Skip to Main Content
Main Menu
Legal Center

Technical and Organizational Measures

Executive Summary

This Technical and Organizational Measures (“TOMS”) document sets out an overview of TrustArc’s privacy, security, governance, and compliance commitments. Specifically, TrustArc maintains robust global privacy and security programs which provide administrative, physical, and technical safeguards that are designed to protect Customer Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction, as well as maintain compliance with applicable laws and regulations, including data protection and privacy laws. Such measures include:

  • Encryption of Customer Data:
    • In-Transit Transport Layer Security (TLS) v1.2.
    • At-Rest Advanced Encryption Standard (AES) 256-bit.
  • Data Centers 1: United States, Canada, Germany and Ireland hosting locations using world-class cloud hosting providers to support availability, redundancy and stability requirements.
  • Physical Security: Suitable physical security and environmental controls are in place and are designed to protect, control, and restrict physical access for systems and servers that maintain Customer Data to support uptime, performance, and scalability commitments.
  • Compliance Audits: SOC 2 Type II.
  • Access Controls: Access controls are implemented and designed to prevent and/or mitigate the potential threat of unauthorized application access and/or data loss.
  • Data Segregation: TrustArc employs a multi-tenant architecture and logically separates Customer accounts at the database level.
  • Penetration Testing: In addition to internal assessments and testing, TrustArc engages a third-party to annually conduct comprehensive penetration testing of applicable systems.
  • Perimeter Defense and Intrusion Detection: Perimeter protection tools, techniques and services are in place and designed to prevent unauthorized network traffic from entering TrustArc’s product infrastructure. TrustArc network features externally facing firewalls and internal network segmentation. 
  • Data Deletion, Export, and Return: TrustArc Customers may request Customer Data return or deletion at any time, which will generally be fulfilled within thirty (30) days of Customer’s request.
  • Legal/Regulatory Compliance: TrustArc maintains a comprehensive data protection program with processes, procedures, and policies in place, designed to ensure Customer Data is handled in accordance with applicable privacy laws, including the GDPR, CCPA/CPRA, and LGPD.

1 Hosting locations may vary (i.e., depending on TrustArc product), consult the Sub-Processor Disclosure found at https://trustarc.com/subprocessors.


 

Contents

Click on the section title to go to the relevant TOMS section.

 

Introduction

TrustArc Inc (“TrustArc”) is a leader in data privacy compliance and risk management solutions, through its combination of leading software-as-a-service (or “SaaS”) offerings, technology, managed services, and assurance services that together are designed to enable clients to thoughtfully and comprehensively manage all phases of their privacy program management lifecycle. TrustArc is committed to ensuring that the Solutions (as defined in the TrustArc Subscription and Services Agreement) it provides to its Customers are secure and adhere to appropriate industry standards. This Technical and Organizational Measures (or “TOMS”) overview details the security and privacy controls that are implemented by TrustArc across the TrustArc Platform (as used herein, TrustArc Platform shall mean all TrustArc SaaS Solutions).

Encryption

TrustArc takes comprehensive and industry-standard measures that are designed to ensure that Customer Data (as defined in the TrustArc Subscription and Services Agreement), cannot be read, copied, modified, or removed without authorization during electronic transmission [via Transport Layer Security (“TLS”) at v1.2 or higher] or storage [via Advanced Encryption Standard (“AES”) 256-bit]. All Customer Data is protected with comprehensive security measures in place in order to ensure that Customer Data is only accessible to authorized parties. The TrustArc Platform sits behind a set of fully secured web applications which use TLS encryption certificates. These encryption certificates are maintained and secured by TrustArc’s DevOps Team. Additionally, the TrustArc Platform is hosted on Amazon Web Services (“AWS”) and all AWS production Relational Database Services (“RDS”) databases use AWS encryption key services, in conjunction with AWS’ Hardware Security Module (“HMS”) service, to protect data while at rest. HMSs are computing devices that process cryptographic operations and provide secure storage for cryptographic keys. Access to database encryption key management is restricted to a limited subset of need-to-know highly credentialed staff on a role-based access level with suitable access controls.

Data Centers

TrustArc uses AWS’ cloud hosting solutions to provide hosting operations to support technology infrastructure for the TrustArc Platform. You can learn more about AWS’ comprehensive security safeguards at https://aws.amazon.com/security/. TrustArc specifically uses AWS data centers in the United States, Canada, Germany, and Ireland. As hosting locations may vary, depending on the specific subscribed-to TrustArc Solution, consult the Sub-Processor Disclosure found at https://trustarc.com/subprocessors

AWS provides TrustArc with the traditional services of a world-class leading hosting provider: data network connectivity, electrical power, environmental controls, and a secured facility, along with operational services to monitor and manage the equipment on an ongoing basis. AWS has further implemented the following key control activities:

  • Employee User Access
  • Logical Security
  • Secure Data Handling
  • Physical Security and Environmental Protection
  • Change Management
  • Data Integrity, Availability and Redundancy
  • Incident Handling

 

Workplace

TrustArc enlists the following measures, as applicable, to ensure that its workplaces are secure: 

  • Entrances to buildings are controlled by security personnel at the lobby level. 
  • Doors to offices are controlled by biometric systems.
  • Buildings are equipped with security cameras to record activities in certain areas including the front entrances, elevators, and lobbies. 
  • Use of local building codes (e.g., fire codes) are observed. Manufacturer’s recommendations on fire protection of hardware is followed.
  • Telecommuting workers are required to follow all corporate, security, confidentiality, HR, and/or code of conduct policies that are applicable to other employees/contractors.
  • Access to any production servers which contain Customer Data is highly restricted to those who, based on their role and function, have a need-to-know, on a role-basis, under suitable access controls and following the principle of least privilege.

 

Compliance Audits

TrustArc’s information security management system is annually assessed, using a qualified external third-party auditor, in accordance with the American Institute of Certified Public Accountants (“AICPA”) Service Organization Control (SOC) 2 Type II controls and standards.

Application Security

Web application security assessments are performed for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies in use at TrustArc. All web application security assessments are performed by designated DevOps personnel and/or QA Engineers either employed or contracted by TrustArc. All security issues that are discovered during assessments are categorized and predicated on the criticality of the risk, commensurate with documented policies on risk management, and severity, prioritized for remediation where such remediation is determined necessary. The risk levels are based on the Open Worldwide Application Security Project (“OWASP”) Risk Rating Methodology. Remediation validation testing is then performed to validate, fix, and/or mitigate any relevant discovered issues of medium risk level or greater where such issues are viewed, based on industry standard approaches, to pose risk and such risk cannot otherwise be mitigated. 

The following security assessment levels/types are used, as required and applicable: 

  • Full – A full assessment consists of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide. A full assessment will use manual penetration testing techniques to validate discovered vulnerabilities to determine the overall risk of any and all discovered. 
  • Quick – A quick assessment will consist of a (typically) automated scan of an application for the OWASP Top Ten web application security risks at a minimum. 
  • Targeted – A targeted assessment is performed to verify vulnerability remediation changes or new application functionality. 

 

Logging, Monitoring, and Alerting

TrustArc maintains policies and procedures around logging, monitoring, and alerting, which establishes principles and controls implemented to enhance TrustArc’s capability to promptly detect suspicious activity and respond to it in a timely manner.

Intrusion Detection and Response

All application servers hosted in AWS have intrusion detection systems (“IDS”) installed. A lightweight host-based IDS client is installed on all servers and is used to detect access and changes at the system level. The IDS client performs log analysis, integrity checking, registry monitoring, rootkit detection, time-based alerting, and active response. When a change or access to the system is detected, an event will be triggered and sent to the IDS server which will emit notification to the DevOps team for assessment. Server logs are stored and retained in the IDS server for ninety (90) days. 

Threat Management

TrustArc appoints a number of executive leadership members who are responsible for coordinating the company’s risk analysis and identifying appropriate persons within the organization to assist with the risk analysis. This risk analysis is a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of assets held by TrustArc. It is designed to reassess the security risks to its assets and evaluate the effectiveness of its security measures and safeguards as necessary in light of changes to business practice and technological advancements. Risk analysis meetings occur on a semi-annual basis. These meetings are in addition to routine and ongoing assessment, planning, and response to actual, perceived, or possible risks as identified by the organization and its respective responsible groups (e.g., Privacy, Security, DevOps, Engineering). 

Access Controls

Access control procedures are in place in order to ensure that only authorized persons are able to access relevant information and to protect against possible data loss, deletion, or corruption risk. Information resources are protected by the use of access control systems. Access control systems include both internal (e.g., passwords, encryption, access control lists, constrained user interfaces, etc.) and external (e.g., port protection devices, firewalls, host-based authentication) systems. Rules for access to resources (including internal and external networks) have been established by the information/application owner or manager responsible for the resources.

Data Segregation

TrustArc leverages a multi-tenant architecture, logically separated at the database level, based on the Customer’s account. Parties must be authenticated to gain access to an account.TrustArc has implemented controls designed to prevent a Customer or User from seeing the data of other Customers or their Users.

Perimeter Defense and Intrusion Detection

TrustArc uses perimeter protection tools, techniques and services to protect against unauthorized network traffic entering TrustArc infrastructure. These include, but are not limited to:

  • Intrusion detection systems that monitor systems, services, networks and applications for unauthorized access.
  • Critical system and configuration file monitoring.
  • Application-layer DDoS prevention services that proxy TrustArc traffic.
  • AWS security groups on TrustArc web servers that filter inbound and outbound connections, including internal connections between TrustArc systems.
  • Internal network segmentation.

 

Security Operations and Incident Management

While TrustArc believes that security and privacy are each employee’s responsibility at the organization, it has established a Confidentiality/Security Team (“CST”) made up of key personnel whose responsibility it is to identify areas of concern within the company and act as the first line of defense in enhancing the appropriate security posture. The CST continuously evaluates, identifies, and takes actions to prevent and/or mitigate potential security issues, threats, or issues. As part of its duties, the CST also helps foster a “security-first” culture, working with the Legal and Privacy Teams (who similarly foster a “privacy-first” culture), to identify key areas that should be addressed for employee annual training and reviews and updates applicable security policies, as necessary.

An incident response plan is in place for the purpose of responding to potential privacy and security incidents. An Incident Response Team (“IRT”) is responsible for detecting and responding to security events as reported by any employee and developing incident response procedures, in conjunction with the Legal and Privacy Team, including a documented Incident Response Plan (“IRP”) that includes communication processes and standard operating procedures. The IRP details how employees report suspected security incidents and the escalation procedures to follow when appropriate.

Disaster Recovery Plan

In the event of an unforeseen disaster or emergency, TrustArc has the capability and plans in place to quickly restore or recover any loss of company mission-critical data and/or systems necessary to make mission critical data available in a timely manner caused by fire, vandalism, terrorism, system failure, or other emergency; and to continue operations during such time information systems are unavailable. 

Data Deletion, Export, and Return

At any time, Customers may request the return (in a machine-readable format) or deletion of their Customer Data. Requests shall be processed within thirty (30) days of receipt, however, in the unlikely event that more time is needed to process a request, notice will be provided as soon as possible of any anticipated delayed and revised completion deadline.

Organizational Controls

TrustArc maintains a comprehensive set of security policies and procedures that are routinely reviewed and updated as necessary to support TrustrArc’s security objectives, changes in applicable law, industry standards, compliance efforts and client obligations. Changes to TrustArc systems are assessed, tested, and approved before implementation to reduce the risk of disruption to TrustArc Solutions.

 

Training

 

TrustArc’s privacy and security awareness program involves training employees about the importance of handling Customer Data, Personal Information (as defined in the Data Processing Addendum (“DPA”)) and confidential information ethically, responsibly, in compliance with applicable law, and with due care. All workforce members shall receive appropriate training concerning the company’s applicable privacy and security policies and procedures. Such training shall be provided prior to onboarding and on an ongoing annual basis for all employees.

 

Legal and Regulatory Compliance Program

TrustArc’s legal and regulatory compliance programs are designed to, on ongoing and continuous-based, meet applicable law, committed-to legal frameworks, client commitments, and industry standards. These programs are routinely evaluated for risks based on changes to laws, to the business, and to the Solutions, but no less than semi-annually in order to adapt, revise, and/or adjust to continue to meet the Company’s ongoing commitments and obligations. TrustArc evaluates all business processes involving Customer Data, inclusive of any maintained Personal Information, against privacy and data protection laws, such as the General Data Protection Regulation (“GDPR”), CCPA, and LGPD.

 

Privacy Program

 

TrustArc maintains a comprehensive privacy program designed to meet current and evolving applicable data protection and privacy laws around the world through the implementation and maintenance of internal and external policies, controls, standards, and addenda that govern the company’s practices. The Company’s program involves coordination and engagement from all functions within the company, including, but not limited to, Security, Compliance, Legal, the Knowledge Team, Product, Engineering, and Marketing. TrustArc’s program addresses numerous laws, regulations, frameworks, and requirements, including but not limited to:

 

  • GDPR


    The General Data Protection Regulation (“GDPR”) is a European Union (“EU”) law regarding data protection and privacy for individuals within the EU. TrustArc maintains a comprehensive GDPR compliance program and to the extent TrustArc engages in processing of personal data subject to the GDPR on behalf of its customers, it does so in accordance with the applicable requirements of the GDPR.

 

  • CCPA


    The California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively referred to as “CCPA”) grants Californians additional rights and protections regarding how businesses may use their Customer Data. TrustArc maintains a comprehensive compliance program and to the extent TrustArc engages in processing of personal data subject to the CCPA on behalf of its customers, it does so in accordance with the applicable requirements of the CCPA.

 

  • LGPD


    The Brazilian Data Protection Law (“LGPD”) regulates the processing of personal data in Brazil and/or of individuals located in Brazil at the time of collection. TrustArc maintains a comprehensive compliance program and to the extent TrustArc engages in processing of personal data subject to the LGPD on behalf of its customers, it does so in accordance with the applicable requirements of the LGPD.

     

These compliance efforts and others are also referenced in TrustArc’s DPA. For more information please see TrustArc’s DPA.

 

Data Processing Addendum

 

TrustArc offers a global DPA that is designed to aid its clients in meeting their requirements under applicable data protection laws, including but not limited to the GDPR, CCPA/CPRA, and LGPD, and includes applicable data transfer mechanisms including the 2021 revised Standard Contractual Clauses (also known as “EU Model Clauses” or “SCCs”) designed to permit lawful transfer of Customer Data under GDPR. For more information about our DPA, which is incorporated by reference into our SSA, see here.

 

Transfer Frameworks

 

TrustArc supports international data transfers under the following:

  • The Standard Contractual Clauses (“SCCs”), sometimes referred to as EU Model Clauses, are incorporated in TrustArc’s DPA to enable lawful transfer of Customer Data out of the European Economic Area (“EEA”) in compliance with the GDPR.
  • For residents of the United Kingdom, TrustArc complies with its obligations under the UK Addendum, also incorporated in our DPA.
  • For residents of Switzerland, TrustArc complies with its obligations under the Swiss Federal Act on Data Protection of 19 June 1992, also incorporated into our DPA.
  • TrustArc participates in the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. Data Privacy Framework (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), having self-certified to the U.S. Department of Commerce our adherence to the Data Privacy Framework Principles. For more information about our participation, please refer to our TrustArc’s Privacy Policy.

 

More Information 

More Information about TrustArc’s privacy and security program can be found at the Legal Center located here, and the Trust Center located here. Should you have any questions about TrustArc’s privacy and security program that is not answered by these TOMS, the Legal Center, or the Trust Center, you may contact the Privacy Team at: [email protected].

 

Last updated May, 2024

 
Back to Top