Security - Frequently Asked Questions
Use the following questions and answers to learn more about information security at TrueContext.
How does TrueContext keep my data secure?
TrueContext takes the security of your data very seriously. Your information is encrypted in our systems—at rest and in transit—at all times. Our systems are tightly controlled through comprehensive security policies and multi-layered access control systems. TrueContext's critical systems are secured using an enterprise-grade corporate identity management system, including the use of multi-factor authentication and robust passwords.
We conduct ongoing compliance audits, penetration testing, and automated security scans. We offer 24/7 service operations and employ dedicated incident management teams.
How is my data secured on hosted systems in the cloud?
All customer data is encrypted with the AES-256 cipher in our cloud hosted systems. Data that's in transit between our cloud-hosted systems and client interfaces is encrypted over HTTPS using TLS. This includes client interfaces such as:
- Mobile Apps provided by TrueContext
- Clients using the TrueContext REST API
- Web browsers, when accessing Customer Feedback forms and the TrueContext Web Portal
The TrueContext Web Portal is a web application used to manage security settings, forms, FormSpaces, other users, Data Sources, and Data Destinations.
Is my data also secured on iOS, macOS, Android, and Windows devices?
Yes. Your data is encrypted within the TrueContext Mobile App on macOS, Windows, and Android. The TrueContext Mobile App performs its own encryption within the app. Users don’t require a device-level passcode to ensure encryption.
On iOS, however, a device-level passcode must be enforced to ensure encryption is applied by the iOS system.
Can I access TrueContext via single sign-on (SSO)?
Yes. TrueContext supports SSO for both Mobile App and Web Portal access.
Info: The topic Set up corporate login (Single Sign-On) describes in detail what SSO is and how to set it up for your TrueContext team.
Has TrueContext achieved SOC 2 compliance?
Yes. We have attained SOC 2 Type I and Type II compliance. Use the form at the bottom of this page to request a copy of our SOC 3 report. A detailed report is available under our non-disclosure agreement.
What’s the difference between SOC 2 Type II and other compliance certifications (such as ISO)?
SOC 2 Type II is a comprehensive assessment covering an ongoing period of time. ISO and similar certifications are assessments at a specific point in time. SOC 2 Type II compliance enables us to demonstrate an ongoing commitment to our internal control environment, policies, and procedures.
Is TrueContext HIPAA Security Rule and HITECH Act compliant?
Yes. A certified third party has verified that our controls have been evaluated against the HIPAA Security Rule and HITECH Act.
It is your responsibility to ensure you have an adequate compliance program, internal processes, and that your use of TrueContext services aligns with HIPAA and the HITECH Act. Use of TrueContext contributes to HIPAA compliance, but does not guarantee it.
Info: The topic HIPAA Compliance and Security Features outlines how to comply with HIPAA regulations when you use TrueContext.
Does TrueContext screen employees prior to hiring?
Yes. All prospective TrueContext employees must submit to a detailed background check. The background check includes criminal, education, and past employment verification.
Do TrueContext employees adhere to secure coding guidelines?
Yes. All TrueContext developers are trained on secure coding practices, including OWASP, annually. All code is double-checked using a comprehensive code review process, which enforces secure coding standards before going live.
Does TrueContext sign data processing agreements?
Yes. TrueContext has signed and works with customers to put a mutually agreed data processing agreement in place.
Does TrueContext have 24/7 security incident management capabilities?
Yes. We employ a 24/7 service operations and engineering team that monitors and resolves incidents as they occur. We use industry-leading application performance monitoring and log analysis systems.
Does TrueContext have a disaster recovery strategy?
Yes. Our disaster recovery strategy defines a competitive recovery point objective (RPO) and recovery time objective (RTO). We offer an RPO of 30 minutes, which reflects the current frequency of database snapshots. We offer an RTO of six hours, which reflects the time required to launch services and restore data to the recovery environment.
We test the reliability of our disaster recovery strategy every quarter.
What steps has TrueContext taken to proactively mitigate Distributed Denial of Service (DDoS) attacks and other malicious attacks?
TrueContext uses Amazon Web Services’ Web Application Firewall (WAF) and Shield to minimize the effects of a DDoS attack. Both WAF and Shield allow us to permit or limit traffic through the use of custom security rules. We can also define additional WAF rules to pre-emptively block a wide range of malicious attacks.
Does TrueContext offer any specific technology for customers who provide regulated services, such as those in the medical field?
Yes. TrueContext offers many special capabilities—including, but not limited to:
- Data Passthrough
- Enterprise Mobility Management and Mobile Device Management
- End-to-End Data Encryption
- Single Sign-On
- User Password Policy Management
Does TrueContext offer added security measures for mobile devices?
Yes. In the Form Builder (the tool, accessed from the TrueContext Web Portal, that form designers use to create forms, add and edit pages, sections, and questions, attach data destinations, and configure a form's settings), you can control a mobile user's access to form data. For added security on mobile devices, you can:
- Clear the option for users to save images taken through the TrueContext Mobile App on their devices.
- Clear the option for users to share a summary of form data.
Info: The topic Set Up Form Properties describes mobile app settings in more detail.