Is Zingtree compliant with industry standard security and privacy regulations?

Yes. Zingtree has been awarded its SOC2/Type2 and HIPAA third-party compliance attestation.
Zingtree’s policies and processes also satisfy the compliance standards for GDPR and CCPA privacy regulations.
Does Zingtree base its security program on a reputable industry standard?

Zingtree bases its security program on the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and Cybersecurity Framework (CSF), together with the associated security and privacy controls catalogued in NIST SP 800-53, r5.
In support of this framework, Zingtree has developed the policies and processes required to comply with an array of international and domestic privacy regulations, such as GDPR and CCPA.
These include safeguards surrounding governance, security/privacy compliance, industry best practices, and culture. Zingtree likewise stays proactive on the industry's latest security and privacy challenges and responses, in order to minimize potential exposure.
Does Zingtree do third-party security and privacy assessments, such as penetration testing?

Yes. In addition to conducting its own internal audits, Zingtree periodically engages qualified third parties to conduct compliance audits, vulnerability scanning, penetration testing, legal compliance reviews, GDPR Article 27 representation, and a variety of other security and privacy services.
What type of information does Zingtree store and process, and how sensitive is it?

Zingtree stores and processes Protected Health Information (PHI) and personal data (including special category data). Credit card information is handled by a third-party payment processor (i.e., Stripe), not by Zingtree.
How does Zingtree transmit information?

All information is transmitted over HTTPS (TLS-encrypted) and/or through a secured API.
Does Zingtree have a designated Security/Privacy official?

Yes, Zingtree has appointed Mark R. Beckmeyer, D.Sc., CISSP as the Senior Director, Security/Privacy. Mark has over 30 years of experience in information assurance. He holds a D.Sc. (Doctor of Science) in cybersecurity and an MA (Master of Arts) in Security Management, is a CISSP (Certified Information Systems Security Professional), and is an active member of the Northern Virginia Chapter of ISC2 (International Information System Security Certification Consortium).
What security and privacy policies has Zingtree enacted?

Zingtree has developed and published a comprehensive set of 48 security and privacy policies, which are approved annually by Zingtree's executive management and reviewed by its third-party auditors. All Zingtree employees are required to review and acknowledge these policies annually.
Does Zingtree have a security awareness training program?

Yes, Zingtree has implemented comprehensive security and privacy awareness training, including:
– Security/privacy briefings for new hires
– Annual company-wide security/privacy training
– Periodic company-wide messages about security
Where is Zingtree hosted and how is it secured?

Zingtree is hosted on Amazon Web Services (AWS) in multiple geographic regions, including US East (Northern Virginia) and Europe (Ireland). Security and compliance are a shared responsibility between AWS and Zingtree: AWS is responsible for the “Security of the Cloud” (the underlying infrastructure), and Zingtree is responsible for the “Security in the Cloud” (the configuration, data, and applications it runs on that infrastructure). Please see the AWS Shared Responsibility Model.
Is there a Disaster Recovery Program?

Yes, Zingtree has implemented a comprehensive disaster recovery program (DRP), which is based on NIST SP 800-34, r1. Moreover, Zingtree conducts a formal business impact analysis (BIA) annually, and periodically tests the DRP for failover and backup/restore performance.
Does Zingtree have a security incident response program?

Yes, Zingtree has implemented a comprehensive security incident response (SIR) plan, which is based on NIST SP 800-61, r2.
Does Zingtree have a change management program?

Yes, Zingtree has implemented a formal change management program, which includes a comprehensive policy that consists of procedures to be followed and documented.
Is there an access control policy?

Yes, Zingtree has implemented a comprehensive access control policy, which includes:
– Unique user IDs
– Role-based assignment of user accounts, with manager and security approval
– Password complexity requirements and periodic forced password changes
– Periodic user entitlement reviews