Trust Center
Overview
Welcome to Collective Data’s Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.
Compliance
Risk Profile
- Third Party Dependence = Yes
- Hosting = Azure Public Cloud and Azure Government Cloud
Product Security
Collective Data has an extensive product logging mechanism. Additionally, audit logging is enabled for all customer support applications, web end-user applications, technical operations applications, and staging and production management infrastructure.
A full list of Collective Data’s integrations can be found here: https://collectivedata.com/software-integrations/
Customers can choose whether to use their existing SSO provider (including its multi-factor authentication capabilities) or to use passwords managed by Collective Data. Collective Data users are required to use multi-factor authentication when accessing the production environment.
Formal role-based access controls limit access to systems and system components, and these controls are enforced by the access control system. Collective Data also adheres to the principle of least privilege.
Collective Data can support OAuth 2.0-based SSO through Microsoft Entra ID, on-premises Active Directory, Okta and other providers. Contact support to check whether your SSO provider is supported.
Data Security
Access to customer data is strictly logged and monitored.
- Collective Data maintains a contemporaneous backup that can be recovered immediately at any point in time, except during a disaster.
- Backups run daily, with a full backup taken every week. We do not use tapes.
- We archive data and back it up incrementally to ensure that data remains usable and readily available.
- Backups are retained for 12 months by default. If you require longer or shorter backup retention based on local, state or federal law, please advise our support team.
Data at rest is encrypted with AES-256.
All data transmitted between Collective Data and Collective Data users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS).
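HSTS is only as strong as the header the server actually sends: a browser ignores a Strict-Transport-Security header that lacks a valid max-age, a short max-age lets the pin expire soon after the last visit, and without includeSubDomains and preload the policy covers neither subdomains nor the very first connection. The following checker is an added example for verifying such a header, not code from Collective Data; the response headers it inspects are constructed for illustration and the one-year threshold is the minimum the browser preload list requires.

```python
"""Check a Strict-Transport-Security (RFC 6797) response header for the
properties a client needs before it will pin a host to HTTPS.

Added example; the sample headers below are constructed, not captured.
"""

import re

# The browser preload list requires max-age of at least one year; shorter
# values still enable HSTS but expire sooner after the last visit.
ONE_YEAR = 31536000


def parse_hsts(header_value):
    """Parse an HSTS header value into its directives.

    Directive names are case-insensitive; max-age is required by the RFC and
    is left as None here when it is missing or malformed.
    """
    result = {"max-age": None, "includeSubDomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                result["max-age"] = int(value)
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_hsts(headers):
    """Return a list of findings for a dict of HTTPS response headers.

    An empty list means HSTS is present and strong enough to preload.
    Header names are matched case-insensitively.
    """
    hsts = None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            hsts = value
    if hsts is None:
        return ["no Strict-Transport-Security header: HSTS is not enabled"]

    policy = parse_hsts(hsts)
    findings = []
    if policy["max-age"] is None:
        findings.append("max-age missing or malformed: browsers ignore the header")
    elif policy["max-age"] == 0:
        findings.append("max-age=0 clears the host from HSTS state")
    elif policy["max-age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max-age']} is below one year")
    if not policy["includeSubDomains"]:
        findings.append("includeSubDomains missing: subdomains are not protected")
    if not policy["preload"]:
        findings.append("preload missing: host cannot be submitted to the preload list")
    return findings


# Constructed sample responses (hypothetical, not from Collective Data).
SAMPLES = {
    "strong": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    },
    "short": {"strict-transport-security": "max-age=300"},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, check_hsts(hdrs) or ["ok"])
```

Run it against a live site by feeding `check_hsts` the headers of an HTTPS response (HSTS is only honored when received over a valid TLS connection, so a header seen on a plain HTTP response proves nothing). A host that is not on the preload list is still exposed on the first visit, which is why the checker treats the missing preload directive as a finding rather than a note.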
- The Collective Data production infrastructure is hosted in Cloud Service Provider (CSP) environments.
- Physical and environmental security controls for Collective Data production servers, including buildings and the locks or keys used on doors, are managed by these CSPs.
- “Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff.
- Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.”
App Security
As part of application security, code is peer reviewed and statically analyzed before it is committed to production.
Collective Data leverages our CSPs’ KMS-based protections for the protection of secrets.
All Collective Data users are trained commensurate with their roles and responsibilities.
- Collective Data uses a software development lifecycle in line with general Agile principles.
- Security is of paramount importance at Collective Data, and this process has been augmented with mechanisms adapted from the Microsoft Security Development Lifecycle, the OWASP Top 10 and the SANS Top 25.
- Collective Data uses manual source-code review and automated analysis to detect security defects in code prior to production.
- Additionally, Collective Data performs monthly scans of servers and networks, and identified vulnerabilities are tracked and remediated according to Collective Data’s Vulnerability Management procedures.
- Collective Data also performs monthly application vulnerability scans of critical environments, in addition to static code analysis to ensure the security and integrity of Collective Data’s environments and products.
- All identified vulnerabilities are assigned to an owner, and remediated according to Collective Data’s Vulnerability Management procedures.
Data Privacy
For Collective Data’s Cookie Policy, please see: <LINK>
Collective Data’s Privacy Policy is available here
Access Control
- Collective Data technical operations employees have incidental remote access to the raw service data storage.
- Support employees access a support application similar in structure to the Collective Data end user web application.
- All other employees are prohibited from accessing any client sensitive information.
- Access to client data is strictly logged.
- Logs are managed centrally and securely stored; support personnel other than Administrators have read-only access.
- Multi-factor authentication is required to access Collective Data’s production environment. Where multi-factor authentication is not possible, Collective Data enforces the following password standards:
- A minimum length of 8 characters
- At least one lowercase letter
- At least one number
- At least one non-alphanumeric character
Infrastructure
Current and historical uptime figures, along with corresponding incident and resolution notes can be viewed here
Collective Data uses Azure Public Cloud or Azure Government Cloud for its cloud infrastructure services. If you are unsure of what version your application is stored in, please reach out to our support team.
- Access to the production environment is dependent on functional role using a role-based access control model.
- Approved staff with access to the production infrastructure require Security Group assignment in the Cloud Service Provider, a dedicated VPN tunnel, and a multi-factor authenticated SSH connection.
- Collective Data performs quarterly account recertification to ensure access is approved and only granted where necessary.
Systems and network devices utilize a common time synchronization service.
Collective Data maintains a staging environment for testing, separate from its production environment.
Endpoint Security
All Collective Data employee laptops use full-disk encryption.
Anti-malware controls are in place to protect workstations and servers. The engines supporting these anti-malware tools are updated continuously.
Collective Data uses an MDM solution for all company-owned systems and mobile devices.
Network Security
Collective Data’s firewall rules are set to deny all by default.
Artificial Intelligence
Corporate Security
- Collective Data performs virtual asset management. Access to asset inventory lists is actively monitored through a dedicated asset management application.
- All physical assets in the production environment are strictly controlled and monitored by dedicated Collective Data staff and the Cloud Service Providers.
- Email security controls are provided via Proofpoint Email Security.
- All email should be sent over HTTPS/TLS. Users are required to verify that the connection is secure when browsing sensitive material.
All Collective Data personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles; all employees are encouraged to participate in helping secure our customer data and company assets. Security training materials are developed for individual roles to ensure employees are equipped to handle the specific security oriented challenges of their roles.
- Policies and standards have been developed, approved and supported by Senior Management. Policies are reviewed at least annually.
- As permitted by Applicable Law, Collective Data engages a third-party to conduct background verifications for all Collective Data personnel with access to Customer Personal Data.
- Collective Data conducts extensive background checks on all full-time employees.
- All Collective Data employees sign confidentiality agreements as part of the standard employment agreement.
- Organization values and behavioral standards are communicated to all personnel through policy statements and formal codes of conduct in the employee handbook that is made available upon hire. Employees attest to having acknowledged these policies.
- All Collective Data personnel undergo annual security and privacy awareness training that weaves security into technical and non-technical roles; all employees are encouraged to participate in helping secure our customer data and company assets. In addition, all new hires receive new-hire-focused information security awareness training.
- Any employee found in breach of the agreement is subject to disciplinary action up to and including termination.
- Violation of Collective Data’s security policies may result in disciplinary action up to and including termination.
- Upon termination of an employee, whether voluntary or involuntary, the head of Human Resources, Chief Executive Officer, Chief Operations Officer, or Chief Technology Officer shall promptly notify the Collective Data Operations Team in writing to remove access.
- Access is removed for all employees at time of termination or within 24 hours.
- At Collective Data, when an incident is identified, a security incident ticket is created with the details of the event, including date and time the incident occurred, the nature of the incident, and how the incident impacts customers.
- The creation of that case triggers the notification of appropriate security team members. These team members immediately initiate an investigation to assess the scope and impact of the situation, and to determine the actions necessary for mitigation.
- Collective Data maintains internal audit functions within the Security organization. Collective Data has a designated Security organization with functional units devoted to Security Engineering, Corporate Security and Governance, Risk & Compliance (GRC).
- The Security Engineering team performs technical internal audits of the infrastructure that supports the service, as well as code, open source, and dependency audits. The GRC team performs risk assessments and other internal audits as mandated by industry best practices and regulatory requirements.
Annual penetration testing via a third party is carried out.
- Collective Data has a dedicated 24×7 incident response function with on-call employees to address critical incidents and service outages.
- If the incident is determined to be related to security, the appropriate security team members are included in the response procedures.
Policies & Procedures
Our detailed Policies and Procedures for the items below can be found here.
- Acceptable Use
- Access Control
- Data Management Policy
- Encryption
- Information Security Policy
- Physical Security Policy
- Monitoring Policy
- Incident Response Procedures
- Risk Management
- Change Management
- Security Awareness and Training
- Third Party Management
- Vulnerability Management
- Business Continuity / Disaster Recovery
- HIPAA Data Protection Statement