Information Security

We take information security seriously. Keeping your data secure is our highest priority and we are committed to protecting customer data across all our services.

At Zasio, we take information security seriously. Keeping your data secure is our highest priority and we are committed to protecting customer data across all of our services. Zasio has demonstrated its commitment to information security through our SOC 2, Type 2 attestation report, which we provide to our customers and prospects on a confidential basis. Our SOC 2 attestation is based on the American Institute of Certified Public Accountants (“AICPA”) Trusted Service Criteria, and is provided by a third party auditor.

While dedicated to our SaaS solutions, the majority of the described processes and controls apply throughout our organization. A SOC 2 report is one of the most industry-accepted auditing standards for a service company to demonstrate that its business processes, information technology, and risk management controls are properly designed. To request a copy of Zasio’s most recent SOC 2, Type 2 report, please contact your account executive or by filling out this form.

Zasio has demonstrated its commitment to information security through our SOC 2, Type 2 attestation report, which we provide to our customers and prospects on a confidential basis. Our SOC 2 attestation is based on the American Institute of Certified Public Accountants (“AICPA”) Trusted Service Criteria and is provided by a third-party auditor.

While dedicated to our SaaS solutions, the majority of the described processes and controls apply throughout our organization. A SOC 2 report is one of the most industry-accepted auditing standards for a service company to demonstrate that its business processes, information technology, and risk management controls are properly designed. To request a copy of Zasio’s most recent SOC 2, Type 2 report, please fill out this form.

Data-Security-Web-Page-Content_Third-Party-Management-1-1-768x768

Comprehensive ISMS

To help ensure our information security practices remain at the leading edge of our industry, Zasio has implemented and maintains a comprehensive written Information Security Management System (ISMS) to manage and protect Zasio’s business information, as well as the data and information entrusted to us by our customers. All security and privacy-related policies and procedures within our ISMS are documented, approved by executive management, communicated to all Zasio personnel, and reviewed and updated at least annually.

Data-Security-Web-Page-Content_Encryption-1-768x768

Network Security

Zasio maintains industry-standard technologies and controls to protect network security, including firewalls, intrusion prevention, monitoring, network segmentation, and VPN and wireless security.

We review our network designs and controls at least annually. We utilize a dedicated firewall/proxy appliance with an enhanced security subscription to help ensure that all communications attempting to cross our network boundary comply with our documented security policy. Several layers of protection are enabled within this firewall for maximum security. Zasio further utilizes an industry-standard malware protection strategy designed to effectively and efficiently prevent network viruses and other malware outbreaks, as well as prevent network security attacks.

Vulnerability Testing

We undergo annual penetration testing of our information systems infrastructure by a qualified third party. Additionally, Zasio has web application scans in connection with our SaaS offerings performed monthly by a qualified third party.

Data-Security-Web-Page-Content_Information-Security-Incident-Response-Planning-1-1-768x768

Software Secure Development and Lifecycle

We maintain a software secure development lifecycle policy to ensure security by design within the development lifecycle for applications and information systems.

Data Backup and Recovery

Zasio maintains a formal backup and recovery plan to guard against loss and to establish recovery time (RTO) and recovery point (RPO) objectives in the event of any unplanned system outage.

• Hosting Facility Backups. Each database and dedicated server in Zasio’s hosting facilities is backed up daily, with each backup being stored for at least two weeks (and up to four weeks, depending on customer configuration). Backups are stored in the same physical site as the hosted system for the first two weeks, followed by an additional two weeks of offsite storage in a separate, secure facility.

• Internal Backups. Zasio’s on-premises major systems (including Active Directory catalogs, email servers, document stores, production databases, and application servers running critical business functions) are fully backed up on a weekly basis, with backup media rotated offsite to a secure location. Incremental backups of active document repositories are captured every two hours.

Zasio tests both internal and hosted backup and recovery systems at least annually.

Infrastructure Security

We use Microsoft Azure as our third-party hosting facility provider in connection with our SaaS offerings. These providers are responsible for protecting the infrastructure used to provide our cloud-based services. Zasio further protects our cloud infrastructure using the following security mechanisms:

• For our SaaS offerings, Zasio maintains separate hosted databases for each customer, with permissions that only allow user access for the one database to which that customer is associated.
• Zasio also maintains separate internal production and test database servers to protect against unauthorized access to customer data.

Data-Security-Web-Page-Content_Comprehensive-Information-Security-Management-System-1-1-768x768

Information Security Incident Response Planning

We maintain a formal information security incident response plan which shall be activated in the event of any Information Security Incident or related event. Zasio maintains a record of any information security breach with a breach description, the time period, the consequences of the breach, the identity of the reporter, and the procedure for recovering data.

Data-Security-Web-Page-Content_Restricting-Information-Access-1-1-768x768

Encryption

Zasio utilizes strong encryption of customer data both in transit and at rest. All internet traffic is secured using TLS 1.2 (minimum), AES 256, with a 2048 bit signed certificate. The databases for our hosted applications are encrypted at rest using AES 256.

Data-Security-Web-Page-Content_Technical-and-Organization-Measures-1-1-768x768

Security Training

We conduct annual security awareness training for all personnel and provide security awareness updates at least quarterly.

Third Party Management

Zasio maintains a third-party management policy to help ensure information shared with, accessible to, or managed by third parties is properly protected. This policy establishes standards for how we select third-party IT vendors, evaluate vendor information security practices and risks, and monitor these risks.

Live, Interactive TrustShare

Zasio maintains an up-to-date, interactive site called TrustShare that details our security posture, including policies, procedures, SOC reports, and security framework mappings. Click here to access the site (requires non-disclosure acknowledgment).

ZConnect

Stay up-to-date with Zasio



News and events



Product releases and updates



Conference and event announcements

Legal

Privacy Notice
Terms of use
Acceptable Use Policy
Cookie Notice
Code of Conduct
Site Map

Corporate Office

401 W. Front St.
Suite 305
Boise, ID 83702

(800) 513-1000

connect@zasio.com

A pioneer in information governance, we continue to expand our technology and consulting services to help businesses of all sizes maintain the highest records management and retention standards.