Compliance & Security
Updated July 9, 2024
Table of Contents
Compliance, Security & Certifications
SOC 2 Type I & II Reports
SOC 2 Type I and Type II reports are designed to evaluate a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy. Each report serves a distinct purpose:
- SOC 2 Type I: This report evaluates the design and implementation of the organization's controls at a specific point in time. It provides a snapshot of the initial setup and design of these control mechanisms, ensuring they are suitably designed and implemented as of the assessment date.
- SOC 2 Type II: This report assesses the effectiveness of the organization's controls over an extended period. It provides a more comprehensive evaluation, demonstrating that the controls are not only in place but are also functioning effectively over time.
Together, SOC 2 Type I and Type II reports are essential tools for understanding both the initial setup and the ongoing effectiveness of a service organization's control mechanisms.
SOC 1 Type II
The SOC 1 Type II certification attests that Shape Software has implemented robust internal controls and processes to ensure security and availability. This certification demonstrates our commitment to mitigating risks and safeguarding our clients' data, ensuring it remains highly secure.
HIPAA
HIPAA compliance involves adhering to standards set by the Health Insurance Portability and Accountability Act to protect sensitive patient health information. This includes implementing safeguards for PHI, conducting risk assessments, establishing policies, training employees, and monitoring for compliance.
PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that regulates how private sector organizations handle personal information in commercial activities, ensuring individuals' privacy rights are protected. It mandates consent for data collection, accountability for data protection, transparency in data practices, and allows individuals to access and correct their personal information.
PHIPA
PHIPA, considered the Canadian equivalent of HIPAA, mandates that healthcare providers in Ontario obtain consent and are responsible for storing and protecting personal health information (PHI). Compliance requires appropriate safeguards, accountability, and allows individuals to access and correct their PHI.
Shape Software Inc. (“Shape” or “Shape Software”) and our affiliates take security very seriously and have developed a comprehensive set of practices, technologies and policies to help ensure your data is secure. This document outlines some of our providers mechanisms and processes we have implemented to help ensure that your data is protected. Our security practices are based on tier of service selected by our customer and are grouped in four different areas: Physical Security; Network Security; People Processes and Redundancy and Business Continuity.
Physical Security
Our providers data-centers are hosted in some of the most secure facilities available.
- 24x7x365 Security – The data centers that host your data are guarded seven days a week, 24 hours a day, each and every day of the year by private security guards.
- Video Monitoring – Each data center is monitored 7x24x365 with night vision cameras.
- Controlled Entrance – Access to the data centers is tightly restricted to a small group of pre-authorized personnel.
- Biometric Authentication – Two forms of authentication, including a biometric one, must be used together at the same time to enter a data center.
- Undisclosed Locations – Servers are located inside generic-looking, undisclosed locations that make them less likely to be a target of an attack.
Network Security
The security team and infrastructure helps protect your data against the most sophisticated electronic attacks. The following is a subset of our network security practices.
- SSL Certification – The communication between your computer and providers servers is encrypted. What this means is that even if the information traveling between your computer and our servers were to be intercepted, it would be nearly impossible for anyone to make any sense out of it.
- IDS/IPS – Provider network is gated and screened by highly powerful and certified Intrusion Detection / Intrusion Prevention Systems.
- Control and Audit – All accesses are controlled and also audited.
- Virus Scanning – Servers are scanned for viruses using top of the line up to date virus scan protocols.
Staff Processes
Providers data center infrastructure is not just technology, but a disciplined approach to processes. This includes policies about escalation, management, knowledge sharing, risk, as well as the day to day operations.
- Access Employees – Only employees with the highest clearance have access to the data center data. Employee access is logged and passwords are strictly regulated. Providers limit access to customer data to only a select few of these employees who need such access to provide support and troubleshooting.
- Audits – Audits are regularly performed and improvements made based on those findings.
- As-Needed Basis – Accessing data center information as well as customer data is done on an as-needed only basis, and only when approved by management.
Redundancy
The process is designed to protect your data and security even in times of system failures.
- Power Redundancy – Providers configure its servers for power redundancy – from power supply to power delivery.
- Internet Redundancy – Provider is connected to the world –and you- through multiple Tier-1 ISPs. So if any one fails or experiences a delay, you can still reliably get to your applications and information.
- Network Devices – Provider runs on redundant network devices (switches, routers, security gateways) to avoid any single point of failure at any level on the internal network.
- Cooling and Temperature – Intense computing resources generate a lot of heat, and thus need to be cooled to guarantee a smooth operation. Provider servers are backed by temperature control systems.
- Fire Prevention – The Providers data centers are guarded by industry-standard fire prevention and control systems.
- Data Protection & Back-up – User data is backed-up periodically across multiple servers, helping protect the data in the event of hardware failure or disaster.
Legal Notice for Canadian Clients
If you are a Canadian client and require your servers to be hosted within Canada, please inform your sales representative at the time of sign-up. By default, our sign-up process does not automatically place you on a Canadian server unless specifically requested. Please note that fulfilling this request may extend the time required to set up your system.
Client Information Requests
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), clients have the right to request access to their personal information. To ensure compliance and protect your privacy, we require the following:
- Identity Verification – We will verify your identity to prevent unauthorized access to your information.
- Access Provision – You will receive a clear and understandable copy of the personal information we hold about you.
- Usage Explanation – We will explain how your personal information has been used and disclosed.
- Correction Option – You can request corrections if any inaccuracies are found in your personal information.
- Timely Response – We will respond to your request within a reasonable timeframe, typically within 30 days, and inform you of any applicable fees for retrieving your information.
To request access to your personal information, please use the form provided below. Your privacy and the security of your data are our top priorities.
Submit a Request
"*" indicates required fields
