At Custify, we take the security of our customers’ data very seriously. That’s why we’ve made sure that our internal data handling processes comply with key data security standards and regulations.
SOC 2 Type II
Cusitfy has been certified as SOC 2 Type 2 compliant following a comprehensive evaluation by an independent auditor.
Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 is the leading framework for secure customer data management. It is based on the following five key principles, also known as the “trust service principles” (TSPs):
- Security: Whether the system (in our case, the Custify platform) is protected against unauthorized access, misuse, theft, or alteration of information.
- Availability: Whether the system is accessible as defined by the conditions of a contract or service level agreement (SLA).
- Processing integrity: Whether the system delivers on its purpose and functions reliable, accurately, and in a timely manner.
- Confidentiality: Whether the confidential information within the platform can only be accessed by an authorized party.
- Privacy: Whether the platform’s handling of customers’ personally identifiable information (PII) complies with the AICPA’s Generally Accepted Privacy Principles (GAPP).
An SOC 2 certification is awarded by an independent third-party evaluator following a lengthy audit of the company’s data security practices. There are two types of SOC 2 audits and, respectively, certification:
- Type 1, which evaluates an organization’s data security practices at a given point in time. A Type 1 audit is usually performed to establish whether the organization has any data security measures in place to begin with.
- Type 2, which evaluates an organization’s data security practices over a certain period of time (usually between 3 and 12 months). A Type 2 audit is a superior standard compared to Type 1 and established whether the organization’s data security measures are functioning as intended.
ISO/IEC 27001
Custify is fully compliant with the ISO/IEC 27001 standard of information security management.
Created by the International Organization for Standardization (ISO) in collaboration with the International Electrotechnical Commission (IEC), ISO/IEC 27001 is the world’s most prominent information security standard.
The purpose of an ISO/IEC 27001 is to establish whether an organization has implemented an information security management system (ISMS). An ISMS is a combination of hardware, software, and internal processes that enables the organization to protect sensitive information, including customer data.
This includes rigorous guidelines for:
- Collecting data
- Storing data
- Using data
- Assessing and mitigating data security risks
- Continuously improving data security practices
Just like with SOC 2, an ISO/IEC 27001 certification is issued to an organization by an independent third-party auditor based on 93 parameters. A successful certification means that the organization fulfills the key three principles of the ISO/IEC 27001 standard:
- Confidentiality: The information is only accessible by authorized stakeholders.
- Integrity: The information can only be altered by authorized stakeholders.
- Availability: The information can be accessed by authorized stakeholders on demand.
GDPR
Custify maintains an active compliance with General Data Protection Regulation (GDPR) in full accordance with EU legislation.
Implemented in 2018, GDPR outlines the data privacy and security requirements across the entire European Economic Area (EEA).
GDPR compliance is mandatory for every organization that targets or collects data from EEA citizens or residents, regardless of where the organization is based.
Google / Microsoft 365 SSO
Custify supports enforceable single sign-on (SSO) for both Google Workspace and Microsoft 365 in an extra effort to mitigate data risks.
Single sign-on is a feature that allows employees or users to access an organization’s online apps and services with a single set of login credentials. It also allows the company to easily manage or remove access if needed.
Role-Based Access
Custify offers flexible role-based access control for enhanced data security.
In Custify, admins can control what data their teammates can access based on their roles in the organization. More specifically, they can set up specific roles with custom permissions and assign them to individual users.
This follows the Confidentiality principle of the SOC 2 standard and helps ensure that sensitive information is only accessible to authorized users.
Get in touch
At Custify, we aim to continuously improve and strengthen our internal data security processes. The safety of our customers’ data is our top priority, and our team works hard to ensure it.
If you have any further questions about how we handle your data, feel free to refer to our Privacy Policy and GDPR Data Protection Addendum. Or, reach out to us at contact[at]custify.com.
