Compliance: Ensuring the Integrity and Confidentiality of Client Data


We go to great lengths to protect the confidentiality of the data maintained on behalf of our clients – providing our clients with the highest standard of care to maintain the integrity and confidentiality of each settlement.

Our distribution processes undergo an annual SOC 1 Type II audit that tests Analytics’ controls for ensuring that funds are distributed accurately and in conformance with client directions. Exceeding the requirements of SOC 2, Analytics holds a FISMA-moderate “Authority to Operate” from the Securities and Exchange Commission and the Bureau of Consumer Financial Protection, and an “Authority to Use” from the Federal Trade Commission.

Regardless of a client’s compliance requirements, Analytics will exceed their expectations. With the Federal agency responsible for enforcing data privacy laws as a client, we provide the highest standard of care in protecting the integrity and confidentiality of the information we collect and manage.

In-depth Compliance Overview

NIST

NIST Special Publication 800-53 provides a catalog of security controls for all U.S. federal information systems. NIST 800-53 is the foundation of nearly all security requirements within the IT space.

Alignment to NIST 800-53 is maintained within Analytics at all levels, from the requirement to use FIPS standards through the physical access requirements for data center entry. Clients are encouraged to review our policies and processes to evaluate our alignment and to help ensure alignment to their own requirements.

SOC 1 Type II

SSAE 18 Service Organization Control 1 (SOC 1) reports on various organizational controls related to Analytics’ services and information security, performed by the AICPA as a third-party audit. SOC 1 is not a point-in-time audit but a full, backward-looking review of performance against defined policies and processes.

Analytics has a SOC 1 Type II audit conducted annually to ensure that all services are independently evaluated and the proper controls are utilized.

EU-US Privacy Shield

The EU-US Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.

Analytics operates in full conformance with the EU-US Privacy Shield framework, ensuring that customer data is correctly maintained and handled, that proper notification and privacy protections are in place, and that data sovereignty is enforced.

PCI-DSS

The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

Validation of compliance is performed annually for Analytics’ data centers as well as its operations and business functions, and a Self-Assessment Questionnaire (SAQ) is available to clients.

HIPAA

The Health Insurance Portability and Accountability Act’s Privacy Rule established a set of national standards for the protection of certain health information. Building on the NIST platform, ongoing training ensures compliance with HIPAA privacy requirements.

Validation of compliance is performed annually for Analytics’ operations and data centers.