As cloud-based visitor management providers, our team fully understands market needs for features that improve company security, safety, and branding.
But far too often, we’ve seen such new features arise in the industry at the expense of visitors’ data privacy.
At Proxyclick, protecting visitors’ rights, and particularly their right to data privacy, is at the forefront of everything we do.
It’s part of our culture, and we believe that no visitor management product should be designed in a way that sacrifices its visitors’ data. It does not have to be a win-lose situation, where we win on security, but lose on privacy.
But we see data privacy as an overarching mindset at our company. Ensuring data privacy shouldn’t just be reflected in a company’s product offerings, but should also be reflected in how the company operates as a whole.
Our latest data privacy attestation: the ISAE 3000 Type I Assurance Report
That’s why we get our latest data privacy attestation delivered by third-party auditors: the International Standard on Assurance Engagements (ISAE) 3000 Type I Assurance Report, or privacy attestation.
We not only thought it was important to validate our product, but also make sure that all of our processes were in line with leading international privacy regulations and framework.
We’re proud to announce that, following the renewal of our SOC 2 Type 2 certification, we’ve become the first visitor management system to receive this privacy attestation as of February 2020. (Contact firstname.lastname@example.org for the report, under NDA.)
So what exactly does it mean for our organization and our customers? Let’s break it down.
The ISAE 3000 Type I Assurance Report: What is it, and what does it mean for Proxyclick?
First, there are two types of ISAE 3000 reports: Type I and Type II. Here’s how they differ:
The Type I report includes the opinion of an external auditor on a service organization’s system. The auditor describes the suitability of the design of the company’s privacy controls in operation, at a specific moment in time.
The Type II report involves an auditor examination of the suitability of the design and existence of privacy controls at a service organization, and on the operating effectiveness of these controls in a predefined period.
For Proxyclick, the process for receiving the 60-page Type I report meant undergoing a true test in the quality and legitimacy of our privacy process (and our product). Therefore, all of our company’s data processing documentation was examined by an independent auditor.
After about 6 months of work with the auditor, we’re happy to report that receiving this privacy attestation confirms that Proxyclick has complete documentation of our organization-wide internal processes and 100+ privacy controls.
We’ve clearly defined policies and procedures in place to ensure we can comply with our obligations related to data processing. These include dealing with data subjects’ requests, managing and informing the clients in the event of a personal data breach, and ensuring Proxyclick employees are regularly trained with respect to personal data processing.
What does this mean for our global enterprise customers?
As the independent auditor assessed our processes against leading privacy frameworks from around the world (described below), they can put further trust in Proxyclick’s data privacy measures.
A true global privacy framework for ISAE 3000 reports
ISAE 3000 reports attest that the above-described requirements were met in accordance with the Privacy Control Framework (PCF) published by NOREA.
This PCF allows for independent auditors to issue privacy control reports that align with local and global regulations and requirements. To establish the PCF, the following 5 leading international practice frameworks were considered and integrated:
EU: General Data Protection Regulation (GDPR)
USA: The National Institute of Standards and Technology (NIST)’s Privacy Control Catalog
EU: NOREA’s Raamwerk Privacy Audit
EU: EuroPriSe’s European Privacy Seal
USA: The American Institute of CPAs (AICPA)’s GAPP Principles
Where we’re headed next
In keeping with our data privacy mindset, Proxyclick is always working to strengthen and add to our data privacy certifications to ultimately achieve the highest data privacy standards in our industry.
So as a critical next step in our efforts, we’re undergoing the process to receive our ISAE 3000 Type II Assurance Report.
Receiving this second attestation will confirm that the internal control of our organization, and the effective operation of our privacy controls, are in accordance with the predefined processes and controls.
In the meantime, we’re keeping our internal systems and controls operating efficiently and securely, and will continue to improve the integrity of our processes in the future.
More information about our current data privacy and security measures can be found here.