At Firespring, we put our clients at the center of everything we do. The security of your data is a pillar of this philosophy. We take the privacy and security of your data very seriously and make significant efforts to protect it. Our security program is designed to make security part of our services, software and company DNA.
SOC 2 Type 1 Assessment
Firespring has successfully completed a SOC 2 Type 1 audit for the trust services principle of security (our report is available upon request). To complete this audit, Firespring has partnered with A-LIGN, Inc. an industry leading cybersecurity and compliance firm. Here’s a statement from our auditors following the completion of our SOC 2 Type 1 assessment:
Firespring has recently completed its System and Organization Controls 2 (SOC 2) examination as of November 30, 2018. The examination was performed by an independent accounting and auditing firm. Completion of the SOC 2 Type I examination indicates that selected Firespring processes, procedures and controls have been formally evaluated and tested by an independent accounting and auditing firm. The examination included the company’s controls related to the Trust Services Criteria of Common Criteria/Security.
A SOC 2 examination is performed in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA). SOC 2 is designated as an acceptable method for a user entity’s management to obtain reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria.
A SOC 2 examination is widely recognized, because it represents that a service organization has been through an evaluation of their control activities as they relate to the applicable Trust Services Criteria. A Type I report includes the service organization’s system description, as well as a detailed testing of the design of the service organization’s controls to provide reasonable assurance that Firespring, Inc’s service commitments and system requirements were achieved based on the trust services criteria relevant to Common Criteria/Security set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).
A-LIGN, (Cybersecurity and Compliance Firm)
For additional information about Firespring’s SOC 2 Report or general security practices, please contact email@example.com.
Firespring has comprehensive policies for ensuring the security of all client data in our possession. Our data access policies observe the principle of least privileged access. All sensitive data must be encrypted in transit and enterprise firewalls filter traffic and only allow approved connections (deny by default). Additionally, Firespring only interacts with third-party software vendors using encrypted protocols. Encryption practices for all vendors are vetted by IT as part of our vendor assessment policy. All code and infrastructure changes for Firespring’s application environment are tested in a QA or development environment before deployment. No client data is allowed to be used in the test environments.
Access, Onboarding and Offboarding
Remote access to internal networks must go over encrypted VPN tunnels and requires two-factor authentication. Firespring maintains comprehensive procedures for regularly evaluating access levels and for immediately terminating the access of former team members. We’ve defined policies for data system lifecycle management and partnered with a secure recycling firm to ensure that old data is 100% completely destroyed at the end of its life. In addition to partnering with industry leading cloud service provider, AWS for our hosted applications, we take the physical security of our headquarters seriously, as well. All unmonitored entrances are equipped with access control; guests check in and check out logs are maintained and security cameras monitor our internal server and network facilities.
Firespring has implemented comprehensive policies outlining security related functions and these policies define who in our organization is responsible for compliance activities. We have defined roles in our organization for all recurring HR, IT, data security and compliance activities. All Firespring team members receive annual security training and are made aware of all policies. Background checks are conducted on all team members and contractors. Additionally, we have formalized our procedures for reporting compliance activities to management.
We use and monitor virus and malware protection on our computers. In addition to well-defined patch management procedures, we conduct regular vulnerability scanning of all internal networks. We prioritize the use of single sign-on and two-factor authentication when supported by software systems either internally or via third-party software vendors. And when it comes to taking payments, Firespring has partnered with industry leading, PCI-certified credit card processing companies to ensure that payment card data can be processed and protected without ever touching Firespring’s systems. Finally, all Amazon Web Services accounts managed by Firespring adhere to the Amazon Web Services Foundations CIS Benchmark.
Nonprofit Website Builder and PrinterPresence
The first thing you need to know is that we utilize Amazon Web Services (AWS) as our data center provider. Doing so allows us to scale and innovate quickly, while benefiting from the industry defining security standards that AWS has implemented across their cloud services. You can read more about AWS security here.
In addition to leveraging AWS as a hosting provider, Firespring has implemented some of the following security practices for your website:
- Data is either continuously replicated to multiple geographic regions or backed up via encrypted snapshots.
- All data is encrypted both in transit and at rest.
- Only essential personnel are granted access to internal networks.
- Access credentials are protected with 2FA.
- Our engineers operate within a Secure Development Lifecycle (SDL) policy that outlines operational controls.
- Code is deployed via well-defined and tightly controlled processes to ensure positive outcomes that minimize disruption.
- Infrastructure is managed as code so that changes are easily rolled back.