Trust Center

The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.

System access restricted to authorized access only

The company restricts privileged access to databases to authorized users with a business need.

The company restricts privileged access to the production network to authorized users with a business need.

The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.

The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.

The company's network is segmented to prevent unauthorized access to customer data.

The company reviews its firewall rulesets at least annually. Required changes are tracked to completion.

The company uses firewalls and configures them to prevent unauthorized access.

The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.

The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.

The company managers are required to complete performance evaluations for direct reports at least annually.

The company requires passwords for in-scope system components to be configured according to the company's policy.

The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.

The company's datastores housing sensitive customer data are encrypted at rest.

The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.

The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.

Complete a description of your system for Section III of the audit report

The company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.

The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.

The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.

The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.

The company notifies customers of critical system changes that may affect their processing.

The company maintains an organizational chart that describes the organizational structure and reporting lines.

The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

The company communicates system changes to authorized internal users.

The company's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS).

The company provides guidelines and technical support resources relating to system operations to customers.

The company provides a description of its products and services to internal and external users.

The company's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

The company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity.