Security and Privacy Statement
Revised May 17th, 2023
Data protection and individual privacy rights are of paramount importance to TrueConfirm. We are committed to the safekeeping of our clients’ data and to adherence to all applicable data and privacy protection laws and security best practices.
TrueConfirm is unwavering in its commitment to confidentiality, integrity, and availability.
- Confidentiality: Our commitment to data security forms the backbone of our policies, illustrating how we use, process, and protect the confidentiality of personal data.
- Integrity: We pride ourselves in providing consistent, accurate, and trustworthy data throughout its entire lifecycle.
- Availability: We relentlessly maintain all hardware, software, and infrastructure to ensure industry-leading uptime and availability.
Security Program
TrueConfirm implements and sustains a comprehensive information security program, encompassing a robust set of policies and procedures that align with best practices for handling confidential data. Regular meetings are held by TrueConfirm's executive management to review and approve these policies and procedures.
Security Framework Compliance
TrueConfirm strives to comply with several industry-recognized cybersecurity frameworks, including but not limited to:
- ISO/IEC 27001, 27002, 27005, 27017, and 27018
- NIST Cybersecurity Framework
- FISMA
- SANS/CIS Critical Security Controls
- Cloud Security Alliance's (CSA) Security Guidance
- OWASP Security Knowledge Framework
- SOC 2 Type II Security Trust Service Criteria
- PCI-DSS 3.2.1
Privacy Program
TrueConfirm respects individual privacy and is firmly committed to ensuring the security of any information we obtain. We develop and maintain a comprehensive privacy program that includes a wide array of formal policies and procedures in alignment with best practices for individual privacy and confidentiality protection. Again, regular meetings are held by TrueConfirm's executive management to review and approve these policies and procedures.
We do not resell, distribute, or disclose any obtained data beyond the intended business use of our verification services. Our privacy policy is available online at:
https://www.trueconfirm.com/privacy
Privacy Regulation Compliance
TrueConfirm is compliant with widely recognized privacy laws and regulations, including but not limited to:
- Fair Credit Reporting Act (FCRA)
- California Consumer Privacy Act (CCPA)
- Virginia Consumer Data Protection Act (CDPA)
- European Union General Data Protection Regulation (GDPR)
- SOC 2 Type II Privacy Trust Service Criteria
Specific Safeguards
The purpose of this section is to provide an overview of TrueConfirm’s commitment to data security and privacy. If more detailed information on any aspect of our security or privacy is required, we are prepared to provide it upon request.
Employee Responsibility
- TrueConfirm provides its employees with ongoing interactive information security training to elevate awareness and reinforce best practices for confidential data handling.
- We evaluate our employees' security awareness through a phishing and security-training and compliance service.
- TrueConfirm's workforce, including software development and customer support roles, is entirely domestic.
Encryption
- TrueConfirm encrypts all information at rest in the database, complying with our data encryption policy.
- We encrypt all web application traffic using TLS 1.3+ (HTTPS), having disabled weak protocols (like SSL) and ciphers (like RC4) at the server level.
- Workstations use full drive encryption.
- TrueConfirm employs a HIPAA-compliant fax service to receive all inbound faxes as encrypted and password-secured PDF files.
Server Infrastructure
- TrueConfirm exclusively stores confidential data in data centers with independent third-party SOC examination reports, certifying the effectiveness of key compliance controls and objectives.
- We require our data center vendor partners to uphold stringent physical security controls, such as key cards, biometric authentication, security patrols, and closed-circuit video, all supported by 24/7 monitoring.
- Our web environment adopts widely recognized best practices for data security, including segmentation, audit logging, and input validation.
- Our Secure FTP (SFTP over SSH) process uses private-key authentication and strong transport encryption. The SFTP server is configured to accept inbound files only and does not permit downloading.
- TrueConfirm’s data centers are entirely domestic, negating the need for offshore data storage or processing.
Backup and Uptime
- TrueConfirm employs fully resilient systems and continuous data backups to minimize downtime and data loss in the event of a hardware or communications failure.
- We maintain industry-leading service-level agreements (SLAs) with our vendors to ensure service availability.
- While TrueConfirm is not considered a critical service, we maintain a minimum rated uptime availability of 99.5% for our combined server and systems infrastructure.
Malware Defense
- TrueConfirm utilizes next-generation antivirus technology on our perimeter network security controls.
- We administer centrally managed workstation antivirus/malware software, continuously updated to thwart malware infections.
- TrueConfirm scans all incoming and outgoing emails through multiple filtering mechanisms to deter malware, spam, and phishing.
- TrueConfirm's production and server infrastructure is cloud-based and entirely separate and isolated from employee workstation infrastructure.