You have arrived here from a SOC 3 SM/TM certified site. The applicable SOC 3 Seal of Assurance (the ďSealĒ) symbolizes that this site has been examined by an independent accountant. Further, the Seal represents the practitionerís report (see below) on management's assertion(s) that the entity's business being relied upon is in conformity with the applicable Trust Services Principle(s) and Criteria.Trust services principles represent attributes of a reliable system that help support the achievement of managementís objectives. For each of the principles there are detailed criteria that serve as benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter. The attributes of suitable criteria are as follows:
- Objectivity. Criteria should be free from bias.
Measurability. Criteria should permit reasonably consistent measurements, qualitative or quantitative, of subject matter.
Completeness. Criteria should be sufficiently complete so that those relevant factors that would alter a conclusion about subject matter are not omitted.
Relevance. Criteria should be relevant to the subject matter.
By demonstrating compliance with Trust Services criteria through an examination by an independent practitioner, entities earn the right to display the Seal.
The entity has earned the right to display the Seal with respect to the Trust Service Principle(s) of:
The security principle refers to the protection of the system resources through logical and physical access control measures in order to support the achievement of managementís commitments and requirements related to security, availability, processing integrity, and confidentiality. Controls over the security of a system prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or unauthorized removal of data or system resources, misuse of software, and improper access to, or use of, alteration, destruction, or disclosure of information.
The availability principle refers to the accessibility of the system, products, or services as committed by contract, service-level agreement, or other agreements. This principle does not, in itself, set a minimum acceptable performance level for system availability. The availability principle does not address system functionality (the specific functions a system performs) and system usability (the ability of users to apply system functions to the performance of specific tasks or problems), but does address whether the system includes controls to support system accessibility for operation, monitoring, and maintenance.
The processing integrity principle refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether the system achieves its aim or the purpose for which it exists, and whether it performs its intended function in an unimpaired manner, free from unauthorized or inadvertent manipulation. Processing integrity does not automatically imply that the information received and stored by the system is complete, valid, accurate, current, and authorized. The risk that data contains errors introduced prior to its input in the system often cannot be addressed by system controls and detecting such errors is not usually the responsibility of the entity. Similarly, users outside the boundary of the system may be responsible for initiating processing. If such actions are not taken, the data may become invalid, inaccurate, or otherwise inappropriate.
The confidentiality principle addresses the systemís ability to protect information designated as confidential in accordance with the organizationís commitments and requirements through its final disposition and removal from the system. Information is confidential if the custodian of the information, either by law or regulation, commitment, or other agreement, is obligated to limit its access, use, and retention, and restrict its disclosure to a specified set of persons or organizations (including those that may otherwise have authorized access within the boundaries of the system). The need for information to be confidential may arise for many different reasons. For example, the information is proprietary information, information intended only for company personnel, personal information, or merely embarrassing information. Confidentiality is distinguished from privacy in that (i) privacy deals with personal information whereas, confidentiality refers to a broader range of information that is not restricted to personal information; and (ii) privacy addresses requirement for the treatment, processing, and handling of personal information.