As a leading provider of enterprise consent and preference management solutions, we understand how important it is to protect our customers' data. Just as we go to great lengths to protect our clients' privacy, we do the same to protect their data and to provide a high level of system performance and reliability. We protect your data by implementing and following a strict protocol of security and compliance measures.
CompliancePoint’s Data Centers: Our highly secure data centers are hosted at QTS facilities with extensive physical and virtual safeguards in place.
Data Security Certifications and Policies: Our policies and practices are designed to provide our customers with peace of mind for regulatory compliance.
CompliancePoint understands that the confidentiality, integrity, security and availability of our customers' information are vital to their business operations and our own success. We have stringent standards and processes in place to ensure data safety and integrity while maintaining a high-level of performance.
CompliancePoint's services are hosted on dedicated platforms at highly secure data centers. We have a data center in Suwanee, Georgia and another in Irving, Texas.
Highlights of the access security measures in place include:
- Visitors to the data center must present a photo ID, have their photo taken for a badge, and be escorted by authorized CompliancePoint personnel.
- CompliancePoint's data center has its own private security force. The data center is staffed 24/7/365.
- Multiple authentication factors are used to prevent unauthorized access, including badge cards, biometrics and security guards for physical access, and access control devices for logical access.
- CompliancePoint servers are locked in a private cage accessible only by badged, authorized CompliancePoint personnel.
- Biometric access controls include fingerprints and iris pattern scanning for access to restricted areas.
Many of the additional security measures in place at the Suwanee, Georgia and Irving, Texas data centers are proprietary and confidential. QTS publishes its own statement of facility security measures on its website. The following provides a high-level description of some of the additional security measures in place.
Hardware and Encryption
CompliancePoint's data center has CCTV monitored on a 24/7/365 basis and a private security force. There are no personal computers in the data storage area, only servers, which are housed in a secure private cage. Any hardware brought into or removed from the data center is tracked, and records are kept by Data Center Services (Quality Technology Services, the data center owner) and CompliancePoint's facilities manager.

CompliancePoint's data center uses an environmentally friendly power supply system that incorporates a steady stream of power from the local utility company and back-up power using a constant power supply (CPS) and diesel generators. With the CPS system, there is no need for battery-powered UPS units.
CompliancePoint offers SSL/TLS (HTTPS) for secure HTTP connections between a customer's computer and our servers in the data center. Data that is sent to us encrypted remains encrypted. Additionally, intrusion detection as well as fire detection and suppression systems are in place. Server, firewall, and critical system logs are reviewed, at a minimum, on a daily basis.
All customer data is stored in secure QTS data centers and is replicated over secure links to a disaster recovery data center. This design provides the ability to rapidly restore application services in the event of an outage or loss of a primary data center.
CompliancePoint's network components and servers use a redundant configuration to help ensure availability. All customer data is backed up daily with incremental backups made hourly. Backups are made to disk and disks are archived monthly off-site by Iron Mountain in their secure facility.
Network Security Measures
CompliancePoint's Systems Department is charged with securing all network resources, both centralized and decentralized, and has the responsibility and authority to monitor network traffic to confirm that security practices and controls are adhered to and are effective. All security monitoring is executed in accordance with CompliancePoint Information Security policies. CompliancePoint maintains certain privacy and security certifications, as well as policies that apply to all information handling processes.
Data Security Certifications & Policies
CompliancePoint recognizes that our customers are subject to laws that govern the handling of personal information. We seek to support our customers' compliance with such laws by providing a comprehensive privacy and security program that includes certifications (e.g. PCI DSS), policies, practices, people, and technology. CompliancePoint does not specifically store, process and/or transmit cardholder data as a part of our business transactions but we have chosen to maintain our environment in compliance with PCI DSS.
Security Training & Communication
CompliancePoint’s comprehensive privacy and security program includes communicating with personnel and customers about current issues and best practices.
Upon hiring, each employee undergoes training on CompliancePoint's Information and Data Security policies and must sign a statement that they have received such training. Updates to the Information and Data Security training are conducted as necessary throughout the employee's tenure at CompliancePoint.
CompliancePoint strongly encourages all customers and users to adopt industry-standard solutions to secure and protect their authentication credentials, networks, servers, and computers from security attacks. CompliancePoint contacts customer administrators about specific security issues when warranted. Additionally, all CompliancePoint personnel are required to follow CompliancePoint's confidentiality, privacy, and information security policies.
Default Privacy and Security Features
Application features that protect customer data:
- Connections to the CompliancePoint services are made over Secure Sockets Layer / Transport Layer Security (SSL/TLS), ensuring that our customers have an encrypted connection to their data. Individual user sessions are uniquely identified and re-verified with each transaction.
- Application logs record the creator, the last modifier, timestamps, and the source IP address for every transaction completed.
Logical separation of customer data:
- Hardware and software configurations are designed to provide secure logical separations of customer data that permit each customer to view only its related information.
- Multi-tenant security controls include unique, non-predictable session tokens, configurable session timeout values, password policies, sharing rules, and user profiles.
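The two controls above, a non-predictable session token that is re-verified on every request and a lookup that is scoped to the requesting customer's own data, are shown together in the following added example. This is illustrative code written for this page, not CompliancePoint's own implementation (which is not published here); the 15-minute idle timeout, the 8-hour absolute timeout, the `RECORDS` table and the tenant names are constructed assumptions.

```python
"""Session tokens with configurable timeouts, plus tenant-scoped record access.

Illustrative example only (not CompliancePoint's code). Assumptions are marked.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user_id: str
    tenant_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session table.

    Tokens are 256 bits from the OS CSPRNG (unique and non-predictable), and only
    their SHA-256 digest is kept server-side, so a leaked session table cannot be
    replayed as live tokens. Timeouts are configurable per deployment.
    """

    def __init__(self, idle_timeout: float = 15 * 60.0,      # assumed default
                 absolute_timeout: float = 8 * 3600.0,        # assumed default
                 clock: Callable[[], float] = time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock                      # injectable for testing
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user_id: str, tenant_id: str) -> str:
        """Issue a fresh token at login; never reuse a pre-login token (fixation)."""
        token = secrets.token_urlsafe(32)        # 32 random bytes, URL-safe base64
        now = self._clock()
        self._sessions[self._digest(token)] = Session(user_id, tenant_id, now, now)
        return token

    def verify(self, token: str) -> Optional[Session]:
        """Re-verify a presented token on every request.

        Returns the session, or None if the token is unknown or has timed out;
        expired sessions are removed so they cannot be revived.
        """
        key = self._digest(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess.last_seen > self.idle_timeout
                or now - sess.created_at > self.absolute_timeout):
            del self._sessions[key]
            return None
        sess.last_seen = now                     # sliding idle window
        return sess

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._digest(token), None)


# Constructed sample data: each record carries the tenant that owns it.
RECORDS = {
    "rec-1": {"tenant_id": "acme", "consent": "opt-in"},
    "rec-2": {"tenant_id": "globex", "consent": "opt-out"},
}


def fetch_record(store: SessionStore, token: str, record_id: str) -> dict:
    """Logical separation: a caller may only read records of its own tenant."""
    sess = store.verify(token)
    if sess is None:
        raise PermissionError("invalid or expired session")
    rec = RECORDS.get(record_id)
    # Filter on the session's tenant, and answer "not found" either way so a
    # caller cannot probe whether an ID exists under another customer.
    if rec is None or rec["tenant_id"] != sess.tenant_id:
        raise LookupError("record not found")
    return rec


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", "acme")
    print(fetch_record(store, tok, "rec-1"))     # own tenant: returned
    try:
        fetch_record(store, tok, "rec-2")        # other tenant: refused
    except LookupError as exc:
        print("cross-tenant read refused:", exc)
```

The store keys on a digest rather than the raw token so that a database dump does not hand an attacker usable sessions; the cross-tenant case deliberately returns the same error as a missing record.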
Network security measures include:
- Network and host-based firewalls
- Intrusion-detection sensors
- Security event management system
- External vulnerability scanning