We’re a company that takes data security and privacy very seriously, and we realize that our information security practices are important to you, too. While we don’t like to expose too much detail around our practices (since that could enable the very people we’re protecting ourselves against), below you’ll find some general information to give you confidence in how we secure the data entrusted to us. As you engage with us, we’ll be more than happy to walk you through the details surrounding our security and compliance.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that mandates privacy practices for businesses handling personally identifiable information. There’s no certification for HIPAA compliance, but we’ve completed the self-assessment as part of Cloud Security Alliance best practices.
We’ve created an Information Security & Management System in accordance with ISO 27001 guidelines. This security standard is a systematic approach to managing sensitive company information so that it remains secure, using a risk management process to evaluate people, processes, and IT systems.
We’ve completed a SOC 2 examination of our controls relevant to security, availability, processing integrity, confidentiality and privacy. We have a SOC 2 Type I report completed by an independent service auditor.
The Sharpen platform is hosted in Amazon Web Services (AWS), and uses the Shared Responsibility Model. We commit to the responsibility of this model through continuous audits and corporate security policies addressing corporate, development and operational security. AWS engages with external certifying bodies and independent auditors to provide customers with considerable information about the policies, processes, and controls established and operated by AWS. AWS is FedRAMP and HIPAA compliant, ISO 9001 and ISO 27001 certified, PCI DSS Level 1 compliant, and publishes a SOC Type II report.
We provide PCI-compliant functionality for payments in the platform through Sharpen Payments. We have an attestation of compliance from a qualified third-party service assessor. While you’re responsible for the ownership of the data, and it’ll remain in your ownership, our data processing agreement and protection policy detail that we’ll be a responsible steward of your data and work with you to maintain compliance with your regulations.