Cyberattacks continue to rise, increasing the need for robust data security. Global weekly attacks rose by 7% during the first quarter of 2023, versus the same quarter last year. Each organization is estimated to face on average 1248 cybersecurity attacks per week. Such is the concern that the White House announced the launch of a National Cybersecurity Strategy in March 2023.

If you are partnering with a workplace equity software provider, you must be confident that your data is secure. Choose a vendor that adopts best practices in data security, supported by robust technology and certifications.  

3 steps to ensure data security in your workplace equity software 

Workplace equity platforms contain highly sensitive data including confidential employee information and compensation details. The following steps will help you to assess a potential vendor:

  • Review the vendor’s certifications, security record, and plans with care. Prepare a list of questions and ensure you are happy with the answers. 
  • Assess the vendor’s data security plans. Do they carry out continuous vulnerability scanning and annual external application penetration testing as Trusaic does? As part of our software development life cycle, our software solutions undergo industry standard quality assurance and regression testing. 
  • Investigate your vendor: Can they provide examples of high-profile clients and trusted partnerships on request? Trusaic partners with and is certified by global HCM leaders, including SAP and Workday. 

Is a SaaS (Software as a Service) platform a safer option than on-premise?

SaaS systems provide organizations with continuously up-to-date, secure versions of critical software, without the need to maintain them. Most employers don’t have either the financial or staffing resources to provide the data security services that a SaaS platform offers.

In addition to our information security program and application scanning and testing, Trusaic benefits from Microsoft’s Azure cloud platform’s world-class physical and environmental security.  More information on its data security certifications is available here

Industry standard data security evaluation

Your workplace equity software provider should be able to provide evidence of industry audits and certifications, including:

SOC 2 Type II audits: SOC 2 is an auditing procedure that ensures your vendor can securely manage your data. A SOC 2 report focuses on how a provider implements and manages controls to mitigate risks. SOC 2 auditing is based on the five Trust Services Criteria which are, security, availability, processing integrity, confidentiality, and privacy. Security, referred to as the “Common Criteria” must be included with every SOC 2 report. Each organization should review its vendors to ensure they have conducted SOC 2 audits as it demonstrates their commitment to sensitive data protection. 

ISO 27001: ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) 27001 means an organization has implemented a system to manage data security risks that conforms to best practices of the International Standard. 

Be confident in your data security with Trusaic

Trusaic undergoes an independent audit of all five Trust Services Principles every year, conducted by BDO, LLP as part of our SOC 2 Type II certification process. A copy of the report is available to clients upon request. 

Our workplace equity platform is hosted on Microsoft Azure: Cloud Computing Services.

Customer data is physically protected by Trusaic’s cloud hosting provider which is SOC 2 and ISO27001 certified. You can be confident your data is protected both from physical and environmental threats.

In addition, continuous vulnerability scanning is integrated into our CI pipeline and annual external application penetration testing is conducted. As part of the software development life cycle, our software solutions also undergo industry standard quality assurance and regression testing.

Reviewing technical controls in your SaaS platform 

You must be confident in the technical controls your vendor uses to manage access to your data, which include: 

Encryption: Encryption protects your data from being stolen, changed, or compromised and it works by encoding “plaintext” into “ciphertext.” It is one of the simplest methods of ensuring sensitive data protection. 

Trusaic encrypts all data using secure, up-to-date protocols and key lengths, which include data encryption in motion (TLS 1.2+), and at rest (AES-256+). Encryption keys are properly secured using Microsoft-managed keys. Our data security also includes replication, backup, and disaster recovery planning. 

Password protection and access controls: Robust password protection has never been more important. In April 2023, 4.3 million records were compromised by cyberattacks across the world. Best practices include multi-factor authentication (MFA).

To ensure your data security, Trusaic requires unique user accounts and MFA for all our software solutions. Our access controls include:

  • Role-based access.
  • Access by the Trusaic team to the databases is on a need-to-know basis, following the principle of least privilege. Least privilege is a best practice in cybersecurity where users are only permitted the minimum levels of access required to fulfill their job functions. 
  • Access is removed promptly when no longer required.
  • Access rights reviews, approvals, and tracking are carried out on a regular basis.

Trusaic continually evaluates password protection as part of our data security certification processes. 

Security awareness training: As cybersecurity threats such as phishing become more sophisticated, security awareness training is vital for employees to safeguard data security. Trusaic has a program of rigorous data security training and awareness in place. 

Audit trails and comprehensive logging: An audit trail is a series of records about an operating system which monitors who accesses different data. Audit trails include details such as login ID, a summary of actions, and time stamps. 

To ensure your data security, Trusaic has a comprehensive logging infrastructure in place across our software solutions and systems to assist clients in monitoring user activity. Our processes include the following steps: 

  • Trusaic logs all users and network activity and responds rapidly to alerts of any abnormal activity.
  • Firewalls and host-based intrusion detection are in place.
  • Logs are reviewed weekly and on alert.
  • Security logs are retained indefinitely, and all other logs for 90 days.

Incident response: A response plan outlines the steps for an organization to take in the event of a data breach or other cybersecurity incident. The plan incorporates six steps, including preparation, detection, containment, investigation, remediation, and recovery. 

Trusaic’s incident response plans are an integral part of SOC 2 Type II audits and the ISO 27001 certification process. 

Compliance with GDPR, EU-U.S. DPF and CCPA data protection

As a best-in-class SaaS platform, Trusaic has implemented and maintains a comprehensive information security program that contains administrative, technical, and physical safeguards to secure your data. These are consistent with all data protection laws, including, but not limited to,  EU/UK GDPR and applicable federal and state law, including, but not limited to, California Consumer Privacy Act and, including the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) .

We are also fully compliant with the EU’s Standard Contractual Clauses (SCC) and provide a standard Data Protection Agreement (DPA) contract addendum that our clients can incorporate into their agreements which involve international data transfers. We are also rolling out EU data localization so our EU clients can choose to localize their data storage on EU data services if they choose.

Prioritizing data security at Trusaic 

Data security is a high priority at Trusaic. We are committed to industry best practices and integrity in all that we do. 

We only process your data for the services identified in your agreement and pursuant to the data processing terms and conditions of that agreement, which includes data subject rights such as the right to access, correct, and delete data. 

Learn more about our workplace equity platform, and how we ensure the safety of your data. 

Speak to one of our experts.  

Download: Pay Equity Definitive Guide