Security & Trust 2017-11-16T10:30:54+00:00
TAP

TRUST

Trust us with what is important.
We’re leading the industry in security and compliance.

Secure, Reliable, Compliant.

At ThinkSmart, we know very well how technological innovation and change come with an increasing need for the highest levels of security.

ThinkSmart’s highest priority is the privacy and security of our customers’ information, documents, and data. We’re committed to leading-edge security, so you can focus on your business with confidence. We ensure compliance best practices with regular third-party audits and assessments and maintain up-to-date certifications.

ThinkSmart (TAP) Certifications

We stringently maintain constant third-party oversight and audits to ensure compliance.


HIPAA-HITECH

The ThinkSmart Automation Platform (TAP) has been designed to include provisions that protect the security and privacy of personally identifiable health-related data, also known as protected health information (PHI). TAP increases the reliability, integrity, availability, and authenticity of records and signatures. By using TAP, you will know that your signature processes are backed by ISO27001 security certification and anti-tampering controls.


PCI-DSS 3.1

ThinkSmart’s PCI DSS 3.1 compliance certifies safe and secure handling of credit card holder information. As overseen by the Payment Card Industry Security Standards Council (PCI SSC), ThinkSmart places stringent controls around cardholder data as both a service provider and merchant.


SSAE 16 (SOC)

As an SSAE 16 examined and tested organization, ThinkSmart complies with the reporting requirements stipulated by the American Institute of Certified Public Accountants (AICPA). We undergo yearly audits across all aspects of our enterprise business and production operations, including our datacenters, and have sustained and surpassed all requirements.

TAP Security

Our network architecture has been hardened to the PCI (Payment Card Industry) DSS (Data Security Standard) and beyond as we strive to keep ahead of the latest threats and attacks. ThinkSmart’s security experts work in conjunction with third-party auditors to ensure that environments remain secure, correctly managed and maintained through daily auditing, weekly reporting and quarterly full network reviews.

At ThinkSmart, security is not the responsibility of a single department; the entire organization is involved. Interdepartmental testing, auditing and training all combine to put the ThinkSmart security program at the cutting edge of security standards.

Applications & Access

Formal code reviews and vulnerability mitigation by third parties

Automated code vulnerability scanning in use to ensure secure coding of TAP applications

Application-level 256-bit Advanced Encryption Standard (AES) encryption

Managed Virtual Private Cloud with constant firewall monitoring

Key management and encryption program

Enterprise-grade malware protection

Multiple authentication mechanisms

Policies and Procedures

Employee access to private data is prohibited, with strict penalties applied to any employee who violates this rule

Customers retain ownership of their data

24/7 monitoring, escalation procedures, disaster recovery and crisis recovery plans in place and tested periodically

Security program which reacts to changes in security landscape by altering company policies, procedures and controls to mitigate new risks

All ThinkSmart TAP application users verified by email

Systems and Operations

Physically and logically separate networks

Two-factor, encrypted VPN access

Professional, commercial grade firewalls and border routers to ensure access is only available to those permitted

Distributed Denial of Service (DDoS) mitigation

Protection against Man in the Middle (MITM) attacks, IP spoofing, port scanning, packet sniffing

Active monitoring and alerting

Periodic patching at the OS and third-party application level to harden system security

Systems configured to search for and apply patches according to the latest security threats identified

Data protection through various encryption techniques and network design

PCI-DSS, HIPAA and ISO 27002 based policies and procedures, which are regularly reviewed, audited and assessed by multiple members of the ThinkSmart Security Team

Encryption for all administrative traffic (HTTP, SFTP, SSH)

Employee security training program, clean desk, acceptable use and VPN usage training in place

Repository of certificates of training completion stored in ThinkSmart archives

ThinkSmart development team undergoes annual OWASP training

Role-based access control practiced throughout the ThinkSmart hierarchy

Access granted on a need-to-know basis, with permission requests tracked and reviewed periodically

Systems access logged and tracked for auditing and compliance purposes; database change logging in place for auditing

Secure media destruction procedures in place (according to NIST and DoD standards, followed by shredding by a certified, CCTV-monitored vendor)

Secure document removal and destruction policies for all critical and sensitive information

Fully documented change management procedures in compliance with PCI-DSS standards

Hardware & Infrastructure

Two geo-dispersed data centers, audited and certified to ISO27001, PCI (Payment Card Industry) DSS (Data Security Standard) Level 1 Service Provider, SOC1 and DIACAP Level 2

Near real-time secure data replication and encrypted archival

365x24x7 on-site security

Annual Business Continuity Planning (BCP) & Disaster Recovery (DR) testing

Third-party penetration testing and external data center audits

Data center access restricted on a need-to-access basis

Employees and contractors are required to present identification, sign in and be escorted by security staff

Access reviewed periodically

Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means

Authorized staff utilize multi-factor authentication mechanisms to access data center floors

Environmental controls such as fire detection and suppression systems, air conditioning and humidity monitoring systems, uninterruptible power supply (UPS) units, and generators are in place to protect assets located within the data centers

Fire Detection and Suppression: Automatic fire detection and suppression equipment has been installed to reduce risk

Fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms

These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems

Power: The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and uninterruptible power supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility

Data centers use generators to provide back-up power for the entire facility

Climate and Temperature: Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages

Data centers are conditioned to maintain atmospheric conditions at specified levels; personnel and systems monitor and control temperature and humidity at appropriate levels

Transmission & Storage

Secure, private 256-bit SSL viewing session

Customer-configurable data retention program, providing 99.999999999% durability and 99.99% availability of objects over a given year