The security of the Transaction Commons platform depends on:

• Access to the Genuine Transaction Commons Site
• Proper Use of Confidential Login Credentials
• Transaction Commons’ Security Protocols
• Caution Around Third Party Interaction
• Additional Safeguards Suitable for the Situation

Access to the Genuine Transaction Commons Site

As the first step, CONFIRM THE URL that you are using to access Transaction Commons (“TC”).  It should be https://private.transactioncommons.com.  The only messages you will receive from Transaction Commons that provide a link to the TC login page will be the standard transaction activity notices.  You will not be able to access documents identified in those notices without going through the login process.

Proper Use of Confidential Login Credentials 

Transaction Commons imposes only basic password requirements and does not force periodic password changes.   Two-factor authentication is available, but is implemented only upon the request of the Transaction Administrators.  These approaches reflect decisions made by our customers on the trade-off between security and convenience.

With this background in mind, it is important that users follow a personal password process that takes into consideration these recommendations:

• Pick a strong password. Balance the strength of the password against the sensitivity of the information that exists on the service platform. Use a long password with a combination of numbers, letters, capitalization, and special characters.  Avoid dictionary words. THERE IS NO LIMIT ON HOW LONG A PASSWORD YOU MAY USE FOR TC.  Consider a complex phrase.
• Don’t use the same password for TC that you use for other platforms. Yes, this can add complexity and reduce convenience, but because of the sensitivity of the information likely to be on Transaction Commons this is an important rule to follow.    If you choose to use the same password across multiple service platforms, it is important that you change it periodically.  Avoid having your TC passwords saved/remembered by your device(s).  Consider using a password manager (like LastPass) that will assign a very strong TC login password.
• Enter your TC password only on trusted devices and be careful with public WiFi networks. Use only trusted devices that are running robust virus detection software.   Realize that keyboard tracking viruses can record websites visited and login information entered.   Especially with public WiFi networks, only enter the password you use for TC on secure service platforms (following the https protocol).
• Don’t share your password with anyone. Even if you trust them to not misuse it – do you trust them to follow the other guidelines outlined here? Will their reliance on the password make you reluctant to follow these guidelines?   For example, would you be less inclined to periodically change the “shared” password?
• Change your initial password. New Transaction Commons users receive an email with their registered email address and an initial password to login. Transaction Commons recommends that the system-generated initial password be changed upon the user’s first login to Transaction Commons. You can reset your password at any time by going to the Profile tab on the blue navigation bar.   Password requirements are described on that page.

Transaction Commons’ Security Protocols

Transaction Commons’ browser-to-server security safeguards are provided using Secure Socket Layer (SSL) security protocol.  All current versions of browsers supported by Transaction Commons have integrated SSL capability.  The URL access method “https” signifies connection to a server using SSL.

When an authorized user initially loads the main Transaction Commons page, Transaction Commons’ system generates a unique session key, which consists of random numbers and letters.  When a user enters his/her registered email address and password, the password is encrypted and compared to the stored password.  If the user-entered and stored passwords match, the user’s email address, password, and initial session key are combined to form a unique session key. This key is embedded on all pages returned to the user. If a user request comes to the server with a valid key, the request is honored. If the user is logged in but does not use Transaction Commons for more than a defined time period, the session key expires and the user must re-initiate the login procedures.  User passwords are stored on the Transaction Commons servers in encrypted form.

Transaction Commons’ servers are hosted at a third party data center.  Security at this data center includes a continually staffed security station and biometric access controls. Systems are protected by firewalls and encryption technology. All facilities have redundant power/back-up generators, environmental controls, and 24 hour monitoring.

Caution Around Third Party Interaction

No one from Transaction Commons “Support” will ever initiate a call to a TC user, and TC will never ask for your password.  TC recommends that you DO NOT discuss your use of Transaction Commons for a specific transaction with anyone outside the known transaction participants.  (You are welcome to tell others that you are happy with Transaction Commons in general!)

Additional Safeguards Suitable for the Situation

Two-factor authentication is available.  Please contact your transaction administrator if you believe that this higher level of password security is important for your transaction.

Finally, no security practices are infallible and TC recommends a further level of security at the document level for particularly sensitive documents, especially those containing personal information (such as Social Security numbers) that does not need to be shared in the context of the transaction or project.   Separate password protection of sensitive documents and redaction of sensitive information should be seriously considered by TC users and transaction administrators.