TCC takes data protection and individual privacy rights very seriously. We are committed to securing our customers’ data and complying with all applicable data and privacy protection laws.
The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) create consistent data protection rules. At TCC, we ensure that our services comply with the GDPR, the CCPA, and any emerging privacy laws.
TCC is committed to confidentiality, integrity, and availability.
- Confidentiality: Our commitment to data security remains the single consolidated principle that maps out the ways we use, process and protect the confidentiality of personal data.
- Integrity: We pride ourselves on providing consistent, accurate, and trustworthy data throughout the entire lifecycle of the data.
- Availability: We rigorously maintain all hardware, software and networking infrastructure to ensure industry-leading uptime and availability. We also regularly test and validate our business continuity/disaster recovery plans.
When TCC provides services to our partners as a data processor on their behalf, we ensure that we comply with the GDPR, the CCPA, and any emerging privacy laws.
TCC develops and maintains a comprehensive information security & privacy program. This program includes an extensive set of formal policies and procedures that conform to best-practice policies for handling confidential data. TCC Executive Management regularly meets to review and approve these policies.
Security Framework Compliance
In addition to the data protection laws, TCC works to comply with several industry-recognized cybersecurity frameworks. These include:
- PCI-DSS 3.2.1
- ISO/IEC 27001, 27002, 27005, 27017, and 27018
- NIST SP 800-53r5
- CIS Critical Security Controls
- NYDFS Cybersecurity Regulation (23 NYCRR 500)
Standards, Regulations & Certifications
TCC shares information, best practices and access to documentation to help its customers with compliance and reporting. Our products regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards. TCC is constantly working to expand our coverage.
ISO/IEC 27001:2013 is an international standard. It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the organization’s context. It also includes requirements for the assessment and treatment of information security risks tailored to the organization’s needs. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to apply to all organizations, regardless of type, size, or nature. TCC has engaged with Coalfire ISO to achieve the ISO/IEC 27001:2013 certification.
SOC 2 Type II (controls over security, availability, processing integrity and confidentiality)
SOC 2 is a report based on AICPA’s existing Trust Services principles and criteria. The purpose of the SOC 2 report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, and confidentiality or privacy. TCC undergoes a regular third-party audit to certify individual products against this standard.
SOC 1 SSAE 18/ISAE 3402 Type II
The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) created the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) to keep pace with globally recognized international accounting standards. SSAE 18 aligns closely with the International Standard on Assurance Engagements 3402 (ISAE 3402). SSAE 18 and ISAE 3402 are used to generate a report by an objective third party attesting to a set of statements which an organization asserts about its controls. The System and Organization Controls (SOC) framework is the method by which the control of financial information is measured. TCC undergoes a regular third-party audit to certify individual products against this standard.
STAR Continuous Level I
TCC continually documents the security controls we provide in the Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) Program. This program encompasses key principles of transparency, rigorous auditing, and harmonization of standards. Companies that participate in STAR document their best practices and validate the security posture of their cloud offerings. The STAR registry documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry allows cloud customers to assess their providers in order to make the best procurement decisions. You can find our latest Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 in the CSA registry at: https://cloudsecurityalliance.org/star/registry/tcc/
- TCC only stores confidential data in data centers that maintain independent third-party SOC examination reports certifying that key compliance controls and objectives have been achieved and are operating effectively.
- TCC requires its data center vendor partners to maintain strong physical security controls, such as key cards, biometric authentication, security patrols and closed-circuit video, supported by 24×7 monitoring to ensure that building access is limited to authorized personnel only. No electronic confidential data is stored outside the data centers.
- All power distribution units are redundant and include back-up generators.
- Environmental controls include early smoke and heat detection, fire detection, and monitoring of air temperature, humidity and water pressure, all managed by automatic control systems.
- The TCC platform and services run on our dedicated cluster of web and database servers.
- TCC builds these servers according to CIS benchmarks and templates. We test and apply critical OS and application security patches as they are released.
- Our web environment uses widely accepted best practices for data security including segmentation, audit logging and input validation.
- Our Secure FTP (SFTP over SSH) process uses an employer login and password, PGP-encrypted files and IP address filtering for authentication. The SFTP server is configured to accept inbound files only from white-listed IP addresses, and it automatically locks out connection attempts (by IP address) after a predetermined number of invalid login attempts.
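As an added example (not TCC's own tooling), the following Python check reads SSH server authentication log lines and tests them against the two controls described above: a per-IP lockout after a set number of failed logins, and an IP allow-list that every accepted login must come from. The log lines, IP addresses, user names and threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of OpenSSH-style authentication log lines (not real logs).
SAMPLE_LOG = """\
sshd[2110]: Accepted password for acme_upload from 203.0.113.10 port 51022 ssh2
sshd[2111]: Failed password for acme_upload from 198.51.100.7 port 40011 ssh2
sshd[2112]: Failed password for acme_upload from 198.51.100.7 port 40012 ssh2
sshd[2113]: Failed password for invalid user admin from 198.51.100.7 port 40013 ssh2
sshd[2114]: Accepted password for acme_upload from 198.51.100.7 port 40014 ssh2
sshd[2115]: Failed password for acme_upload from 203.0.113.10 port 51023 ssh2
sshd[2116]: Accepted publickey for acme_upload from 192.0.2.44 port 60000 ssh2
"""

# Hypothetical allow-list of partner source addresses (constructed).
ALLOWED_IPS = {"203.0.113.10", "192.0.2.44"}
LOCKOUT_THRESHOLD = 3  # the "predetermined number" of invalid attempts

LINE_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def analyze(log_text, allowed_ips=ALLOWED_IPS, threshold=LOCKOUT_THRESHOLD):
    """Return (locked_out_ips, unexpected_sources).

    locked_out_ips: source IPs that reached `threshold` failed logins and
        should therefore be blocked by the lockout rule.
    unexpected_sources: IPs outside the allow-list that were nevertheless
        accepted; any entry here means the IP filter is not being enforced.
    """
    failures = Counter()
    accepted_from = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication result line
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failures[ip] += 1
        else:
            accepted_from.add(ip)
    locked = {ip for ip, n in failures.items() if n >= threshold}
    unexpected = accepted_from - set(allowed_ips)
    return locked, unexpected
```

On the sample, 198.51.100.7 both crosses the lockout threshold and appears as an accepted source outside the allow-list, which is exactly the condition a periodic control check should flag.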
Backup and Uptime
- TCC utilizes fully resilient systems and continuous data backups to minimize downtime and data loss in the event of a hardware or communications failure or the destruction of a data center.
- We maintain industry-leading service-level agreements (SLAs) with our vendors to ensure network availability and a one-hour hardware replacement guarantee.
Firewalls and Automated Defense
- TCC utilizes next-generation firewalls (NGFW), filtering all traffic to the necessary ports and restricting all others to prevent unauthorized traffic. The NGFW performs real-time virus prevention, intrusion prevention, and website blocking and filtering to limit exposure to external threats.
- We leverage an advanced web application firewall (WAF) service for intrusion detection and prevention. Its detection technology scans all incoming traffic to our data centers and blocks threats in real time before they can reach our servers.
- We utilize a geolocation service to block traffic from known “bad-actor” countries.
- We have a globally distributed content delivery network system that provides real-time fail over and protects against large scale distributed denial of service attacks (DDOS).
- TCC also leverages advanced network protection and intrusion detection, protecting against internal and external threats. Our security operations are monitored 24×7 by GIAC-certified analysts and security experts.
- TCC runs next-generation antivirus (NGAV) on our perimeter network security controls.
- We run centrally managed NGAV software on all workstations and continually update it to prevent malware infections.
- TCC scans all incoming and outgoing email through multiple filtering mechanisms to prevent malware, spam, and phishing.
Security Audits and Compliance
- PCI DSS compliance and self-attestation documentation is available for review.
- We periodically perform external penetration tests and security scans with independent security firms. Executive Management reviews the results of these scans and the associated remediations.
- TCC uses an independent security firm to perform an application source-code security review. Executive Management reviews any findings and the associated remediation.
- Technical support monitors for network, firewall and server problems 24×7, including comprehensive event logging, log management, log review and log retention.
- TCC encrypts all information at rest in the database in compliance with our data encryption policy. Encryption is performed at the field level. This process also ensures that all data is encrypted in transit to and from the database and that no cleartext data is recorded in the database transaction logs. Even individuals with privileged access to the database cannot read sensitive information.
- We encrypt all web application traffic with TLS (HTTPS). Weak protocols (like SSL) and ciphers (like RC4) have been disabled at the server level.
- All TCC workstations utilize full drive encryption with a hardware key.
- TCC uses a HIPAA compliant fax service to receive all inbound faxes as encrypted and password-secured PDF files.
- Sensitive employee data is never stored on workstations.
- Full SSNs are never displayed in completed reports.
- All our Customer Support Representatives (CSRs) adhere to a clean desk policy; all documentation is kept in a locked storage system.
Additional Steps We Take to Protect Data
The TCC services are constantly monitored to ensure the highest degree of confidence concerning the security of confidential data.
- TCC does not resell, distribute, disclose or overlay any of the data retained outside of the intended business use of our services.
- We utilize an advanced credentialing process to ensure that access to reports is restricted to authenticated users and businesses.
- We require clients to provide specific employer information and acknowledge permissible purpose when submitting each request.
- TCC’s datacenter, development and customer support functions are all US-based. There is no storage or processing of data at offshore locations.
- Passwords adhere to industry standards, are managed by the user, and cannot be viewed or provided by TCC’s CSRs.
- We impose automatic application session timeouts after a predetermined period of inactivity.
- Administrative and support offices are protected by a security system monitored 24×7 by a professional monitoring station that is UL listed, FM approved, and IQ certified.
If requested, we will provide more specific details on any aspect of our security infrastructure, including completing a client’s or prospect’s security questionnaire and providing copies of audit and security assessment documentation. We also maintain an up-to-date completed Consensus Assessments Initiative Questionnaire (CAIQ) to facilitate our clients’ vendor risk assessments.