The Evolve IP Compliance CloudTM
In addition to SSAE- 16 SOC II compliance, Evolve IP has been rigorously audited and achieved standing compliance for retail & finance (PCI) and healthcare (HIPAA). The company also features one of the broadest sets of cloud service provider certifications in the nation including: VMware, Cisco, EMC, Microsoft, Citrix, and Polycom.
In addition to cloud security, Evolve IP enables IT departments to minimize the risk, complexity and ultimately cost of managing corporate data, especially around email. Evolve IP delivers solutions that help organizations protect the security, integrity and availability of information within their businesses.
Learn more about email security, archiving and continuity.
SSAE 16 Service Organization Control II (SOC 2)
Evolve IP has received an SSAE 16 SOC 2 Type II report on our internal controls relating to how we assess and address the potential risks associated with the security, availability, and confidentiality of not only the cloud-based services that we provide, but also our physical and logical infrastructure. Evolve IP utilizes the Certified Public Accounting firm of Grant Thornton to perform its annual audit and attestation in accordance with the Statements on Standards for Attestation Engagements No. 16 and the associated Trust Services Principles, as published by the AICPA, to evaluate the effectiveness of Evolve IP’s service organizations controls.
Health Insurance Portability & Accountability Act (HIPAA)
The Privacy regulations of the U.S. Health Insurance Portability and Accountability Act (HIPAA) require health care providers, organizations, and their business associates, develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI — paper, oral, and electronic, etc. Those who fail to adhere to HIPAA can suffer from huge fines climbing into the millions of dollars for major violations.
The Compliance Cloud™ fully enables covered entities and their business associates subject to HIPAA regulations to leverage a secure environment to process, maintain, and store protected health Information (PHI) featuring among other controls:
- Military-grade data encryption in transit and at rest
- Password protected access to backups
- Redundant secure data centers
Download a HIPAA-focused cloud brief to learn more about how The Evolve IP Compliance Cloud™ meets, and in many instances exceeds compliance requirements for transmitting, processing, and storing Protected Health Information (PHI).
HITRUST Common Security Framework (CSF)
The HITRUST Common Security Framework (CSF) was developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations. The HITRUST CSF was developed by healthcare and IT professionals to provide an efficient and prescriptive framework for managing the security requirements inherent in HIPAA. HITRUST CSF rationalizes healthcare-relevant regulations and standards into a single overarching security framework. An important part of the “What is HITRUST” answer is understanding that the CSF is risk-based and compliance-based so that organizations can tailor the security control baselines and vendor management programs that they follow based on their specific organization type, size, systems, and regulatory requirements.
Payment Card Industry Data Security Standard (PCI DSS)
Evolve IP has achieved Payment Card Industry (PCI) Data Security Standard (DSS) compliance covering all 12 sections of the PCI DSS. The PCI data security standard is a comprehensive set of standards that require merchants and service providers that store, process, or transmit customer payment card data to adhere to strict information security controls and processes. It was created by the founding brands of the PCI Security Standards Council, which includes American Express, Discover Financial, JCB International, MasterCard Worldwide, and Visa Inc.
With its validation Evolve IP met the following PCI DSS compliance goals:
- Built and Maintains a Secure Network
- Protects cardholder data
- Maintains a Vulnerability Management Program
- Implements Strong Access Control Measures
- Regularly Monitors and Tests Networks
- Maintains an Information Security Policy
Evolve IP’s PCI DSS validation includes physical security, operational controls, and related policies. The assessment was performed by an accredited Qualified Security Assessor (QSA) firm that provides assurance and compliance services to global companies. The scope of the assessment included the applicable requirements of version 3.1 of the PCI Data Security Standard for validation of “Level 1” service providers. An Attestation of Compliance (AOC) was issued to reflect Evolve IP’s full compliance with the PCI Data Security Standard. This report is available to customers upon request.
Download a PCI-focused cloud brief to learn how our customers have the ability to create their own cardholder data environment (CDE) that can store, transmit or process cardholder data using The Evolve IP Compliance Cloud™.
CSA STAR – Participating Member
Evolve IP is also a registered and participating member of the CSA Security, Trust & Assurance Registry (STAR). The CSA was formed to encourage transparency of security practices within cloud providers. It is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. CSA STAR is open to all cloud providers, and allows them to submit assessment reports that document compliance to CSA published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.
MiFID 2 – Markets in Financial Instruments Directive
Markets in Financial Instruments Directive 2 Compliancy affects anyone who offers any investment service. MiFID 2 will be effective from the 3rd of January 2018. With MiFID 2 affecting many users and the cost of call recording for traditional PBX systems traditionally having a high-cost entry point, call recording with a cloud platform is an ideal mix. The customer can benefit from the investment and ongoing improvements that tvf bring to the cloud call recording service.
How we can help you become compliant. Now with 5 Years storage as standard, and cost-effective expansion to 7 years anyone who is required to conform to the MiFID 2 standard is easily able to take tvf’s call recording solution. Customers often ask about compliance and if the platform is ‘compliant’. Our platform doesn’t need to be compliant, as it’s the customer’s processes that must deliver the compliance, using our technology we support and help them to become compliant.
To aid this, we focus on the security of the recordings:
- Fully Encrypted Recordings
- Valid and authenticated user access via SSL
- Full Audit Trail
- Authentication Rules and Lockout Methodology
General Data Protection Regulation (GDPR/AVG)
On May 25th, 2018, organizations will be obliged to comply with the European Union General Data Protection Regulation (GDPR/AVG). This privacy legislation will apply throughout the European Union, replacing all individual privacy laws of the various countries. The idea of “free flow of data within the EU” offers great opportunities for our customers and for Evolve IP as a provider of cloud services. The introduction of the GDPR also means that the privacy rights of EU citizens are strengthened and that the responsibility of companies which process personal data, increases.
As a Processor of data, including personal data, Evolve IP must guarantee that our customers can meet the GDPR requirements while utilizing our services. That is why Evolve IP started preparations for the new privacy legislation mid 2017. We have completed our plan and can now say: GDPR, Evolve IP is ready for it!
Three roles are distinguished within the GDPR, namely the Data Subject, the Data Controller and the Data Processor. As a supplier, Evolve IP fulfills the role of Data Processor for our customers; Evolve IP’s customers fulfill the role of the Data Controller. Based on our responsibility as a Processor, Evolve IP guarantees to take all measures to ensure that our customers are compliant for the services outsourced to Evolve IP.g their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.
What steps did we take?
- A GAP-analysis was carried out with the aim of mapping the actions for GDPR-compliance. The starting point for this are our information security and privacy policies which have been in place for our SOC2, PCI and HITRUST compliance programs.
- From the start we have been working on raising privacy awareness among our associates. For this we have extended our existing awareness program with privacy components, such as a mandatory online GDPR training with knowledge test.
- We have created a Data Processing Inventory in which we have recorded for all services, on which systems they are processed and/or stored and whether this is done at Evolve IP or at third parties.
- We have created a Template Processor Agreement for our Customers
- For suppliers who may have access to our data, we have had a Template Sub Processing Agreement drawn up. In addition, Standard Contractual Clauses (SCCs) have been concluded between Evolve IP US and Evolve IP EU. Evolve IP US achieved an EU Privacy Shield registration in 2017, which provides a basis for transfer data outside of the EU.
- The controls of our Security and Compliance Policies have been extended with privacy items from the GDPR.
- Our procedure for reporting Data Breaches has been improved to help our clients meet the reporting and communication requirements of their Data Processing Authority (DPA).
- Security by Design and Privacy by Default were already an integral part of our Security and Compliance Program; the new privacy legislation was a great reason for us to review and adjust these principles.
- The standard retention periods for the data have been examined, and where necessary, these have been tightened.
- Evolve IP’s systems and applications have been made suitable and tested for executing GDPR-requests.
- Our goal is that our customers can view/change/anonymize their data on our systems themselves, through our self-service portals.
Within Evolve IP, our Security and Compliance team is responsible for compliance with the new privacy legislation. They are supported in this by external legal advisers. In addition, knowledge and expertise in the field of information security is shared with privacy specialists, both within Evolve IP US and Evolve IP EU.
Evolve IP is ready for the new European privacy legislation. Our customers can continue to safely avail of our services.
Evolve IP associates are dedicated to learning and growing their knowledge. Today on our staff you’ll find associates that hold multiple certifications for the following:
- Cisco SMB
- Cisco SMB Engineer
- MS 365
- Windows 7
- VMware VSP5
- VMware VTSP
- VOP CP
Industry and Other Vendor Certifications
- Six Sigma
- Red Hat
Evolve IP Secure Data Sovereignty and Security Management Practices
From its inception, Evolve IP recognized that security management and data integrity were not just important features and nice to haves, they are critical requirements demanded by enterprise customers and those subject to formal compliance regulations.