SupportPay


Enterprise Security Policy


Auditing and Fraud Prevention (SOC Audit)

Yes, we have conducted a SOC audit on our operations. This audit was carried out to assess the effectiveness of our internal controls: those relevant to our customers' financial reporting under SOC 1, and those related to security, confidentiality, and privacy under the SOC 2 Trust Services Criteria. The audit involved a thorough examination of our operational processes, including access controls, data handling procedures, and risk management practices. The results of the audit confirmed that our operations align with industry best practices and meet the requirements for safeguarding client data and ensuring operational resilience.

Yes, we have performed a SOC audit on our data center. This audit specifically evaluated the physical and logical security measures in place, including network security, data encryption, disaster recovery plans, and access control policies. The audit was conducted by an independent third-party firm to ensure transparency and impartiality. The results indicated that our data center adheres to SOC 2 standards, ensuring that we meet the necessary requirements for protecting customer data and maintaining system availability and confidentiality.

Yes, we recently completed a SOC 2 Type II audit covering both our operations and data center. The report was issued as part of our partnership with Morgan Stanley & MetLife in early 2024, with quarterly audits taking place throughout the year. The independent auditors provided an unqualified (clean) opinion, indicating that our controls were suitably designed and operating effectively to meet the Trust Services Criteria for security, availability, confidentiality, and privacy. We plan to continue conducting SOC audits on an annual basis to ensure ongoing compliance and operational excellence.

Yes, in addition to SOC audits, we conduct regular internal and external security audits, penetration tests, and vulnerability assessments. Our internal security team performs quarterly vulnerability scans, while external third-party vendors conduct annual penetration tests. Additionally, we engage in bi-annual comprehensive risk assessments to identify potential vulnerabilities in our systems and address them proactively. We also conduct annual reviews of our disaster recovery and business continuity plans to ensure that we remain prepared for potential disruptions.

We have a dedicated compliance team that is responsible for ensuring our systems and services remain compliant with applicable Federal, State, and local legislative requirements. This team closely monitors changes to laws and regulations affecting data privacy, cybersecurity, and operational practices, such as GDPR, CCPA, HIPAA, and other relevant legislation. Our compliance team works with legal experts to assess the impact of any regulatory changes and adjusts our policies and procedures accordingly to maintain compliance. Additionally, we regularly conduct internal reviews to ensure our systems align with updated legal requirements.

No, this will be implemented as our company continues to grow. 

Yes, we have an established compliance monitoring program that enables us to stay updated on changes to regulatory requirements across all relevant jurisdictions. This program involves regular review of regulatory updates from sources such as government agencies, industry associations, and legal advisors. We leverage automated tools and platforms that track changes to regulations and alert our compliance team to potential impacts on our security and operational procedures. When regulatory changes are identified, we immediately assess the impact on our security controls, update our policies and training programs as needed, and ensure that all necessary adjustments are made to stay compliant with evolving legal requirements.

We have a data breach process to inform users if any data breaches occur. In addition, we regularly update our privacy policy and terms of use to meet new regulatory requirements.

Security & Fraud Protection

Yes, our organization conducts an annual security review to ensure that all data types, including personal and sensitive client information, are adequately secured. This review includes assessments of our data storage, access controls, and any visual presentation of data, whether in dashboards, reports, or other client-facing applications. The review identifies any potential vulnerabilities and ensures that appropriate encryption, authentication, and access restrictions are in place to protect client data from unauthorized access or exposure.

Yes, our organization has a dedicated Data Protection Officer (DPO) who is explicitly responsible for implementing safeguards to protect client data. The DPO oversees the development and enforcement of data protection policies, ensures compliance with relevant privacy regulations (such as GDPR and CCPA), and works closely with IT and security teams to identify and mitigate risks related to data access, storage, and transmission.

Yes, we maintain a documented inventory of the level of access that our organization and staff have to client data. This inventory is part of our access control management system and outlines the specific permissions granted to individuals based on their role, job responsibilities, and need-to-know principles. Access levels are regularly reviewed and updated to ensure that only authorized personnel have access to sensitive client data.

Yes, our organization utilizes offshore third-party resources for certain services that may have access to client data, such as customer support, data processing, and software development. We ensure that these third parties comply with our data protection and security standards through rigorous contracts, security audits, and compliance assessments. All offshore third parties are subject to the same security controls, confidentiality agreements, and regulatory compliance requirements as our internal teams.

Yes, we maintain a comprehensive inventory of all business associates, third-party vendors, and contractors to which we outsource infrastructure, data processing, storage, or receipt of client data. This inventory is regularly reviewed and updated to ensure that all third-party relationships are properly documented, and that security and compliance requirements are met.

Yes, we maintain an inventory of all tools, applications, and platforms (both internal and third-party) used by our staff and business associates that are external to our secured and controlled environment. This includes tools like Google Docs, Box, and other cloud services. We regularly audit this inventory to ensure that appropriate security measures, such as data encryption, access control, and monitoring, are in place to mitigate risks related to the use of external tools.

Yes, we have documented standards in place to ensure the secure removal of client data from electronic media before the media is made available for reuse. These standards specify that all client data must be securely wiped or destroyed using industry-standard methods such as data wiping software or physical destruction, in accordance with data retention and disposal policies. Our practices ensure that no residual data remains accessible.

Yes, we have comprehensive documentation that describes our Information Security Management Program (ISMP). The ISMP outlines our organization’s approach to managing information security, including our risk management processes, security policies, technical controls, and incident response procedures. It serves as a foundation for ensuring the confidentiality, integrity, and availability of both client data and internal information.

Yes, we provide tenants with relevant portions of our Information Security Management Program (ISMP) upon request. This may include our data protection policies, incident response procedures, and any other documents that demonstrate our commitment to maintaining a secure environment for their data. We ensure transparency while protecting sensitive internal details of our security operations.

Yes, we restrict, log, and monitor access to our information security management systems, including hypervisors, firewalls, vulnerability scanners, network sniffers, and APIs. Access to these critical systems is granted based on role-based permissions and is logged for audit purposes. We continuously monitor activity within these systems to detect any unauthorized access attempts or suspicious activity, and implement real-time alerts for immediate action when necessary.

Yes, all operating systems, including those on staff computers and application servers, are hardened as part of our baseline build standard. This includes configuring systems to allow only necessary ports, protocols, and services required to meet business needs. We also implement technical controls such as antivirus software, file integrity monitoring, and system logging to protect against unauthorized changes and vulnerabilities.

Yes, we have strict controls in place to restrict and monitor the installation of unauthorized software on our systems. These controls include endpoint protection solutions, application whitelisting, and network-level filtering. Any attempts to install unapproved software are logged and flagged for review, and unauthorized installations are blocked to prevent potential security risks.

Yes, we maintain a complete inventory of all critical assets, including hardware, software, and infrastructure, located at all sites and geographical locations. Each asset is assigned ownership, and the inventory is regularly updated and audited to ensure accuracy. This inventory is used for asset tracking, risk management, and to ensure that appropriate security measures are in place to protect each asset.

Information Security: Application & Interface Security

Yes, our organization adheres to industry standards such as the OWASP Software Assurance Maturity Model (SAMM) and ISO 27034 to ensure that security is integrated throughout our Software Development Lifecycle (SDLC). We incorporate secure coding practices, conduct regular security reviews during development, and perform threat modeling to identify vulnerabilities early. Security requirements are included in the design, coding, testing, and deployment phases, and we continuously improve our processes based on these standards to mitigate risks associated with software development.

Yes, all identified security, contractual, and regulatory requirements for customer access are addressed and remediated contractually before granting customers access to any data, assets, or information systems. Our legal and compliance teams ensure that customer agreements include clear terms related to security controls, data protection, access management, and regulatory compliance, and we implement necessary safeguards before access is granted to protect both our organization and our customers.

Yes, all requirements and trust levels for customer access are clearly defined and documented. This includes establishing the specific roles and responsibilities of users, as well as the access levels granted to customers based on their relationship with us, the sensitivity of the data they can access, and their need to know. We regularly review and update these access controls to ensure they align with the most current business and security requirements.

Yes, our data management policies and procedures require regular audits to verify the integrity of both data input and output routines. These audits are designed to ensure that all data entering and exiting our systems is accurate, complete, and properly validated. We employ automated tools as well as manual review processes to check for any discrepancies or errors, and our data integrity checks are continuously improved to address new potential risks.

Yes, our Data Security Architecture is designed in compliance with industry standards, including the CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, and FedRAMP. These standards guide our approach to securing client data, ensuring that we implement appropriate encryption, access controls, and compliance measures to safeguard data both in transit and at rest. Our architecture is regularly reviewed to stay aligned with evolving security best practices and regulatory requirements.

Yes, we have implemented adequate security safeguards, such as Two-Factor Authentication (2FA), for all end-user logins to our Internet-facing products and solutions. This additional layer of security helps prevent unauthorized access to sensitive systems and data, even if login credentials are compromised. We also offer other security measures, such as IP whitelisting and session timeouts, to further protect user accounts.

For our Internet-facing products, we implement multiple security safeguards, including:

  • Two-Factor Authentication (2FA): Required for all users to access sensitive systems, providing an extra layer of security through a combination of passwords and time-based one-time passcodes (TOTPs).
  • SSL/TLS Encryption: All user connections to our systems are encrypted using SSL/TLS protocols to prevent man-in-the-middle attacks and ensure the confidentiality of data in transit.
  • Role-Based Access Control (RBAC): Access to different features and data is restricted based on users’ roles and permissions.
  • Session Management: We enforce session timeouts and use secure cookies to minimize the risk of unauthorized access through session hijacking.

Yes, our product includes granular role-based access controls (RBAC). We define specific roles and responsibilities for users, and grant access to data and functionality based on the principle of least privilege. This ensures that users only have access to the data and tools necessary for their tasks, reducing the risk of unauthorized actions or data breaches. Access levels can be customized to align with business needs and security requirements.

Yes, our product supports centralized access management and integrates with enterprise directory and single sign-on (SSO) standards, including LDAP, SAML, Kerberos, and X.509 client certificates. This integration allows for seamless, secure user authentication across systems while simplifying user management. By leveraging SSO, users need to authenticate only once to access multiple systems, improving both security and user experience.

Yes, our product performs comprehensive audit logging of all user activity, including adds, changes, deletes, and views of information across the application, operating system (OS), and database levels. These logs are generated in real time and provide an immutable, append-only record of user actions. We use these logs for monitoring, troubleshooting, and detecting potential security incidents, as well as for ensuring compliance with audit and regulatory requirements.
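One way an application-level audit trail can be made tamper-evident, added here as an illustration and not a description of SupportPay's logging stack: each entry carries a keyed hash that commits to its own fields and to the previous entry's hash, so editing, reordering or deleting an entry breaks the chain. The entry fields, the MAC key and the sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

GENESIS_HASH = "0" * 64
FIELDS = ("seq", "at", "actor", "action", "target")


def _digest(key: bytes, body: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same entry always
    # serialises to the same bytes; HMAC rather than a plain hash so the chain
    # cannot be recomputed by someone who can write to the log store but does
    # not hold the key.
    payload = json.dumps({"prev": prev_hash, **body}, sort_keys=True,
                         separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


@dataclass
class AuditLog:
    key: bytes                      # assumption: held in a KMS/HSM, never beside the log
    entries: list = field(default_factory=list)

    def append(self, at: str, actor: str, action: str, target: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {"seq": len(self.entries), "at": at, "actor": actor,
                "action": action, "target": target}
        entry = {**body, "prev": prev, "hash": _digest(self.key, body, prev)}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Walk the chain from genesis. Returns (ok, index of first bad entry or -1)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in FIELDS}
            expected = _digest(self.key, body, prev)
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(expected, e["hash"]):
                return False, i
            prev = e["hash"]
        return True, -1

    def head(self) -> str:
        """Latest hash. Publish it out of band (e.g. to a separate system each
        hour) so that silently dropping the newest entries is also detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH


def build_sample_log() -> AuditLog:
    # Constructed sample events for the example.
    log = AuditLog(key=b"demo-audit-mac-key")
    log.append("2024-03-01T09:00:00Z", "alice", "view", "case/4711")
    log.append("2024-03-01T09:05:12Z", "bob", "update", "case/4711/payment-schedule")
    log.append("2024-03-01T09:07:45Z", "alice", "delete", "attachment/98")
    return log


def tamper_demo() -> dict:
    """What verify() reports for an intact log and three tampering patterns."""
    results = {}

    log = build_sample_log()
    results["intact"] = log.verify()

    log = build_sample_log()
    log.entries[1]["actor"] = "mallory"          # rewrite history
    results["edited"] = log.verify()

    log = build_sample_log()
    del log.entries[1]                           # remove an inconvenient entry
    results["deleted_middle"] = log.verify()

    log = build_sample_log()
    published_head = log.head()
    del log.entries[-1]                          # drop the newest entry
    results["truncated"] = (log.verify(), log.head() == published_head)
    return results
```

The last case shows the limit of a chain on its own: cutting off the tail leaves a valid chain, which is why the current head hash has to be anchored somewhere the log writer cannot reach.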

Yes, we isolate client data from other clients’ data in all hosted, cloud, or ASP (Application Service Provider) model components of our architecture. We implement logical and physical separation techniques, including the use of dedicated virtual environments, data encryption, and access control mechanisms, to ensure that each client’s data remains secure and inaccessible to other clients. This isolation protects data privacy and ensures compliance with industry regulations.

Yes, we regularly engage an accredited third-party security firm to perform penetration testing against our infrastructure, applications, and operations. These tests are designed to identify vulnerabilities and weaknesses that could potentially be exploited by attackers. The results are reviewed by our security team, and any identified issues are promptly addressed through remediation efforts.

Yes, the results of our penetration tests are available to tenants upon request. We provide a summary of findings and the actions we have taken to address any identified vulnerabilities. For transparency, we share relevant details without compromising sensitive internal information or security measures.

Yes, we enforce comprehensive password policies that include requirements for minimum length, complexity, age, and history to ensure strong password security. Additionally, we implement account lockout policies to prevent brute-force attacks. After a certain number of failed login attempts, accounts are temporarily locked, and users are required to go through a secure process to regain access.

Yes, we have mechanisms in place to unlock accounts that have been locked out. These include self-service options such as secure email-based recovery or predefined challenge questions, as well as manual unlock procedures through our support team. This ensures that users can regain access to their accounts in a secure manner while minimizing downtime.
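The password-policy and lockout rules described in the two paragraphs above, as an added worked example that is not SupportPay's code. The numeric thresholds (12 characters, three character classes, five-password history, five failures, fifteen-minute lock) are assumptions, since the page does not state the actual values; PBKDF2-HMAC-SHA256 stands in for whatever password hash is used in production.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed policy values for the example; not SupportPay's published numbers.
MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3
HISTORY_DEPTH = 5
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2; the history list stores (salt, digest) pairs, never plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def policy_violations(candidate: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy rules the candidate breaks (empty list means acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CHAR_CLASSES:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    # History check: re-hash the candidate with each stored salt and compare
    # in constant time, so old passwords never have to be kept recoverable.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


@dataclass
class LockoutTracker:
    """Per-account failed-login counter with a temporary lock.

    The login handler should return the same generic error whether the account
    is locked, unknown, or the password is wrong, so the lock state cannot be
    used to confirm which usernames exist.
    """
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failed attempt; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)

    def unlock(self, user: str) -> None:
        """Manual unlock by support, or completion of the self-service recovery flow."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)
```

Expiry is checked lazily against the caller's clock rather than by a background job, which keeps the tracker trivially shardable and makes the lock duration testable without sleeping.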

Information Security: Business Continuity Management & Operational Resilience

Yes, our organization has a comprehensive and documented plan for both business continuity management (BCM) and disaster recovery (DR). This framework includes multiple backup data storage sites, ensuring that critical data is protected and can be quickly restored in the event of an outage. We also conduct regular disaster recovery drills to simulate real-world scenarios and ensure our team is prepared to respond effectively. Additionally, we have internal data security auditors who routinely review our disaster recovery plans and business continuity measures to ensure they remain aligned with industry best practices and evolving business needs.

Our disaster recovery plan is designed to ensure the rapid restoration of operations following any disruption, whether due to natural disasters, cyber incidents, or hardware failures. The plan includes:

  • Data Redundancy: We use geographically distributed backup data centers to ensure redundancy. These sites are synchronized in real-time, minimizing the risk of data loss.
  • Critical Systems Restoration: We have predefined recovery steps for restoring critical systems and applications, with recovery time objectives (RTO) and recovery point objectives (RPO) for each system clearly documented.
  • Testing Frequency: Our disaster recovery plan is tested at least annually through full-scale recovery exercises, where we simulate disaster scenarios to verify that all systems and processes are functional. We also conduct quarterly tabletop exercises to ensure team readiness.
  • Review and Updates: The plan is reviewed and updated quarterly by the BCM and IT teams to ensure it remains current with technology changes and evolving risks.

Yes, we use industry-standard frameworks, including ISO 22301 (Business Continuity Management) and NIST SP 800-34 Rev. 1 (Contingency Planning Guide for Federal Information Systems), to assess the impact of potential disruptions and determine the criticality of services. Key components of our approach include:

  • Criticality Assessment: We categorize services and systems based on their importance to business operations and client delivery.
  • Recovery Priorities: We have established recovery priorities, ensuring that mission-critical services are restored first.
  • Disruption Tolerance: We conduct regular risk assessments to define the maximum tolerable downtime (MTD) for various systems.
  • RPO and RTO: Our recovery point objectives (RPO) and recovery time objectives (RTO) are clearly defined for each critical system and data set, ensuring timely recovery in the event of a disruption.

Yes, we have implemented backup and recovery mechanisms that align with relevant regulatory, statutory, contractual, and business requirements. This includes:

  • Data Backup: We perform regular, automated backups of all critical systems and data, adhering to data retention requirements defined by industry regulations such as GDPR, HIPAA, and SOX.
  • Encryption: All backups are encrypted, both in transit and at rest, to protect sensitive data from unauthorized access.
  • Audit and Compliance: We ensure our backup processes are audited regularly to verify that they meet the legal and contractual obligations set forth in customer agreements and regulatory frameworks.
  • Geographic Redundancy: Our backup systems are geographically distributed to comply with requirements for data residency and disaster recovery, minimizing the risk of localized failures impacting regulatory compliance.

Yes, we test our backup and redundancy mechanisms at least annually to ensure that data can be reliably restored in the event of an outage. These tests involve:

  • Full Data Recovery: We conduct full recovery tests to verify the integrity of backup data and confirm that it can be restored within the required RTO and RPO.
  • Redundancy Failover: We simulate failover scenarios to ensure that our systems can seamlessly switch to backup infrastructure without service disruption.
  • Evaluation of Backup Procedures: Each backup test is followed by a thorough review of procedures and results to identify any gaps or areas for improvement.
  • Documentation: The results of each test are documented, and any identified issues are addressed immediately to improve our disaster recovery readiness.

Information Security: Change Control & Configuration Management

Yes, our organization has established comprehensive policies and procedures for management authorization regarding the development or acquisition of new applications, systems, databases, infrastructure, services, operations, and facilities. These policies ensure that any new initiative, whether in the form of software development, infrastructure upgrades, or service procurement, undergoes a rigorous approval process before moving forward. Key elements of the process include:

  • Business Justification: A formal business case outlining the need for the new application, system, or service, including anticipated benefits, costs, and resource requirements.
  • Risk Assessment: An evaluation of the potential security, operational, and regulatory risks associated with the new initiative.
  • Management Review: A thorough review and approval by senior management, with the involvement of relevant stakeholders, including security, IT, legal, and compliance teams.
  • Alignment with Business Goals: Ensuring the new acquisition or development aligns with our overall business strategy and meets all compliance and regulatory requirements.

This ensures that all new projects are vetted and approved in a controlled manner to minimize risk and ensure alignment with organizational objectives.

Yes, our policies and procedures for change management, release, and testing are clearly defined and effectively communicated to all external business partners. This includes:

  • Formal Change Management Process: External partners are required to follow our documented change management process, which includes submitting requests for changes, undergoing impact assessments, and obtaining necessary approvals before implementing any changes.
  • Release and Testing Procedures: We provide detailed guidelines on release management and testing procedures, ensuring that external partners understand the need for rigorous testing, validation, and pre-release sign-off to prevent disruptions to production environments.
  • Documentation and Training: We regularly share updated policies, process documentation, and training materials with external partners to ensure they are aware of the standards and requirements. We also conduct periodic reviews and audits to ensure compliance.
  • Collaboration: We collaborate closely with external partners to manage changes effectively, and provide them with the tools and access they need to comply with our change management standards, ensuring transparency and accountability throughout the process.

Yes, we have robust technical measures in place to ensure that all changes in production environments are properly registered, authorized, and comply with our existing Service Level Agreements (SLAs). These measures include:

  • Change Management System: All changes to production systems are logged in a centralized change management system. Each change request undergoes an approval process, where it is reviewed for impact on operations, security, and compliance.
  • Authorization Workflow: Changes are only implemented once they have been formally authorized by the appropriate stakeholders, including IT, security, and business management.
  • Version Control and Documentation: We utilize version control systems to track and document all changes to code, configurations, and infrastructure. This ensures full traceability and accountability for each change made to the production environment.
  • SLAs Compliance: Each change request is reviewed against the relevant SLAs to ensure that it meets operational expectations, timelines, and performance benchmarks. Any changes that could impact service delivery or performance are given priority and handled in accordance with SLA terms.
  • Audit and Monitoring: We maintain a detailed audit trail of all changes made to production environments, including timestamps, the identity of the individuals who made the changes, and the approvals received. We also have real-time monitoring in place to detect any unauthorized or unexpected changes, ensuring that deviations from standard operating procedures are quickly identified and addressed.

Information Security: Data Security & Information Lifecycle Management

Yes, our organization actively inventories, documents, and maintains comprehensive data flows for all data that resides—either permanently or temporarily—within our services’ applications and infrastructure network and systems. This includes:

  • Data Flow Mapping: We maintain detailed mappings of data flows that illustrate how data moves across applications, services, and systems, from collection and storage to processing and disposal.
  • Asset Inventory: Our data inventory includes classification of data types (e.g., personal data, sensitive data, transactional data), ensuring that all data within our systems is tracked and categorized for risk management and compliance purposes.
  • Data Lifecycle Management: We document how data is created, used, stored, and eventually archived or deleted, ensuring that we maintain full visibility of data throughout its lifecycle, including all transfers, processing stages, and locations within the infrastructure.

This documentation helps us monitor data movement, prevent unauthorized access, and identify potential vulnerabilities.

Yes, we have the technical and organizational measures in place to ensure that data does not migrate beyond its defined geographical residency. These measures include:

  • Data Residency Controls: We utilize geofencing, IP whitelisting, and data center location restrictions to ensure that data is stored and processed only in the approved geographical locations.
  • Compliance with Local Laws: Our systems and policies are designed to comply with data residency and transfer laws, such as the GDPR (which restricts transfers of personal data outside the EU/EEA unless an adequacy decision or other appropriate safeguards apply) and similar data localization laws in other regions.
  • Data Transfer Restrictions: We enforce strict controls on data transfers, ensuring that any cross-border data movement is handled through secure, lawful channels and in compliance with regulatory requirements. This includes encrypting data in transit and relying on a recognized transfer mechanism such as Standard Contractual Clauses (SCCs) when transferring data between jurisdictions; the EU-U.S. Privacy Shield, invalidated by the Court of Justice of the EU in 2020, is no longer a valid basis for such transfers.

Our data residency policy is continuously reviewed to align with evolving global regulations and to ensure that data remains within the designated regions.

Yes, we have well-defined policies and procedures for data labeling and handling to ensure the security of both data and objects that contain data. These policies include:

  • Data Classification Scheme: Data is classified into categories such as public, internal, confidential, and restricted, based on its sensitivity and regulatory requirements. Each data classification comes with specific handling requirements to ensure appropriate security measures are applied.
  • Labeling Standards: All sensitive data, whether digital or physical, is labeled accordingly to indicate its classification and handling requirements. This includes encryption standards, access controls, and procedures for secure storage and transmission.
  • Training and Awareness: Employees and contractors are regularly trained on data handling procedures, including the proper labeling and storage of sensitive information to ensure compliance with security policies.

This helps to mitigate the risk of data exposure and ensures that proper precautions are taken when handling, storing, or transmitting sensitive data.

Yes, we back up all critical data on a daily basis to ensure business continuity and disaster recovery. Our backup procedures include:

  • Automated Daily Backups: We have automated systems in place that ensure backups occur daily without manual intervention, reducing the risk of human error.
  • Data Redundancy: Data is backed up to geographically dispersed storage locations to ensure redundancy, enabling quick recovery in the event of a local failure or disaster.
  • Testing and Validation: We regularly test and validate backup integrity to ensure that data can be restored quickly and reliably, and that it meets our Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements.

This backup routine helps safeguard against data loss due to hardware failure, accidental deletion, or other disruptions.

Yes, we have strict procedures in place to ensure that production data is not replicated or used in non-production environments. These procedures include:

  • Data Segmentation: We enforce strict separation between production and non-production environments to prevent the unauthorized transfer of production data to development, testing, or staging environments.
  • Data Masking/Anonymization: Where necessary, we apply data masking or anonymization techniques to production data used in non-production environments. This ensures that sensitive information is obfuscated while still allowing for realistic testing and development.
  • Access Control: Only authorized personnel have access to production data, and access to non-production environments is tightly controlled to ensure that production data is not accidentally or maliciously replicated or accessed.
  • Auditing and Monitoring: We regularly audit non-production environments to ensure compliance with these procedures, and monitoring tools are in place to detect any unauthorized use of production data.

These procedures help reduce the risk of exposing sensitive production data in non-secure environments.
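The masking step above, as an added worked example rather than SupportPay's own tooling. It uses keyed, deterministic pseudonyms so that a customer appears under the same fake identity in every table copied to a non-production environment (joins and support workflows keep working), and a deny-by-default column policy so that a newly added production column cannot reach non-production without someone writing a rule for it. The column names, the key and the sample record are constructed for the example.

```python
import hashlib
import hmac

# Assumptions for this example: the masking key lives in a secrets manager and is
# never deployed to the non-production side, so pseudonyms there cannot be
# reversed; column names and the sample record are invented.
PSEUDONYM_DOMAIN = "example.test"


def pseudonymize(value: str, key: bytes, context: str) -> str:
    """Keyed, deterministic tag. The same input always maps to the same output,
    so referential integrity survives; without the key the tag reveals nothing.
    `context` keeps namespaces apart (an email and a name never collide)."""
    mac = hmac.new(key, f"{context}:{value.strip().lower()}".encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def mask_email(email: str, key: bytes) -> str:
    local, _, _domain = email.partition("@")
    return f"user-{pseudonymize(local, key, 'email')}@{PSEUDONYM_DOMAIN}"


def mask_name(name: str, key: bytes) -> str:
    return f"Person {pseudonymize(name, key, 'name')}"


def mask_phone(phone: str, key: bytes) -> str:
    """Keep formatting and the last two digits so screens still look realistic."""
    digit_positions = [i for i, c in enumerate(phone) if c.isdigit()]
    hide = set(digit_positions[:-2])
    return "".join("*" if i in hide else c for i, c in enumerate(phone))


def mask_account_number(acct: str, key: bytes) -> str:
    return "*" * max(len(acct) - 4, 0) + acct[-4:]


def keep(value, key: bytes):
    return value


# Deny by default: every column must be listed, either with a masking function
# or explicitly as `keep`. An unlisted column raises instead of leaking.
POLICY = {
    "case_id": keep,
    "email": mask_email,
    "full_name": mask_name,
    "phone": mask_phone,
    "bank_account": mask_account_number,
    "amount_cents": keep,
}


def mask_record(record: dict, key: bytes) -> dict:
    out = {}
    for column, value in record.items():
        rule = POLICY.get(column)
        if rule is None:
            raise ValueError(f"no masking rule for column {column!r}; refusing to copy it")
        out[column] = rule(value, key)
    return out


SAMPLE_KEY = b"demo-masking-key"
SAMPLE_RECORD = {  # constructed, not real customer data
    "case_id": 4711,
    "email": "Jane.Doe@example.com",
    "full_name": "Jane Doe",
    "phone": "+1 415 555 0134",
    "bank_account": "000123456789",
    "amount_cents": 42_500,
}

if __name__ == "__main__":
    for column, value in mask_record(SAMPLE_RECORD, SAMPLE_KEY).items():
        print(f"{column:14} {value}")
```

Deterministic pseudonyms are a deliberate trade-off: they preserve linkability across tables, which is what testing needs, but they are not anonymous in the GDPR sense while the key exists, so the key must be destroyed or kept out of reach of anyone who can read the masked copy.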

Yes, we have documented policies and procedures in place to ensure adherence to data retention periods as specified by legal, statutory, or regulatory compliance requirements. These include:

  • Data Retention Policy: Our data retention policy outlines the specific retention periods for different types of data, based on legal, regulatory, and contractual obligations. For example, financial records may need to be retained for a specific period (e.g., 7 years for SOX compliance), while personal data under GDPR may require a review to determine if it should be deleted or anonymized after a certain period.
  • Automated Retention Mechanisms: We use automated systems to enforce data retention policies, ensuring that data is only kept for as long as necessary. Once the retention period expires, the data is securely deleted or archived.
  • Compliance Audits: Regular audits are conducted to ensure compliance with retention policies, and any exceptions or deviations are addressed promptly. Additionally, we work closely with our legal and compliance teams to stay up to date on any changes to applicable data retention laws.

These policies ensure that we handle data in accordance with relevant legal requirements, helping to avoid legal or regulatory penalties associated with improper data retention practices.

Information Security: Encryption & Key Management

Yes, data will be encrypted when it is in transit over networks. This includes all communication channels such as:

  • Web Services: We use TLS (Transport Layer Security) to encrypt data in transit for all web-based services, ensuring that any data exchanged between clients and servers is protected from interception or tampering.
  • File Transfer Services: For file transfers, we use SFTP (Secure File Transfer Protocol) or FTPS (FTP over SSL/TLS), both of which provide encryption to safeguard data during transfer over networks.
  • Email: All email communications containing sensitive data are encrypted using S/MIME (Secure/Multipurpose Internet Mail Extensions) or PGP (Pretty Good Privacy) for end-to-end encryption, ensuring that email content is secure during transit.
  • Instant Messaging: We use encrypted messaging platforms that employ end-to-end encryption, ensuring that chat messages are secure while in transit.

These measures protect sensitive data from unauthorized access during transmission over the network, mitigating risks associated with man-in-the-middle (MITM) attacks and eavesdropping.

Yes, all sensitive data at rest on the server side will be encrypted. This includes:

  • Database Files and Columns: We use AES-256 (Advanced Encryption Standard) to encrypt entire database files as well as specific database columns containing sensitive or personally identifiable information (PII). The encryption is applied at the storage level, ensuring that the data remains protected even if unauthorized access to the server occurs.
  • File Storage: All sensitive data stored in file systems or object storage services is encrypted using AES-256 or equivalent strong encryption algorithms. We ensure that encryption is applied both to files and any associated metadata to prevent unauthorized access.
  • Key Management: We utilize a secure, centralized key management system (KMS) to handle encryption keys, ensuring that keys are rotated regularly and stored separately from the data they encrypt, further securing the data at rest.

This encryption at rest ensures that sensitive data remains protected in case of server breaches or unauthorized access attempts.
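To show how the column-level AES-256 scheme described above, with keys held in a central KMS, rotated regularly and stored apart from the data, can be put together, here is an added Go example (not SupportPay's code): envelope encryption in which each row's data key is wrapped by a versioned key-encryption key held by an in-memory stand-in for the KMS, so a rotation retires the old key for new writes while values already stored stay readable. The `KMS` type, the column value layout and the sample row context are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"io"
)

const (
	keyLen        = 32                         // AES-256 key size
	nonceLen      = 12                         // GCM standard nonce size
	tagLen        = 16                         // GCM authentication tag size
	wrappedDEKLen = nonceLen + keyLen + tagLen // size of a wrapped data key
)

// KMS is a constructed in-memory stand-in for the centralized key management system: it keeps
// every key-encryption key (KEK) version it has issued and only hands out wrapped data keys.
type KMS struct {
	keks    map[uint32][]byte
	current uint32
}

func NewKMS() *KMS { k := &KMS{keks: map[uint32][]byte{}}; k.Rotate(); return k }

// Rotate issues a new KEK version; earlier versions remain available for decryption only.
func (k *KMS) Rotate() {
	k.current++
	k.keks[k.current] = randomBytes(keyLen)
}

// Wrap encrypts a data key under the current KEK, binding the version number as AAD.
func (k *KMS) Wrap(dek []byte) (uint32, []byte) {
	return k.current, gcmSeal(k.keks[k.current], dek, binary.BigEndian.AppendUint32(nil, k.current))
}

func (k *KMS) Unwrap(version uint32, wrapped []byte) ([]byte, error) {
	kek, ok := k.keks[version]
	if !ok {
		return nil, fmt.Errorf("unknown KEK version %d", version)
	}
	return gcmOpen(kek, wrapped, binary.BigEndian.AppendUint32(nil, version))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // cannot happen with the fixed key and nonce sizes used here
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(io.ReadFull(rand.Reader, b))
	return b
}

// gcmSeal returns nonce || ciphertext || tag under AES-256-GCM with a fresh random nonce.
func gcmSeal(key, plaintext, aad []byte) []byte {
	nonce := randomBytes(nonceLen)
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen reverses gcmSeal; callers guarantee len(blob) >= nonceLen+tagLen.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	return must(cipher.NewGCM(must(aes.NewCipher(key)))).Open(nil, blob[:nonceLen], blob[nonceLen:], aad)
}

// EncryptColumn builds the value stored in an encrypted column:
// KEK version (4 bytes) || wrapped DEK || nonce || ciphertext || tag. Each row gets its own data
// key, and rowContext (e.g. "customers.ssn:42") is bound as AAD so a ciphertext copied into
// another row or column will not decrypt.
func EncryptColumn(k *KMS, plaintext []byte, rowContext string) []byte {
	dek := randomBytes(keyLen)
	version, wrapped := k.Wrap(dek)
	out := append(binary.BigEndian.AppendUint32(nil, version), wrapped...)
	return append(out, gcmSeal(dek, plaintext, []byte(rowContext))...)
}

func DecryptColumn(k *KMS, blob []byte, rowContext string) ([]byte, error) {
	if len(blob) < 4+wrappedDEKLen+nonceLen+tagLen {
		return nil, fmt.Errorf("column value too short: %d bytes", len(blob))
	}
	dek, err := k.Unwrap(KeyVersion(blob), blob[4:4+wrappedDEKLen])
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, blob[4+wrappedDEKLen:], []byte(rowContext))
}

// KeyVersion reports which KEK protects a stored value, so a re-encryption job can find rows still under a retired key.
func KeyVersion(blob []byte) uint32 { return binary.BigEndian.Uint32(blob[:4]) }

func main() {
	k := NewKMS()
	v := EncryptColumn(k, []byte("123-45-6789"), "customers.ssn:42") // constructed sample PII
	k.Rotate()                                                       // retire KEK v1; v must still decrypt
	pt, err := DecryptColumn(k, v, "customers.ssn:42")
	fmt.Printf("stored under KEK v%d, current v%d: %s %v\n", KeyVersion(v), k.current, pt, err)
}
```

A production rollout would replace the in-memory `KMS` with the real service's wrap/unwrap calls and schedule a job that re-encrypts rows whose `KeyVersion` is below the current one.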

Yes, data will be encrypted when it is at rest on end-user devices such as laptops, tablets, and mobile phones. This includes:

  • Laptops and Tablets: We implement full disk encryption (FDE) using industry-standard encryption algorithms such as BitLocker for Windows-based laptops and FileVault for macOS-based laptops. This ensures that all data on the device, including system files and user data, is encrypted.
  • Mobile Phones: All mobile devices used to access organizational data are secured with AES-256 encryption at the device level, and we enforce mobile device management (MDM) policies to ensure encryption is enabled by default. In addition, we use features such as Android’s full disk encryption and iOS device encryption to ensure data remains protected even if the device is lost or stolen.

By encrypting data at rest on end-user devices, we mitigate the risk of data exposure from theft or unauthorized access in the event of device loss or compromise.

Yes, we utilize platform and data-appropriate encryption that employs open, validated formats and standard algorithms. This includes:

  • TLS/SSL: For data in transit, we utilize TLS (Transport Layer Security) with TLS 1.2 or 1.3, which are widely recognized and validated encryption protocols. This ensures secure communication between clients and servers, protecting data during web and API interactions.
  • AES-256: For data at rest, we use AES-256 encryption, which is a standard, widely validated, and highly secure algorithm approved under standards such as FIPS 140-2 (Federal Information Processing Standard). AES-256 is utilized across our infrastructure to ensure strong data protection.
  • Open Standards: We strictly adhere to encryption standards that are widely accepted in the industry, such as RSA for public-key cryptography and SHA-256 for hashing. We ensure that encryption methods are well-documented and comply with industry best practices to guarantee robust security.
  • Validated Formats: We use validated cryptographic modules that have been tested and certified under programs run by trusted bodies such as the National Institute of Standards and Technology (NIST), including FIPS 140 validation. These validated formats provide assurance that our encryption methods meet the highest security standards.

By using these industry-standard, validated encryption protocols and algorithms, we ensure that data is securely encrypted and meets compliance requirements while maintaining robust protection against potential vulnerabilities.

Information Security: Governance & Risk Management

Yes, our organization has a formalized risk assessment plan that incorporates comprehensive consideration of data residency, legal and statutory requirements for data retention periods, and data protection and classification. This plan includes:

  • Data Residency Considerations: We evaluate the geographical locations where data is stored, processed, and transmitted, ensuring compliance with local and international data residency laws. This includes adherence to regulations such as GDPR (General Data Protection Regulation) for data processing within the European Union, and other jurisdiction-specific data residency requirements.
  • Legal and Statutory Retention Periods: As part of the risk assessment, we review legal and statutory requirements to define appropriate data retention periods for various types of data (e.g., financial records, healthcare data, etc.). Our policies are aligned with requirements such as HIPAA, SOX, and industry-specific regulations to ensure we retain data for the required duration and securely delete or anonymize it afterward.
  • Data Protection and Classification: We classify data based on sensitivity (e.g., public, internal, confidential, restricted) and ensure that appropriate security controls are applied according to the data classification. This includes implementing encryption, access control, and audit logging for higher-classified data. We also conduct regular risk assessments to identify potential threats and vulnerabilities that could compromise data protection.

This holistic risk assessment plan helps us manage potential risks, comply with relevant laws, and ensure that sensitive data is handled securely in line with applicable data protection regulations.

Yes, the results of our risk assessments are reviewed at least annually to ensure that our security policies, procedures, standards, and controls remain relevant and effective. This process includes:

  • Annual Risk Review: Each year, we conduct a thorough review of the findings from our most recent risk assessments, identifying any emerging threats, vulnerabilities, or changes in the regulatory landscape that may require updates to our security policies.
  • Continuous Improvement Process: Based on the risk assessment results, we make adjustments to our security policies, standards, and procedures as needed. This includes updating controls to address new security challenges, strengthening data protection measures, and incorporating lessons learned from incidents or near-misses.
  • Compliance and Regulatory Updates: As part of the annual review, we ensure that any updates to relevant legal, regulatory, or contractual requirements are reflected in our security policies. This may include changes to data protection regulations, retention period laws, or new industry standards.
  • Stakeholder Involvement: The review process involves key stakeholders from risk management, security, legal, compliance, and IT teams to ensure that all areas of the organization are aligned on security priorities and that necessary updates are made to keep our security posture strong.

This annual review ensures that our risk management framework stays current and effective, helping us proactively address new risks and maintain compliance with evolving regulations.

Information Security: Human Resources

Yes, all employment candidates, contractors, and involved third parties are subject to background verification prior to gaining access to scoped systems and data. This verification process includes:

  • Background Checks: We conduct comprehensive background checks in compliance with local laws, regulations, and contractual requirements. These checks typically include criminal history, employment history, educational verification, and identity verification, depending on the role and access level.
  • Third-Party Screening: Contractors and third-party vendors who will have access to sensitive data or systems are also subject to similar background checks. We verify their qualifications, criminal history, and any other relevant factors to ensure they meet our security and ethical standards.
  • Role-Based Access: Access to scoped systems and data is granted only after successful completion of the background check and role-specific requirements, with additional scrutiny for individuals with access to sensitive or high-risk data.

This approach ensures that only trusted and qualified personnel are given access to critical systems and data, minimizing the risk of internal threats or data breaches.

Yes, all of our employment agreements include provisions and terms that adhere to our established information governance and security policies. These provisions typically include:

  • Confidentiality and Non-Disclosure: Employees are required to sign confidentiality agreements that explicitly state their responsibility to protect sensitive information, including trade secrets, client data, and proprietary business information.
  • Security Policy Acknowledgement: Employment contracts include clauses that require employees to acknowledge and comply with the organization’s security policies, including data protection, information governance, and incident reporting protocols.
  • Access Control and Data Handling: Agreements specify the appropriate handling of data and systems, including restrictions on unauthorized access, use of personal devices, and the secure handling of sensitive information.
  • Compliance with Legal and Regulatory Requirements: Employees are informed of their obligation to comply with applicable laws, regulations, and contractual agreements related to data security and privacy, such as GDPR, HIPAA, or SOX, as relevant to their role.

By embedding these provisions within employment contracts, we ensure that all employees understand their responsibilities in maintaining information security and compliance.

Yes, we have documented policies, procedures, and guidelines in place to govern changes in employment and/or termination, including:

  • Access Termination Procedures: Upon employment change (e.g., promotion, role change) or termination (voluntary or involuntary), a formal process is followed to revoke or modify access to systems, data, and physical locations. This includes immediate deactivation of accounts, retrieval of company assets (laptops, phones, badges, etc.), and access removal from sensitive data repositories.
  • Exit Interviews and Security Handover: For departing employees, an exit interview is conducted to ensure they understand their ongoing confidentiality obligations, and they must return all company-owned devices and data. A thorough handover is conducted to transfer any responsibilities or knowledge to another employee.
  • Documentation of Changes: All employment status changes are documented, and any access changes are logged and reviewed to ensure no security gaps exist.
  • Audit and Compliance Checks: Termination processes are subject to internal audits to ensure that no unauthorized access is granted post-termination and that all steps are followed correctly.

These policies ensure that all changes in employment or termination are handled securely and that access to sensitive data is properly managed.

Yes, policies and procedures are established and measures are implemented to strictly limit access to sensitive data and tenant data from portable and mobile devices. These include:

  • Mobile Device Management (MDM): We use MDM solutions to enforce security controls on all portable and mobile devices (e.g., smartphones, laptops, tablets). MDM ensures that only compliant devices are permitted to access sensitive data and that all devices are encrypted, password-protected, and remotely wipeable in case of loss or theft.
  • Access Controls: Sensitive data is restricted from being accessed on mobile or portable devices unless the device meets specific security criteria, such as encryption, strong authentication, and up-to-date security patches.
  • Virtual Private Network (VPN): Access to sensitive data from mobile devices is only permitted through a secure VPN that encrypts data in transit, ensuring data protection when accessed remotely.
  • Data Loss Prevention (DLP): DLP tools are implemented to monitor and restrict the transfer of sensitive data to and from portable devices, preventing data leakage via email, cloud storage, or other unauthorized methods.

These measures help mitigate the risks associated with mobile and portable device access and ensure sensitive and tenant data is securely handled.

Yes, all personnel are informed of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards, and applicable regulatory requirements. This is achieved through:

  • Onboarding and Training: New employees are required to complete security awareness training as part of the onboarding process. This training covers our security policies, data protection requirements, and how to recognize and report security incidents. Training is refreshed regularly to ensure ongoing awareness.
  • Regular Awareness Campaigns: We conduct periodic campaigns to remind employees of their security responsibilities, such as phishing simulations, security newsletters, and mandatory policy reviews.
  • Employee Acknowledgement: Employees are required to acknowledge their understanding of security policies and procedures, often through formal sign-offs or certifications, particularly when policies are updated.
  • Role-Specific Training: Employees in roles with access to sensitive data or critical systems undergo additional, role-specific security training, which includes compliance with industry regulations (e.g., GDPR, HIPAA) and secure data handling practices.

By providing continuous education and clear expectations, we ensure that all personnel are well-informed and remain compliant with our security standards and regulatory obligations.

Information Security: Identity & Access Management

Yes, we have strict controls in place to ensure the timely removal of systems access that is no longer required for business purposes. These controls include:

  • Automated Access Removal: We utilize an automated identity and access management (IAM) system that triggers the deactivation of user accounts based on predefined criteria, such as role changes, termination, or completion of specific projects. This system helps ensure that access is promptly revoked when no longer necessary.
  • Role-Based Access Control (RBAC): Employees and contractors are granted access based on their job role. When their role changes or if they no longer require access for business purposes, their permissions are immediately updated or removed.
  • Exit Procedures: Access removal is an integral part of the formal offboarding process. Upon termination or resignation, the HR and IT teams work in tandem to ensure all system access is revoked before the individual departs, preventing any unauthorized access to systems or data.
  • Periodic Access Reviews: We conduct regular reviews of user access rights to ensure that all active accounts are still associated with business needs. Any access that is found to be unnecessary is promptly removed or adjusted.

These measures help us mitigate the risk of unauthorized access due to outdated or unnecessary permissions.

Yes, we have comprehensive policies and procedures in place for access control, including the use of Multi-Factor Authentication (MFA) for accessing internal networks from external networks. Our approach includes:

  • MFA for Remote Access: All employees and third-party users who need access to our internal systems from external networks are required to authenticate using MFA. This requires at least two distinct factors: something the user knows (password), something the user has (security token or mobile device), or something the user is (biometric authentication).
  • VPN Access and MFA: Remote access to our network is only allowed through a secure Virtual Private Network (VPN), which is further protected by MFA. This ensures that only authorized users with proper authentication can access internal resources from outside the corporate network.
  • Access Control Policies: Our policies clearly define access control guidelines, including user authentication mechanisms, session timeouts, and the circumstances under which elevated access privileges can be granted. These are enforced across all remote access points to mitigate potential security risks.
  • Continuous Monitoring: All remote access is continuously monitored for unusual behavior or anomalies, and access is immediately revoked if suspicious activity is detected.

These policies ensure that external access is tightly controlled and secure, reducing the risk of unauthorized or compromised access.

Yes, we manage and securely store the identity of all personnel who have access to the IT infrastructure, along with their corresponding access levels. This is accomplished through:

  • Identity and Access Management (IAM) System: We use an IAM system to centrally manage the identities of all employees, contractors, and third-party vendors who require access to our IT infrastructure. This system ensures that access levels are accurately assigned and continuously monitored based on job roles and responsibilities.
  • Access Level Classification: Each user is assigned specific access rights according to the principle of least privilege, ensuring that they have the minimum level of access necessary to perform their job functions. Access rights are categorized into various levels (e.g., admin, user, read-only) and are regularly reviewed to ensure they remain appropriate.
  • Access Reviews and Audits: We conduct regular audits of user identities and access levels to verify compliance with security policies. Any discrepancies or unnecessary access permissions are immediately addressed and rectified.
  • Role-Based Access Control (RBAC): Access is granted based on predefined roles within the organization, and changes in job function or responsibilities are reflected in real-time through the IAM system to ensure that employees have access to the correct systems and data.

This system ensures that we have complete visibility into user access and can promptly update or revoke access as needed.

Yes, timely deprovisioning, revocation, or modification of user access is implemented whenever there is a change in the status of employees, contractors, customers, business partners, or third parties. This process includes:

  • Automated Deprovisioning Workflow: When an employee’s status changes (e.g., termination, role change, or temporary leave), our system automatically triggers the deactivation or modification of their access to relevant systems and data. This workflow ensures that no user retains access beyond their business need.
  • Offboarding and Role Changes: Access to systems, information assets, and data is promptly revoked when employees leave the organization or transition to a different role. In the case of contractors or third-party partners, access is terminated as soon as the contracted work is completed or their engagement is no longer required.
  • Account Monitoring: We continuously monitor all accounts for unusual or unauthorized access. If an account is detected as being misused or its associated user’s role changes, access is modified or revoked in a timely manner to mitigate risks.
  • Audit Logs and Notifications: All access changes are logged, and notifications are sent to relevant stakeholders, such as HR, IT, and security teams, to ensure that any changes in status or access are tracked and verified in real-time.

This approach minimizes the risk of unauthorized access and ensures that user access is always aligned with their current role and status within the organization.

Information Security: Infrastructure & Virtualization Security

Yes, our organization has both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) implemented on the networks that house systems with client data. These systems serve as a critical part of our multi-layered security architecture, providing real-time monitoring, threat detection, and automatic responses to unauthorized activities.

  • IDS/IPS Deployment: Our IDS and IPS solutions are strategically deployed across critical network segments, including areas where client data is stored, processed, or transmitted. These systems analyze network traffic for potential threats such as malware, unauthorized access attempts, and suspicious behavior.
  • Real-Time Monitoring and Alerts: Both systems are configured to monitor for abnormal patterns and generate real-time alerts for our security team when potential security incidents are detected. This allows us to respond quickly to mitigate any risks to client data.
  • Automated Responses: The IPS component can automatically block malicious traffic or unauthorized access attempts, providing an additional layer of protection for sensitive systems and data.

These measures ensure that we can detect and prevent intrusions that could compromise client data or other critical systems.

Yes, our organization has Data Loss Prevention (DLP) capabilities implemented to protect sensitive client and organizational data from unauthorized access, leakage, or loss. Our DLP strategy includes:

  • DLP Software: We deploy DLP software across endpoints, email systems, cloud applications, and file servers to monitor and control the movement of sensitive data within and outside the organization.
  • Policy-Based Controls: DLP policies are enforced based on the classification of data (e.g., personally identifiable information (PII), financial records, proprietary data). These policies ensure that sensitive data is not inadvertently shared, downloaded, or transferred to unauthorized parties.
  • Incident Response and Auditing: In the event of a potential data breach or unauthorized data transfer, our DLP system generates alerts and logs the incident for further investigation. This allows us to take immediate action to contain any data loss.
  • Endpoint Security: DLP is integrated with endpoint protection to prevent unauthorized data transfer to external devices (USBs, external drives) or cloud storage services without proper authorization.

These capabilities provide proactive protection against the accidental or intentional loss of sensitive information.

Yes, our organization has a well-defined security architecture for all elements of our products or solutions delivered in a hosted, cloud, or ASP model. This architecture is designed to ensure that data security, compliance, and availability are maintained across all deployment models, including SaaS, PaaS, and IaaS environments. Key components of this security architecture include:

  • Multi-Tiered Security: Our architecture is built on multiple security layers to protect against external and internal threats. This includes firewalls, encryption, access controls, and intrusion detection/prevention systems.
  • Data Segregation and Isolation: Data from different clients is logically segregated, ensuring that each tenant’s data is isolated from others within the hosted environment.
  • Compliance with Industry Standards: The architecture is designed to comply with relevant regulatory and industry standards (e.g., GDPR, SOC 2, ISO 27001, PCI DSS) to meet both security and privacy requirements.

This defined security architecture helps us deliver a secure and compliant hosted solution for our clients.

Yes, our architecture includes a comprehensive mix of preventive and detective controls to ensure the security of our systems and data:

  • Preventive Controls:
    • Firewalls: We use both network and application-level firewalls to protect our infrastructure from unauthorized access and to enforce security policies that limit traffic to only trusted sources.
    • Application Controls: We implement strict controls on application code and behavior, ensuring that only authorized users and applications can interact with sensitive systems. This includes secure coding practices, input validation, and protection against common vulnerabilities like SQL injection and cross-site scripting (XSS).
    • Access Control: We employ Role-Based Access Control (RBAC) and least privilege principles to ensure that only authorized personnel have access to critical systems and data.
  • Detective Controls:
    • Logging and Monitoring: All security-critical actions (e.g., login attempts, data access, configuration changes) are logged in real-time and stored for audit purposes. These logs are continuously monitored to detect any unusual or unauthorized activities.
    • Intrusion Detection Systems (IDS): IDS tools monitor network traffic and system activities for signs of potential attacks or compromises.
    • Security Information and Event Management (SIEM): A SIEM solution is in place to aggregate, analyze, and correlate log data from multiple sources, allowing us to detect threats and respond swiftly.

These preventive and detective controls work together to ensure that our environment is secure, compliant, and resilient to attacks.

Yes, for our SaaS and PaaS offerings, we provide tenants with separate environments for production and testing processes. These environments are isolated to ensure that:

  • Data Security: No production data is used in test environments, and test environments are designed to simulate production conditions without exposing sensitive client information.
  • Environment Isolation: Production and test environments are logically or physically separated, with access controls in place to prevent unauthorized access to the production environment from the testing or development environment.
  • Environment-Specific Controls: Different security measures are applied to each environment. For example, production environments are subject to stricter access controls, monitoring, and audit logging than test environments.

This segregation helps prevent issues in test environments from affecting live services and ensures compliance with data protection regulations.

Yes, our system and network environments are protected by both physical firewalls and virtual firewalls to ensure that all access is appropriately controlled and that we comply with legal, regulatory, and contractual requirements. These firewalls provide:

  • Access Control and Filtering: Firewalls restrict unauthorized inbound and outbound traffic, ensuring that only authorized users, devices, and applications can access network resources.
  • Compliance Enforcement: Our firewalls are configured to meet the specific requirements of industry standards (e.g., PCI DSS, SOC 2) and regional laws (e.g., GDPR). This includes blocking access to non-compliant IP addresses, filtering out untrusted protocols, and enforcing encryption policies.
  • Network Segmentation: Firewalls are used to segment networks, ensuring that critical systems (e.g., those containing sensitive data) are isolated from less secure environments.

This firewall protection is a fundamental part of our approach to compliance and data security.

Yes, we have implemented strong measures to ensure the appropriate isolation and segmentation of tenants’ access to infrastructure, system, and network components. This includes:

  • Logical Isolation: Tenants’ data and applications are logically separated to ensure that no tenant has access to another tenant’s data or systems. This is achieved through virtual private networks (VPNs), virtual machines (VMs), and software-defined networking (SDN).
  • Network Segmentation: We implement network segmentation to isolate different parts of the infrastructure, ensuring that tenant data is only accessible by authorized users and systems. This segmentation is in place to comply with regulatory requirements such as GDPR and PCI DSS.
  • Compliance with Data Residency Laws: The segmentation ensures compliance with data residency laws by restricting tenant data to specific geographical regions.

These measures ensure that tenant data is kept secure and isolated, complying with legal and regulatory obligations.

Yes, both system and network environments are protected by firewalls and virtual firewalls to ensure the protection and isolation of sensitive data. These measures include:

  • Firewall Protection: Firewalls are placed at critical network entry points to block unauthorized access and restrict traffic to only trusted sources.
  • Segregation of Sensitive Data: Firewalls help segment sensitive data from less critical data within our infrastructure, ensuring that sensitive information is isolated and protected from unauthorized access.
  • Encryption of Sensitive Data: We enforce encryption of sensitive data in transit and at rest to protect it from unauthorized exposure, ensuring that firewalls complement our broader data protection strategy.

Yes, we ensure that secured and encrypted communication channels are used during the migration of physical servers, applications, or data to virtual servers. This includes:

  • Encryption of Data in Transit: All data transferred during migration is encrypted using TLS or AES-256 to ensure that sensitive information is protected while being moved between physical and virtual environments.
  • Secure Migration Tools: We use secure tools and protocols for server migrations, such as SSH for secure file transfers and VPNs for secure network communication, ensuring that no unauthorized access occurs during the migration process.
  • Audit Trails: All migration activities are logged and monitored to provide visibility into the process and ensure that no data is exposed or compromised during migration.

Yes, we have established robust policies and procedures to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic. These measures include:

  • Wireless Network Security Policies: Our policies define the minimum security standards for wireless networks, including the use of strong encryption (e.g., WPA3) and authentication protocols.
  • Access Control Lists (ACLs): We configure ACLs to ensure that only authorized devices and users can access the wireless network.
  • Wireless Intrusion Prevention Systems (WIPS): We deploy WIPS to detect and prevent unauthorized access attempts or rogue devices attempting to connect to the wireless network.

These measures ensure that unauthorized wireless traffic is blocked, and the integrity of our wireless network is maintained.

Yes, we have policies and procedures in place to ensure that wireless security settings are configured with strong encryption for authentication and data transmission. Specifically:

  • Strong Encryption Standards: We require that all wireless networks use WPA2 or WPA3 encryption protocols, replacing default encryption settings with custom, strong encryption keys and passwords.
  • Secure Device Configuration: All wireless devices and access points are configured with strong security settings, including unique SSID settings and complex encryption keys. We disable unused ports and services and ensure that SNMP community strings are changed from their default settings.
  • Regular Audits: Our network security team conducts regular audits of wireless configurations to ensure compliance with these standards and that no weak or default security settings remain.

These mechanisms ensure that our wireless network is secure and that unauthorized access is prevented.
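The configuration audit described above, as an added example rather than SupportPay's own tooling: it checks each access point record against the stated standards (WPA2/WPA3 only, non-default passphrase length, non-default SNMP community strings, non-default SSIDs, unneeded services disabled). The record format, default-value lists and the sample fleet are constructed for illustration.

```python
"""Audit wireless access point configurations against the policy above.

Added example, not SupportPay's own code. The AccessPoint record format,
the default-value lists and the sample fleet are constructed.
"""
from dataclasses import dataclass, field

# Constructed reference data; a real audit would load a maintained list.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "default", "tp-link")
ACCEPTED_SECURITY = {"WPA2", "WPA3"}
MIN_PASSPHRASE_LEN = 16
# Services that should be disabled on an access point unless explicitly needed
# ("http" here means the unencrypted management interface).
DISALLOWED_SERVICES = {"telnet", "http", "wps"}


@dataclass
class AccessPoint:
    name: str
    ssid: str
    security: str                 # e.g. "WPA2", "WPA3", "WEP", "OPEN"
    passphrase: str
    snmp_community: str
    enabled_services: set = field(default_factory=set)


def audit_ap(ap: AccessPoint) -> list[str]:
    """Return a list of findings; an empty list means the AP is compliant."""
    findings = []
    if ap.security not in ACCEPTED_SECURITY:
        findings.append(f"{ap.name}: security mode {ap.security!r} is not WPA2/WPA3")
    if len(ap.passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(f"{ap.name}: passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    if ap.snmp_community.lower() in DEFAULT_SNMP_COMMUNITIES:
        findings.append(f"{ap.name}: SNMP community string is a vendor default")
    if ap.ssid.lower().startswith(DEFAULT_SSID_PREFIXES):
        findings.append(f"{ap.name}: SSID {ap.ssid!r} looks like a factory default")
    for svc in sorted(ap.enabled_services & DISALLOWED_SERVICES):
        findings.append(f"{ap.name}: service {svc!r} should be disabled")
    return findings


def audit_fleet(aps: list[AccessPoint]) -> dict[str, list[str]]:
    """Map each AP name to its findings so a report can list non-compliant APs."""
    return {ap.name: audit_ap(ap) for ap in aps}


# Constructed sample fleet: one compliant AP, one with several weak settings,
# one legacy AP that still uses WEP and a default SNMP community.
SAMPLE_FLEET = [
    AccessPoint("ap-office-1", "corp-secure", "WPA3",
                "long-random-passphrase-01", "s3cr3t-ro-community",
                {"https", "ssh"}),
    AccessPoint("ap-lobby-2", "NETGEAR58", "WPA2",
                "password", "public",
                {"telnet", "https", "wps"}),
    AccessPoint("ap-legacy-3", "guest", "WEP",
                "abcdefghijklmnopqrst", "Private",
                {"https"}),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```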

Information Security: Supply Chain Management, Transparency & Accountability

Yes, our organization selects and monitors outsourced providers in full compliance with the laws and regulations of the countries where data is processed, stored, and transmitted. This includes:

  • Due Diligence and Compliance Checks: Before engaging with any third-party service providers, we conduct a thorough risk assessment and compliance review to ensure they meet the legal, regulatory, and contractual obligations specific to the jurisdictions where the data will be processed or stored. This is a part of our vendor selection process, which includes ensuring compliance with international data protection laws like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy laws.

  • Contracts and Data Protection Agreements: We require that all outsourcing agreements are governed by contracts that include appropriate data protection clauses, such as Data Processing Agreements (DPAs). These agreements ensure that our providers comply with the applicable data protection laws and that any data handling, processing, or storage is done in accordance with the legal requirements of the jurisdictions involved.

  • Ongoing Monitoring: After the selection of outsourced providers, we continuously monitor their performance to ensure compliance with agreed-upon standards. This includes regular audits and assessments to verify that data protection and security practices remain compliant with relevant laws.

  • Cross-Border Data Transfers: When working with providers in different geographic regions, we ensure that any cross-border data transfers are in full compliance with the relevant regulations governing such transfers (e.g., Standard Contractual Clauses (SCCs), Privacy Shield, etc.).

These measures ensure that our outsourced providers uphold the necessary legal and compliance standards required for the protection of client data.

Yes, we have a robust data recovery capability that allows us to recover data for specific customers in the event of a failure or data loss. This includes:

  • Backup and Redundancy Mechanisms: Our organization maintains regular, encrypted backups of customer data in multiple secure locations to ensure that, in the event of data loss or system failure, we can quickly restore the data to its original state. Backups are performed daily (or more frequently, depending on customer needs) and stored in geographically dispersed data centers to ensure data redundancy and availability.

  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO): We define clear RTOs and RPOs for each customer to ensure that data can be recovered within the agreed-upon time frame and that minimal data is lost in the event of a failure. These objectives are tailored to the customer’s business requirements and the criticality of their data.

  • Disaster Recovery Testing: We conduct regular disaster recovery (DR) tests to validate the effectiveness of our recovery procedures and ensure that we can meet the established RTO and RPO targets. These tests simulate different failure scenarios, including data corruption, hardware failure, and regional outages.

  • Customer-Specific Recovery Procedures: In addition to our general recovery processes, we provide clients with tailored recovery plans that address their specific data types and storage requirements. These plans are regularly reviewed and updated in collaboration with the customer.

In the event of data loss or system failure, we can quickly restore a customer’s data from the most recent backup and minimize operational disruptions.

Yes, we have the capability to restrict the storage of customer data to specific countries or geographic locations, ensuring compliance with data residency requirements and regulations. This includes:

  • Geographic Data Segmentation: We offer the ability to configure our infrastructure so that customer data is stored in specific geographic regions. Customers can choose to store their data in a particular country or region, and we ensure that data residency requirements are adhered to, whether for compliance with GDPR, CCPA, or other national and international data protection laws.

  • Multi-Region Data Centers: We operate data centers in multiple regions and countries, providing flexibility for customers to select the most appropriate storage location for their data. This ensures that data is handled in compliance with local laws governing data residency and cross-border data transfers.

  • Geo-Fencing and Data Location Policies: We implement geo-fencing and other technical controls to enforce data storage policies. For example, we use geolocation-based access controls to ensure that data cannot be stored or processed in regions that violate contractual or regulatory agreements. This includes restricting access to data from unauthorized geographic locations.

  • Compliance with Data Sovereignty Laws: Our platform is designed to comply with data sovereignty laws, ensuring that data is stored and processed within the required jurisdictions and that data access is restricted according to the rules governing data residency in those regions.

These measures allow us to fully support our customers’ data residency and sovereignty requirements while ensuring compliance with local laws and regulations.

Information Security: Service Level Agreements & Technical Support

Yes, our organization has comprehensive policies, procedures, and technical measures in place to ensure that complete, accurate, and relevant agreements—such as Service Level Agreements (SLAs)—are maintained between providers and customers (tenants). These include:

  • Formal Agreement Process: We have a well-defined process for drafting, reviewing, and finalizing SLAs with our customers. This process ensures that both parties’ expectations regarding service availability, performance metrics, support, and escalation procedures are clearly documented.
  • Periodic Review and Updates: SLAs are reviewed and updated regularly to ensure they remain accurate, relevant, and aligned with customer needs, changes in service delivery, and evolving legal or compliance requirements. This also ensures that new services, features, or changes to infrastructure are accurately reflected in the agreement.
  • Service Monitoring and Reporting: We use monitoring tools to track the performance of our services against the terms outlined in the SLAs, including metrics such as uptime, response times, and incident resolution times. This allows us to maintain accurate records and provide transparent reports to our customers.
  • Automated Alerts and Escalations: Technical systems are in place to automatically generate alerts if service metrics fall below the agreed thresholds, triggering appropriate corrective actions. This ensures that service delivery remains in line with the SLAs and that customers are notified promptly if any performance issues arise.

These policies and procedures help ensure that all agreements are maintained effectively and that customers’ expectations are met consistently.

Yes, we have a well-defined process for handling technical support during implementation to ensure a smooth deployment of our services or products for new customers. This includes:

  • Dedicated Onboarding Support: During the implementation phase, customers are assigned a dedicated implementation manager or technical support team to guide them through the setup process. The team assists with system configuration, data migration, and integration with existing infrastructure, ensuring that the implementation meets the customer’s specific requirements. This support is available 365 days a year.
  • Customized Implementation Plans: We work with each customer to develop a customized implementation plan that includes timelines, milestones, and key deliverables. This ensures a clear understanding of the process and facilitates smoother coordination between our technical support team and the customer.
  • Knowledge Transfer and Training: As part of the implementation process, we provide customers with necessary training sessions on the platform, including user access, system features, and troubleshooting steps. This enables customers to fully leverage the solution from day one.
  • Issue Resolution During Implementation: Our technical support team is readily available to address any issues that arise during implementation. This includes troubleshooting configuration problems, addressing integration challenges, and providing on-demand technical assistance.

Our goal is to provide the technical support and resources necessary to ensure a successful and timely implementation.

Yes, we provide comprehensive day-to-day technical support to our customers through a well-structured system that ensures consistent service quality and quick response times. This includes:

  • 24/7 Support Availability: Our technical support team is available around the clock to assist with any issues that may arise. Customers can reach support through multiple channels, including phone, email, and live chat.
  • Tiered Support Structure: We utilize a tiered support model that helps streamline issue resolution. For routine inquiries, customers can work with Tier 1 support agents who handle general questions and simple troubleshooting. For more complex technical issues, customers are escalated to Tier 2 or Tier 3 experts with deeper knowledge of our products and services.
  • Support Portal and Knowledge Base: We offer a self-service support portal where customers can access documentation, FAQs, troubleshooting guides, and other resources to resolve issues independently. This portal also allows customers to submit support tickets and track the status of ongoing requests.
  • Proactive Monitoring: Our team monitors systems and services in real time to proactively identify and resolve potential issues before they affect customers. This includes automated alerts for system downtimes, performance degradation, or security incidents.
  • Service-Level Agreements (SLAs) for Support: We provide clear SLA terms regarding response and resolution times for different types of support requests. These SLAs ensure that customers know what to expect in terms of service availability and issue resolution speed.

This structured approach ensures that technical support is efficient, responsive, and readily available to meet the needs of our customers on a daily basis.

No, our IT infrastructure is hosted entirely in the United States, and we ensure that all data processing and storage complies with applicable laws, customer contracts, and security requirements.

Information Security: Regulatory Accountability

Yes, our system and network environments are protected by firewalls and virtual firewalls to ensure that business and customer security requirements are met. This includes:

  • Perimeter Firewalls: We deploy enterprise-grade firewalls at the perimeter of our network to protect against unauthorized access, malicious traffic, and external attacks. These firewalls monitor incoming and outgoing traffic and enforce strict access control policies to safeguard both internal and customer-facing systems.

  • Internal Network Segmentation: Inside our infrastructure, we use virtual firewalls and segmentation to create isolated environments for different types of systems (e.g., production, development, testing) to prevent lateral movement in the event of a breach. This segmentation ensures that sensitive data and critical systems are isolated from less critical infrastructure, providing an additional layer of defense.

  • Advanced Threat Detection: Our firewalls are integrated with intrusion detection and prevention systems (IDPS) that monitor network traffic for suspicious activity, potential threats, or attacks (such as Distributed Denial-of-Service, or DDoS attacks) and respond in real time to block malicious traffic.

  • Granular Access Controls: We configure firewalls with granular access control lists (ACLs) that define which devices, services, and users are allowed access to specific network segments. This limits exposure to only those with legitimate access needs and reduces the attack surface.

  • Firewall Rules and Audits: Our firewall configurations are regularly reviewed and updated in accordance with industry best practices and security policies. We also conduct periodic security audits to ensure the firewalls are operating as expected and that any vulnerabilities are promptly addressed.

These measures ensure that our system and network environments are robustly protected against external threats while meeting customer security requirements.

Yes, our systems for monitoring privacy breaches and notifying tenants expeditiously are fully designed to meet the GDPR and CCPA standards for data privacy and breach notification. This includes:

  • Real-time Monitoring for Privacy Breaches: We have implemented real-time monitoring systems that detect potential privacy breaches, unauthorized access, or any unusual activity involving personal data. These systems are designed to detect anomalies that could indicate a data breach, such as unauthorized access to sensitive customer information or unapproved data transfers.

  • Incident Response Plan: In the event of a suspected privacy breach, we have a comprehensive incident response plan in place that follows the steps required by both GDPR and CCPA. This plan includes immediate containment of the breach, investigation of the cause, assessment of the impact, and notification procedures. Our dedicated response team is available to investigate and address breaches promptly.

  • Breach Notification Compliance:
    • GDPR Compliance: In accordance with GDPR Article 33, we ensure that any data breach that is likely to result in a risk to the rights and freedoms of individuals is reported to the relevant supervisory authority within 72 hours of discovery. Additionally, if the breach could affect customers’ personal data, we notify affected tenants without undue delay, as stipulated in Article 34.
    • CCPA Compliance: Under CCPA regulations, we provide customers with notifications if their personal data has been compromised due to a breach of our systems. This notification is provided within the time frame required by the law, and it includes clear information about the nature of the breach, the data involved, and the steps customers can take to protect themselves.

  • Automated Breach Notification System: We utilize automated systems that immediately alert the designated internal teams in the event of a potential privacy incident. These alerts allow us to act swiftly to mitigate any risks and ensure compliance with the legal requirements for timely notifications.

  • Tenant Communication: In the case of a confirmed breach, tenants are informed expeditiously, typically within the legally required timelines, via email and other secure communication channels. The notification includes all relevant information, such as the nature of the breach, data involved, potential impact, and any remediation steps we are taking.

  • Training and Awareness: Our team is regularly trained on the latest privacy laws and breach notification procedures, ensuring that we maintain an up-to-date approach to compliance with GDPR, CCPA, and other relevant regulations.

These systems and procedures ensure that we meet the stringent privacy breach monitoring, reporting, and notification requirements mandated by GDPR and CCPA, and that our tenants are promptly informed if their data is impacted.

Information Security: Threat & Vulnerability Management

Yes, we conduct application-layer vulnerability scans regularly as prescribed by industry best practices to ensure the security and integrity of our applications and systems. This includes:

  • Regular Scanning Schedule: We perform application-layer vulnerability scans on a quarterly basis as part of our ongoing security efforts. In addition to this regular schedule, we conduct additional scans following significant changes to applications, such as updates or new feature deployments.

  • Automated Vulnerability Scanning Tools: We utilize industry-leading automated vulnerability scanning tools to detect vulnerabilities within our applications. These tools are configured to assess all layers of the application stack, including web application vulnerabilities, API vulnerabilities, and underlying infrastructure configurations.

  • OWASP Top Ten Testing: Our vulnerability scanning process is aligned with industry frameworks, including the OWASP Top Ten guidelines, to ensure we assess and address the most common and critical security risks to web applications.

  • Manual Review and Penetration Testing: In addition to automated vulnerability scans, we perform periodic manual penetration testing to identify complex or less obvious vulnerabilities that may not be detected by automated tools. This testing is carried out by external security experts who simulate real-world attacks to find vulnerabilities in the application layer.

  • Remediation Process: Vulnerabilities identified through these scans are prioritized based on their severity, and remediation efforts are initiated promptly. We work to address high-risk issues as a priority and ensure that all vulnerabilities are addressed before they can be exploited.

This proactive and comprehensive approach ensures that our applications are continuously assessed for security vulnerabilities and that any issues are swiftly identified and mitigated.

Yes, we have a robust patch management system in place that allows us to patch vulnerabilities across all of our computing devices, applications, and systems. This includes:

  • Centralized Patch Management System: We utilize an automated, centralized patch management platform that monitors all of our systems, devices, and applications for available updates or security patches. This system enables us to deploy patches across our entire environment in a controlled and efficient manner.

  • Comprehensive Coverage: Our patching capability covers all computing devices (such as laptops, servers, and endpoints), applications (including third-party software), operating systems, network devices, and cloud infrastructure. This ensures that every layer of our IT ecosystem is patched and updated consistently.

  • Patch Testing and Validation: Before deploying patches into production, we rigorously test all patches in a staging environment to ensure they do not introduce compatibility issues or disruptions. This helps mitigate the risk of unintentional system outages or performance degradation after patches are applied.

  • Monitoring and Auditing: We continuously monitor our systems for compliance with the latest patch requirements and maintain detailed audit logs of all patching activities. This allows us to quickly identify any systems that may have missed patches or failed to apply updates correctly.

By having a centralized and automated patch management system, we can efficiently ensure that all systems and applications are up-to-date and secure.

Yes, we ensure that critical vulnerabilities are patched within 30 days as part of our patch management and vulnerability remediation process. This includes:

  • Critical Vulnerability Identification: We define critical vulnerabilities as those that pose a significant risk to the security, integrity, or availability of our systems or customer data. These are vulnerabilities that, if exploited, could lead to a data breach, service disruption, or other severe consequences.

  • Patch Deployment Process: Once a critical vulnerability is identified, our team follows an expedited process to deploy a patch or remediation within 30 days of disclosure. This includes immediate testing in a controlled environment and a rapid deployment to production systems.

  • Emergency Patching: In cases where a critical vulnerability poses an immediate threat, we implement emergency patching protocols to apply fixes as quickly as possible—often within 72 hours or less, depending on the nature of the threat.

  • Compliance Monitoring: Our patch management system tracks and reports the status of patches, ensuring that critical vulnerabilities are addressed within the established 30-day window. Compliance with this timeline is regularly audited as part of our internal security reviews.

By adhering to this policy, we minimize the risk of exploitation of critical vulnerabilities and ensure that our systems remain secure and compliant with industry standards.
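The compliance monitoring step above, as an added example rather than SupportPay's own patch-management system: it applies the stated windows (30 days for critical vulnerabilities, 72 hours when emergency patching is invoked) to tracked vulnerability records and reports which ones are overdue or were patched late. Record fields, vulnerability identifiers and dates are constructed placeholders.

```python
"""Track critical-vulnerability remediation against the 30-day / 72-hour windows.

Added example, not SupportPay's own tooling. VulnRecord, the placeholder
identifiers (VULN-000x) and the dates below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CRITICAL_WINDOW = timedelta(days=30)    # standard window for critical vulns
EMERGENCY_WINDOW = timedelta(hours=72)  # window when the threat is immediate


@dataclass
class VulnRecord:
    vuln_id: str                  # placeholder id, not a real advisory
    host: str
    severity: str                 # "critical", "high", "medium", "low"
    disclosed: datetime           # when the vulnerability was identified
    patched: Optional[datetime] = None
    emergency: bool = False       # emergency patching protocol invoked


def remediation_window(rec: VulnRecord) -> Optional[timedelta]:
    """Only critical vulnerabilities carry a fixed window in this policy."""
    if rec.severity != "critical":
        return None
    return EMERGENCY_WINDOW if rec.emergency else CRITICAL_WINDOW


def deadline(rec: VulnRecord) -> Optional[datetime]:
    window = remediation_window(rec)
    return None if window is None else rec.disclosed + window


def status(rec: VulnRecord, now: datetime) -> str:
    """Classify a record relative to its deadline at time `now`."""
    due = deadline(rec)
    if due is None:
        return "no-sla"
    if rec.patched is not None:
        return "patched-in-window" if rec.patched <= due else "patched-late"
    return "open-in-window" if now <= due else "overdue"


def compliance_report(records, now):
    """Return (counts per status, records needing attention) for an audit."""
    counts: dict[str, int] = {}
    attention = []
    for rec in records:
        state = status(rec, now)
        counts[state] = counts.get(state, 0) + 1
        if state in ("overdue", "patched-late"):
            attention.append((rec.vuln_id, rec.host, state, deadline(rec)))
    return counts, attention


# Constructed sample: the report is run "as of" 15 June 2024, midday.
AS_OF = datetime(2024, 6, 15, 12, 0)
SAMPLE_RECORDS = [
    VulnRecord("VULN-0001", "web-01", "critical",
               datetime(2024, 5, 20), patched=datetime(2024, 6, 10)),
    VulnRecord("VULN-0002", "db-02", "critical", datetime(2024, 5, 1)),
    VulnRecord("VULN-0003", "vpn-01", "critical",
               datetime(2024, 6, 10, 9, 0), patched=datetime(2024, 6, 14),
               emergency=True),
    VulnRecord("VULN-0004", "build-03", "high", datetime(2024, 6, 1)),
    VulnRecord("VULN-0005", "app-07", "critical", datetime(2024, 6, 5)),
]

if __name__ == "__main__":
    counts, attention = compliance_report(SAMPLE_RECORDS, AS_OF)
    print(counts)
    for vuln_id, host, state, due in attention:
        print(f"{vuln_id} on {host}: {state} (deadline {due:%Y-%m-%d %H:%M})")
```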

Compliance & Security Standards

  • Are processes in place to ensure that all third-party contractors (i.e., someone you have hired who is not an employee) are qualified and adhere to the organization's security policies? Yes
  • Audit Trails (GDPR): Yes
  • SOC 2 Compliance: Roadmap
  • SOC 3 Compliance: Roadmap
  • ISO/IEC 27001:2013 Compliance: Yes
  • CCPA Compliance: Yes
  • GLBA Compliance: Yes
  • Prevent Unencrypted File Transfers (PCI DSS): Yes
  • CIPA Compliance: Roadmap
  • PCI Compliance: Yes
  • Single Sign-On and Active Directory Integration: Yes
  • Whitelist Networks / IP Addresses: Yes
  • Deep SOD (Segregation of Duties) Analysis: Yes
  • Security Infrastructure: Yes
  • Product Security: Yes
  • Business Continuity: Yes
  • Customizable User Identity Vector: Yes

Data Privacy

  • Privacy Controls: Yes
  • Data Retention: Yes
  • User Permissions: Yes
  • Audit Controls: Yes
  • Can Participant Data be Shared with any Third Party Without Their Written Consent (Even Business Associates)? No

Privacy Regulations

Yes, we have a well-defined and established process for providing individuals with their personal data, in compliance with privacy regulations such as GDPR and CCPA. This process includes:

  • Data Access Requests: We have a clear, streamlined procedure in place for individuals to request access to their personal data. Requests can be made through secure channels such as email or a dedicated portal, and they are tracked to ensure timely responses.

  • Verification and Authentication: To ensure the security and privacy of the individual’s data, we implement identity verification mechanisms before processing access requests. This helps us confirm the identity of the individual making the request and prevents unauthorized access to personal data.

  • Timely Response: As per GDPR (Article 15) and CCPA (Section 1798.100), we commit to providing individuals with their requested data within 30 days of receiving the request. If additional time is needed (such as in cases of complex requests), we notify the individual within the initial time frame and provide an estimated completion date.

  • Comprehensive Data Retrieval: Our process includes retrieving all personal data related to the individual from various internal systems, including customer databases, applications, and third-party service providers. We ensure that the data provided is complete, accurate, and includes all relevant records, including any stored preferences, consent records, and transactional history.

  • Data Format and Delivery: We provide the requested data in a structured, commonly used, and machine-readable format, such as CSV or JSON, to facilitate easy access and portability. We ensure that the data is transmitted securely, and we work to ensure that the process is transparent and clear to the individual.

  • Record Keeping and Documentation: We maintain a detailed record of all data access requests, including the identity of the individual, the scope of the data provided, and the timeline of completion. This allows us to comply with regulatory auditing requirements and demonstrate our commitment to transparency and privacy protection.

Our process for providing individuals with their personal data is designed to ensure compliance with privacy laws and to maintain high standards of data protection.

Yes, we have updated our data-collection consent statement to fully comply with the regulatory requirements of both GDPR and CCPA. These updates ensure that individuals are properly informed about how their data will be used, processed, and stored. The key elements of our updated consent statement include:

  • Clear and Explicit Consent: In compliance with GDPR Article 6 and CCPA Section 1798.120, we now provide clear, specific consent options for individuals at the point of data collection. Consent is obtained in a manner that is both affirmative (e.g., through a checkbox or opt-in mechanism) and unambiguous, ensuring that individuals understand what data is being collected and how it will be used.

  • Transparency in Data Collection Practices: Our consent statement explicitly outlines the types of personal data being collected, the purposes for which the data will be used, the legal bases for processing (as per GDPR requirements), and the retention periods. We provide this information in clear, easy-to-understand language to ensure that individuals are fully informed.

  • Right to Withdraw Consent: As required by GDPR Article 7 and CCPA Section 1798.120, our updated consent statement includes information on how individuals can withdraw consent at any time, and how doing so will not affect the lawfulness of data processing before the withdrawal.

  • CCPA-Specific Requirements: For users in California, our consent statement includes specific disclosures required by CCPA regarding their rights to opt-out of the sale of personal information, request access to their personal data, and request deletion of their data. We also explain the process for submitting these requests in a clear and accessible way.

  • Purpose Limitation and Data Sharing: We include disclosures about how personal data may be shared with third parties, if applicable, and under what circumstances. We also clearly indicate that individuals have the right to limit the use and disclosure of their personal data to third parties, in accordance with both GDPR and CCPA.

  • Age Verification for Minors: In line with both GDPR and CCPA guidelines, we obtain verifiable parental consent before collecting personal data from individuals under the age of 13 (under CCPA) or under the age of 16 (under GDPR, where applicable). This ensures that we comply with regulations related to minors’ data.

  • Updated Privacy Policy: Our privacy policy has also been updated to reflect these changes, with clear references to the rights of individuals under both GDPR and CCPA, including the right to access, rectify, erase, restrict, or object to processing, as well as the right to data portability.

These updates ensure that we remain in compliance with the latest privacy regulations and provide individuals with transparent, accessible options for managing their personal data.