SOLICITATION # CH16012

• DOD IT RMF/DIACAP (MAC 1/II/III Sensitive & Public)
• HIPAA-HITECH-Omnibus
• PCI-DSS
• ISO/NATO
• CNSS/ICD/DCID/NISPOM

SAP

Ariba

We are audited and certified by an independent third-party auditor, PricewaterhouseCoopers (PwC), for compliance with ISAE 3402 SOC1 Type II, SOC2 and SOC3 every six months. Upon completion of the audit, an attestation letter is issued stating our compliance. In addition, our primary hosting facility (Equinix) infrastructure is audited for compliance with SSAE 16 SOC1 Type II.

The Service Organization Controls (SOC) report is aimed at three different audiences. SOC1 (aimed at financial auditors) is the same type of report as the SAS70 but also includes an attestation letter signed by both our company and the auditor. SOC2 is aimed at IT and security practitioners. SOC3 is the publicly viewable web seal showing that we have been audited.

In addition, we have attained PCI (Payment Card Industry) DSS (Data Security Standard) certification as a Level 1 Service Provider and compliance with the Visa USA Cardholder Information Security Program (CISP) and the MasterCard Site Data Protection (SDP) program. These programs were created specifically for merchants and service providers who process, store, or transmit cardholder data.

The PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. CISP and SDP reflect Visa's and MasterCard's respective longstanding commitment to information security.

Fieldglass

SAP Fieldglass has achieved the following certifications:
• ISO 27001
• SSAE 16 SOC 1 and SOC 2

HIPAA
Fieldglass does not store Protected Health Information (PHI) on its system and is not required to comply with the Health Insurance Portability and Accountability Act.

PCI
The Fieldglass application does not process credit card information. We are not, and are not required to be, PCI compliant.

Hanna

Please see response to 8.6.1

Hybris

The Savvis datacenter located in Boston, MA is SSAE 16 Type II SOC 1 compliant. This replaces the older SAS70 Type II audit standard.

SuccessFactors

We have been audited to the SOC 2 Trust Services Criteria. This signifies that our control objectives and control activities have been examined by an independent accounting and auditing firm, and that these controls fairly presented the controls in operation as of a specific date and were suitably designed to achieve the control objectives. Our SOC 2 audits are conducted semi-annually (May, November) by PricewaterhouseCoopers (PwC). We also hold US Federal FISMA Moderate