At Zasio, we take information security seriously. Keeping your data secure is our highest priority and we are committed to protecting customer data across all of our services. Zasio has demonstrated its commitment to information security through our SOC 2, Type 2 attestation report, which we provide to our customers and prospects on a confidential basis. Our SOC 2 attestation is based on the American Institute of Certified Public Accountants (“AICPA”) Trust Services Criteria, and is provided by a third-party auditor. While the report is dedicated to our SaaS solutions, the majority of the described processes and controls apply throughout our organization. A SOC 2 report is one of the most widely accepted auditing standards in the industry for a service company to demonstrate that its business processes, information technology, and risk management controls are properly designed. To request a copy of Zasio’s most recent SOC 2, Type 2 report, please contact your account team member or contact us through this website.


Comprehensive Information Security Management System
To help ensure that Zasio’s information security practices remain at the leading edge of our industry, Zasio has implemented and maintains a comprehensive written Information Security Management System (ISMS) to manage and protect Zasio’s business information, as well as the data and information entrusted to us by our customers. All security and privacy related policies and procedures within our ISMS are (i) documented, (ii) approved by executive management, (iii) communicated to all Zasio personnel, and (iv) reviewed and updated at least annually.
Vulnerability Testing
Zasio undergoes annual penetration testing of our information systems infrastructure by a qualified third party. Additionally, a qualified third party performs monthly web application scans in connection with our SaaS offerings.


Network Security
Zasio maintains industry standard technologies and controls to protect network security, including firewalls, intrusion prevention, monitoring, network segmentation, and VPN and wireless security. Zasio reviews its network designs and controls at least annually. Zasio additionally utilizes a dedicated firewall/proxy appliance with an enhanced security subscription to help ensure that all communications attempting to cross our network boundary comply with our documented security policy. Several layers of protection are enabled within this firewall for maximum security. Zasio further utilizes an industry-standard malware protection strategy designed to effectively and efficiently prevent network virus and other malware outbreaks, as well as prevent network security attacks.
Software Secure Development and Lifecycle
Zasio maintains a documented software secure development lifecycle policy to help ensure security by design within the development lifecycle for applications and information systems.


Restricting Information Access
Zasio maintains a written program for limiting information access and utilizes the principle of least privilege to manage access to information processing systems, networks, and facilities. All Zasio personnel are also bound by contractual obligations with Zasio to protect customer data.
Infrastructure Security
Zasio uses Rackspace and Microsoft Azure as our third-party hosting facility providers in connection with our SaaS offerings. These providers are responsible for protecting the infrastructure used to provide Zasio’s cloud-based services. Zasio further protects our cloud infrastructure using the following security mechanisms:
• For our SaaS offerings, Zasio maintains separate hosted databases for each customer, with permissions that only allow user access to the one database with which that customer is associated.
• Zasio also maintains separate internal production and test database servers to protect against unauthorized access to customer data.


Data Backup and Recovery
Zasio maintains a formal backup and recovery plan to guard against loss and to establish recovery time (RTO) and recovery point (RPO) objectives in the event of any unplanned system outage.
• Hosting Facility Backups. Each database and dedicated server in Zasio’s hosting facilities is backed up daily, with each backup being stored for at least two weeks (and up to four weeks, depending on customer configuration). Backups are stored in the same physical site as the hosted system for the first two weeks, followed by an additional two weeks of offsite storage in a separate, secure facility.
• Internal Backups. Zasio’s on-premises major systems (including Active Directory catalogs, email servers, document stores, production databases, and application servers running critical business functions) are fully backed up on a weekly basis, with backup media rotated offsite to a secure location. Incremental backups of active document repositories are captured every two hours.
Zasio tests both internal and hosted backup and recovery systems at least annually.
Business Continuity and Disaster Recovery
Zasio maintains a formal BC/DR plan to help ensure that our systems and services remain resilient in the event of any extended service outages. Zasio conducts a disaster recovery test utilizing this plan (including testing of the backup restoration process) at least annually.


Information Security Incident Response Planning
Zasio maintains a formal information security incident response plan which shall be activated in the event of any Information Security Incident or related event. Zasio maintains a record of any information security breach with a breach description, the time period, consequences of the breach, identity of the reporter, and the procedure for recovering data.
Encryption
Zasio utilizes strong encryption of customer data both in transit and at rest. All internet traffic is secured using TLS 1.2 (minimum), AES-256, with a 2048-bit signed certificate. The databases for our hosted applications are encrypted at rest using AES-256.


Security Training
Zasio conducts annual security awareness training for all personnel, and provides security awareness updates at least quarterly.
Third Party Management
Zasio maintains a third-party management policy to help ensure that information shared with, accessible to, or managed by third parties is properly protected. This policy establishes standards for how Zasio must select third-party IT vendors, evaluate vendor information security practices and risks, and monitor these risks.
