Security and Trust at ZenCentiv
Data protection at the core of our every action
Protecting your source and commission data is paramount to us. We integrate a security-first strategy into every aspect of our product development, internal protocols, and infrastructure design.
Our adherence to global standards, such as SOC 2 Type I compliance, along with features like role-based access and meticulous audit logging, reinforces our unwavering commitment to security and trust at ZenCentiv.
Count on us to safeguard your data, empowering you to focus on optimizing your incentive compensation program with peace of mind.
Security: Account security, Encryption, Data breach security
Reliability: Disaster Recovery, Regular Pen Testing, Availability
Trust: Secure product access, Stringent privacy policy
Here are a few methods we use to safeguard your data.
Procedural
We maintain a documented information privacy, security and risk management program with clearly defined roles, responsibilities, policies, and procedures. Our program is founded on information security management industry standards such as SOC 2 Type 1 and SOC 2 Type 2 (the latter in progress).
We regularly review and update our security program to reflect changes in technology, regulations, laws, risk, industry and security practices, and other business needs.
Organizational
Security Organization and Management
We prioritize security and accountability in our operations. Our robust security management structure is meticulously crafted to:
- streamline information security processes,
- provide clear points of contact for addressing security concerns,
- continually assess the efficacy of our security measures,
- uphold rigorous security standards.
We’ve designated an Information Security Officer who works closely with business managers, users, IT personnel, and other stakeholders to ensure everyone fulfills their information security obligations.
Personnel
Role and Responsibilities
We uphold stringent measures to ensure the integrity and confidentiality of all information processing activities. We have established precise roles and responsibilities encompassing the management and oversight of operational systems, administration and maintenance of communication networks, and the development of innovative systems. Notably, we maintain a clear separation of roles and access rights between computer operators, system administrators, and network/systems development staff. Furthermore, we have implemented robust procedures to:
- Vigilantly supervise information processing activities.
- Mitigate the potential risks associated with unauthorized or erroneous actions.
- Conduct thorough screening procedures for individuals applying for security-sensitive positions.
Training
We prioritize role-based security and cultivate a culture of security awareness. It is mandatory for all active employees and contractors to undergo comprehensive security awareness training. Additionally, employees holding specific roles receive enhanced data security training to ensure they possess the necessary skills and knowledge to safeguard sensitive information effectively.
Network Communications and Systems Management
Firewalls
We implement industry-standard firewall technologies and employ procedures to effectively manage firewall rules and their alterations, ensuring robust access control mechanisms. Additionally, we strictly segregate informational resources utilized for production from those allocated for systems development or acceptance testing, bolstering security and minimizing potential risks.
Antivirus/Antimalware Management
We utilize the latest software and protocols to detect and prevent the spread of viruses and malicious code within our internal computing environments, specifically tailored to support the development and delivery of our hosted applications.
Encryption
We rely on industry-standard encrypted transport protocols, with Transport Layer Security (TLS) v1.2 as the minimum permitted version, to secure data while in transit across untrusted networks. Additionally, we employ Advanced Encryption Standard (AES) 256-bit encryption, or an equivalent algorithm, to encrypt data at rest, ensuring robust protection of sensitive information.
Vulnerability and Penetration Testing
We maintain comprehensive monitoring systems for applications, databases, networks, and resources to swiftly identify vulnerabilities and safeguard our applications. Before release, our solutions undergo thorough internal vulnerability testing to ensure optimal security measures are in place.
Annually, we enlist third-party security specialists to conduct vulnerability and penetration testing on our systems, ensuring robust defenses against potential threats. Additionally, our internet-facing systems undergo regular vulnerability scans to proactively identify and address any security weaknesses.
Business Continuity and Disaster Recovery
To mitigate the risk of business disruption, our solutions are engineered to eliminate single points of failure. We maintain formal documentation of recovery processes, which can be activated in case of a significant business disruption affecting both our corporate IT infrastructure and customer data processing infrastructure. Regular testing, conducted at least annually, ensures the effectiveness and reliability of these recovery processes.
In addition to disaster recovery measures, we implement redundant configurations in our solutions to minimize service interruptions in the event of a single data center disaster. Continuous monitoring allows us to detect and address any signs of failure or impending failure, enabling preemptive action to minimize or prevent downtime effectively.
Software Development Lifecycle
We adhere to industry-standard software development lifecycle processes and controls to govern the development of our software, encompassing updates, upgrades, and patches. Our rigorous process incorporates secure software development practices and thorough application security analysis and testing to ensure the integrity and resilience of our solutions.
Security Architecture
We’ve established and implemented a comprehensive security architecture to safeguard our information resources effectively. This architecture encompasses a set of meticulously defined security mechanisms and standards to ensure:
- Adequate protection for various information resources, each requiring different levels of security.
- Secure transmission of information within and across technical environments.
- Efficient and authorized access for users to information resources across different technical environments.
- Prompt revocation of access privileges for individual users upon their departure or job change.
Furthermore, we maintain an up-to-date inventory of critical information assets and associated applications. We conduct thorough information security risk assessments whenever there are significant changes in our business or technology practices that could impact the privacy, confidentiality, security, integrity, or availability of data. This ensures proactive mitigation of potential risks and reinforces our commitment to maintaining a secure environment for our stakeholders.