Trusaic has implemented the following two mechanisms for international data transfers.
The DPF establishes a binding adequacy decision. EU supervisory authorities must accept the adequacy decision as creating a valid mechanism for EU-U.S. data transfers in compliance with the transfer provisions of the GDPR. Trusaic maintains a certification under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), including the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework. For companies certified to the DPF, a transfer impact assessment (TIA) is not required. A TIA is a formal risk assessment of all applicable privacy risks and the safeguards that mitigate them. Our customers can find the link to the DPF certification list here. We will maintain the certification throughout the term of any client agreement.
Trusaic encrypts all data across our systems in transit and at rest using secure, up-to-date protocols and key lengths.
Your data is protected from both physical and environmental threats.
Trusaic requires unique user accounts and multi-factor authentication for all our software solutions.
Trusaic has a comprehensive logging infrastructure in place across our software solutions and systems to assist clients in monitoring user activity.
Trusaic undergoes independent security auditing, vulnerability scanning, and penetration testing. Trusaic’s software solutions undergo continuous vulnerability scanning and annual external application penetration testing. As part of the software development life cycle, the software solutions undergo industry standard quality assurance and regression testing.
In addition to Trusaic’s information security program and application scanning and testing, Trusaic benefits from the world-class physical and environmental security of Microsoft’s Azure cloud platform. For more information on Azure’s security certifications see here.
Does Trusaic have a service level commitment? Yes. Trusaic will use commercially reasonable efforts to maintain availability of the software 24 hours a day, 7 days per week with no less than 99% uptime outside of scheduled maintenance. Planned maintenance that may affect the availability of Trusaic’s software solutions is generally performed at non-peak times with advance notice.
Can Trusaic act as your data processor? Yes. We leverage the principles of privacy by design and by default. The Trusaic platform enables customers to honor data subjects’ rights such as the right to access, correct, and delete data. We are also positioned to meet any local data retention and minimization requirements.
Trusaic is fully compliant with the new Standard Contractual Clauses published by the European Commission and has created a standard Data Protection Agreement (DPA) contract addendum that can be incorporated into client agreements involving international data transfers. Trusaic is also in the process of rolling out EU data localization so that EU clients can choose to localize their data storage on EU data servers.
Does Trusaic support consent-based data processing? Yes. Trusaic will only process your data for the services identified in your agreement and pursuant to the data processing terms and conditions of that agreement, which include data subject rights such as the right to access, correct, and delete data. We do not share your data with advertiser-supported services.
Does Trusaic use data sub-processors? There are limited situations where Trusaic will use data sub-processors. When we utilize subcontractors or sub-processors to perform tasks that require access to your data, they will only have access to the data necessary to perform the specific sub-function contracted for, and they will always be bound by the same contractual privacy commitments as Trusaic.
A list of sub-processors and their contracted sub-functions is available upon request and will always be fully identified in any DPA or other privacy addendum to the agreement.
How does Trusaic respond to data requests? We will always notify you prior to responding to any government, court, or law enforcement agency request. We will not disclose data except as directed by you or required by law.
If we receive a consumer data request related to data provided by you, we will always notify and work with you to ensure compliance with any local laws and regulations related to consumer data requests.