Last update: August 7, 2020
At Zapproved, we understand how important data security and privacy is to our customers, and we do not take our responsibility to secure and protect this data lightly. We work hard to ensure that data security and privacy is a top consideration in all of our business operations. Here are some of the ways we protect your data.
Compliance & Regulatory
SOC II Audit
Zapproved has established controls to comply with the gold standard in SaaS audit frameworks. Our AICPA SOC II, Type II audit is performed annually by a leading national audit firm. Our controls are mapped and tested against AICPA standards including:
- Documented security policies and standards
- Corporate risk assessment processes
- Incident response procedures
- Employee/contractor onboarding process, background checks, confidentiality agreements, and security/privacy training
- System standards, logging, and monitoring controls
- Vulnerability management processes
- Secure development and release management controls
Our SOC II audit also includes a mapping of our internal controls to the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA).
Zapproved has completed all requirements of the U.S./EU Privacy Shield framework for the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. We support key compliance privacy regulations including the General Data Protection Regulation (GDPR) and user privacy rights of access, erasure, rectification, data portability, notification, objection, and rejection.
Secure Data Hosting
AWS Cloud Platform
All Zapproved applications and databases containing customer data are hosted in U.S. data centers which adhere to industry-standard best practices including ISO 27001, SOC 2, FedRAMP, HIPAA, and others. Zapproved follows industry best practices for securing production services and requires strict authentication and authorization controls, including MFA, for access.
Data Classification and Disaster Recovery
Zapproved classifies all customer data as its most sensitive and critical information. Customer data is only processed and stored in accordance with customer agreements. We retain customer data solely at the discretion of customers and provide secure data disposal upon request.
We maintain frequent backups of all customer data, which is securely stored in multiple geographically dispersed data centers to provide prompt recovery in the event of an outage.
In addition to our internal code-level and system-level vulnerability scanning, we engage with third-party security experts to perform extensive vulnerability and penetration testing on our production services. These assessments combine multiple techniques to look for OWASP Top 10, SANS 25, and other common security vulnerabilities.
Our security risk management program identifies and prioritizes risks to our services, and provides a prompt response to remediate high risk threats and vulnerabilities. Risks are tracked and reported to executive management on a regular basis.
Potential security events or vulnerabilities can be reported to Zapproved by contacting us at firstname.lastname@example.org.
Information Security Program
Industry Best Practices
Zapproved Information Security program ensures the confidentiality and integrity of all customer information under its care. Established policies, based on industry best practices, govern Zapproved’s data classification, personnel practices, data retention and encryption, data access, application development, change management, disaster recovery, and incident reporting and response processes.
Customer data is encrypted at all times while in-transit and at-rest. We use secure protocols such as TLS 1.2 to encrypt data while in-transit and AES-256 or higher to encrypt data at-rest. We have secure processes for managing and rotating encryption keys used in our environment.
Zapproved supports SFP and DKIM security for all email communication in our platform. Our email servers also support TLS for secure email transmission.
Zapproved supports secure authentication into its services and provides customers the opportunity to use SAML 2.0 or OAuth2/OIDC for user authentication. User authentication and authorization is required for access to customer data, and our services enforce common password standards such as NIST 800-63.
Secure Software Development
We practice security by default by integrating security best practices into our development lifecycle. We have built security checkpoints in our development and testing processes, and we perform security testing for all releases. We integrate Open Web Application Security Project (OWASP) Top Ten standards into our development and testing methodologies.
Zapproved maintains an Incident Response Plan that outlines our internal procedures for security and privacy incidents. We notify customers promptly if a security or privacy incident impacts their data or services. Security and privacy incidents are tracked by our security incident team for resolution and root cause analysis.
Employee Screening & Training
Access to customer data is restricted to personnel who need access in order to support our services. New employees and contractors undergo multiple levels of screening including background checks. All personnel are required to sign non-disclosure and confidentiality requirements and undergo regular security and privacy training.