive documents, production access, payment instructions, wallet addresses, or unusual urgency, you must independently verify the request using a known-good channel. Use contact information already known to be valid, not contact information provided in the message itself.

For example:

  • When you receive an email, verify that the sender's domain is the domain you already know to be correct for that contact, not merely one that resembles it.
  • On Slack, ensure you are connected to the correct Slack instance.
  • When meeting a new contact, establish some external validation of the contact. For example, verify through a common third party.
  • Do not treat Telegram as a trusted channel for establishing identity or for sharing secrets. An email from a valid domain may help establish affiliation, but it is not by itself sufficient for high-risk actions.

Be careful when using new communications platforms, especially platforms that require installing software on your desktop. Try to keep communications within Slack, email, and other FP Complete-controlled systems whenever possible. If you're uncertain, ask a project manager or company executive on Slack for guidance.

Red flags in communications

If you notice any of these kinds of behaviors in communications, treat them as suspicious and take extra caution:

  • Requests that bypass normal processes (e.g., "I'm not at my computer, can you SMS me the credit card number to this phone number?")
  • Slightly altered email domains or usernames
  • Messages that "feel" off in tone or timing
  • Unexpected requests from senior leadership
  • New accounts claiming to be existing contacts
  • Requests to move conversations to new platforms
  • Unreasonable urgency added to a message
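Checking a sender's domain against the one you already know, and spotting slightly altered domains, can be partly automated. The following is an added example, not part of FP Complete's policy or tooling; the known-good domain list and the addresses it is run on are constructed placeholders, and the confusable-character table is an assumption about common lookalike tricks:

```python
import unicodedata

# Constructed known-good contact domains (assumption: your team maintains such a list).
KNOWN_GOOD_DOMAINS = {"fpcomplete.example", "customer-a.example"}

# Substitutions commonly used to build lookalike domains. They are applied after
# lowercasing and stripping diacritics, so "fpcornplete" and "fp-complete" both
# collapse to "fpcomplete" and compare equal to the known-good name.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("-", ""))


def normalize(domain: str) -> str:
    """Fold case, diacritics and confusable characters so lookalikes collapse together."""
    decomposed = unicodedata.normalize("NFKD", domain.strip().lower())
    folded = "".join(c for c in decomposed if not unicodedata.combining(c))
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between distinct domains is a red flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known_good=KNOWN_GOOD_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for the address's domain."""
    if address.count("@") != 1:
        return "invalid"
    domain = address.rsplit("@", 1)[1].lower()
    if domain in known_good:
        return "trusted"
    norm = normalize(domain)
    for good in known_good:
        good_norm = normalize(good)
        # Known-good name used as the leading labels of an unrelated domain.
        if domain.startswith(good + "."):
            return "lookalike"
        # Same registrable label under a different TLD (fpcomplete.com vs .example).
        if norm.split(".")[0] == good_norm.split(".")[0]:
            return "lookalike"
        # Near-identical after confusable folding, or within two edits of it.
        if levenshtein(norm, good_norm) <= 2:
            return "lookalike"
    return "unknown"
```

Anything classified as "lookalike" or "unknown" should be verified out of band, as the policy above requires, before acting on the message.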

Credentials management

  • Do not share passwords between multiple accounts.
  • Enable two-factor authentication wherever possible.
  • Use a password manager with a high-quality passphrase.
    • Use either Bitwarden or another password manager that, at minimum, provides end-to-end or zero-knowledge encryption, supports strong MFA for the vault account, supports secure credential sharing, and has appropriate account recovery controls.
    • For details on recommended tools, see preferred tech stack.
  • Use your password manager to generate random passwords.
  • When possible, use passkeys, which sidestep many common credential attacks (e.g., domain phishing, password reuse).
  • Do not send passwords, recovery codes, private keys, seed phrases, or other authentication secrets over ordinary chat or email. When credential sharing is necessary, use an approved secure mechanism such as a password manager sharing feature or Bitwarden Send.

Physical protection

Ensure physical protection of your devices. Within your house, ensure your devices have reasonable lock times and secure screen locks. When traveling, keep your devices in secure locations at all times. We have had incidents of physical tampering at conferences, for instance.

If a device used for FP Complete work is lost, stolen, tampered with, or believed to be compromised, report it immediately.

Devices

FP Complete is primarily a Bring Your Own Device (BYOD) company. Team members are responsible for provisioning and securing their own devices, both computers (desktop or laptop) and phones.

Any device used for FP Complete work must, at minimum:

  • Use a screen lock
  • Use device or full-disk encryption where supported
  • Be kept up to date with security patches
  • Use standard platform security protections
  • Not be rooted, jailbroken, or otherwise configured to bypass normal platform security controls

If you're using Microsoft Windows, be especially careful of malware. Install and enable standard Microsoft protection software, and be exceedingly careful when installing desktop software. Whenever possible, use web versions of applications from third parties. Compromised desktop software has been a concrete attack vector in the past.

Mac, Linux, Windows, iOS, and Android devices can all be used securely, but only if they are properly maintained and kept updated.

Third-party integrations

Be careful when enabling third-party integrations, especially those that will gain access to our corporate Microsoft or Slack accounts. If you are uncertain about a third-party integration, ask for guidance on whether it is sufficiently secure.

Do not authorize a third-party integration that requests broad access to corporate or customer systems unless it is needed for work and you understand what access it is receiving.

Personal vs company accounts

Our company policy explicitly allows use of personal accounts to access FP Complete data. This includes cases like using a personal Google account to work on Google Drive documents, or a personal GitHub account for access to source code repositories. You are also free to create dedicated accounts using your FP Complete credentials if preferred.

Any personal account used for FP Complete work is in scope for this policy and must be secured accordingly, including unique passwords, MFA where available, secure recovery methods, and immediate reporting of suspected compromise.

Incident reporting

If you believe you may have been hacked or otherwise compromised, report the incident immediately. If you're not certain, err on the side of caution and report it. In almost all cases, early reporting can prevent significant damage to our systems.

Initial reporting should normally go to company leadership or another designated internal security point of contact using a known-good channel. If you believe a normal communication channel may be compromised, use the safest available independent channel to re-establish trust before sharing details.

Be sure to preserve any relevant evidence you can for these kinds of reports, e.g.:

  • Screenshots
  • Emails
  • Message logs