Our Information Security policies are in place to protect customers, employees, and NameCoach. Inappropriate use exposes NameCoach and our customers to risks including virus attacks, compromise of network systems and services, and legal and compliance issues. The controls in place to protect our users’ Personally Identifiable Information (PII) meet the requirements of the American Institute of CPAs (AICPA) SOC 2 framework.
NameCoach determines the type and level of access granted to individual users based on the “principle of least privilege.” Under this principle, users are granted only the level of access strictly required to perform their job functions, as dictated by NameCoach’s business and security requirements. NameCoach’s primary method of assigning and maintaining consistent access controls and access rights shall be through the implementation of Role-Based Access Control (RBAC). Wherever feasible, rights and restrictions shall be allocated to groups rather than to individuals. Individual user accounts may be granted additional permissions as needed with approval from the system owner or another authorized party. All privileged access to production systems requires Multi-Factor Authentication (MFA).
We want to ensure we are prepared to offer our services despite any disruption. To that end, a disaster recovery test, including a test of the backup restoration process, is performed annually. A snapshot of data is taken daily and stored so that a restoration can use the most recent data possible. In the event of a major disruption to production services or a disaster affecting the availability and/or security of NameCoach, managers and executive staff will determine mitigation actions. Continuity of information security is considered alongside operational continuity.
Once an issue has been identified, executive staff and management must be notified of any event affecting business continuity. Managers are responsible for communicating with their direct reports and providing any assistance staff need to continue working from alternative locations. The CEO and CFO are responsible for all external communications regarding any disaster or business continuity actions relevant to customers and third parties. Individual customers should work with their assigned Customer Success Manager for additional information.
All changes must be approved and compliant with our policies. Emergency changes may be authorized through informal channels and are then documented in our formal change management process after the fact.
NameCoach classifies data and information systems according to legal requirements, sensitivity, and business criticality so that information receives the appropriate level of protection. Our staff does not access any organization’s sensitive data, such as Personal Health Information (PHI) or financial data. Because we do process PII, we have controls in place to protect that data in accordance with the SOC 2 guidelines.
For all service providers who may access NameCoach Confidential data, systems, or networks, proper due diligence is performed before access is provisioned or any processing activity begins. Records are maintained of which regulatory or certification requirements are managed by or affected by each service provider, and which are managed by NameCoach. Applicable regulatory or certification requirements may include ISO 27001, SOC 2, PCI-DSS, CCPA, GDPR, or other frameworks and regulations.
Third parties must maintain an information security policy, a risk assessment program, an operations security policy, and related controls. Our third-party contractors are required to provide proper security documentation demonstrating that they apply the level of security controls needed to protect our data.
System and Organization Controls 2 (SOC 2) is a framework developed by the American Institute of CPAs (AICPA) to help software vendors and other companies demonstrate the security controls they use to protect customer data in the cloud. These controls are called the Trust Services Principles and cover security, availability, processing integrity, confidentiality, and privacy. Outside auditors assess whether a company meets SOC 2 requirements and can issue one or both of the following types of reports:
NameCoach currently has both SOC 2 Type I and II certifications.
Contact [email protected] to request our SOC 2 reports.