ClearPoint SOC 2 Type II Certification

ClearPoint has met and maintains the stringent security requirements set forth by the AICPA and CICA for Service Organization Control (SOC) 2 Type II certification.

Written by Dylan Miyake

With corporate data breaches being a concern for businesses of all sizes, making sure that your technology partners are dedicated to protecting your data is an essential element in your overall data security.

SOC 2 Type II Certification

The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) created a series of data security standards and an auditing process for reviewing and assessing a company’s physical and procedural processes.

For cloud software companies such as ClearPoint, the relevant AICPA/CICA standard is known as SOC 2, Type II.

ClearPoint has met and maintains the stringent security requirements set forth by the AICPA and CICA for Service Organization Control (SOC) 2, Type II certification.

This certification demonstrates that a third-party accounting and auditing firm has reviewed and examined ClearPoint’s control objectives and activities and tested those controls to ensure that they are operating effectively.

Software developed by a SOC 2 certified organization must be developed following audited processes and controls – code is developed, reviewed, tested, and released following the AICPA Trust Services Principles.

As part of the assessment, we hosted independent inspectors, provided them with documentation of controls, and allowed our systems to be sampled and tested.

By working with a SOC 2 certified vendor like ClearPoint, you know your data is kept secure through the implementation of standardized controls as defined in the AICPA Trust Service Principles framework (as mentioned above).

We are deeply committed to the security of our customers' data and are happy to answer any questions you may have about our SOC 2 certification or data security processes overall.

Security Practices

Production Environment

ClearPoint employs a cloud deployment model for its software-as-a-service (“SaaS”) solution. All software maintenance and configuration activities are conducted by ClearPoint employees. ClearPoint employs industry standard practices for security controls such as firewalls, intrusion detection, and change management.

Scalability

ClearPoint's distributed architecture for data collection and processing allows it to scale horizontally as the number of clients and volume of traffic increase. ClearPoint uses multiple monitoring processes and tools to continuously track network resources, operating systems, applications and capacity. Systems are scaled up when predetermined capacity thresholds are reached.

Risk Management

ClearPoint has practices in place as part of its business continuity planning to assist management in identifying and managing risks that could affect the organization’s ability to provide reliable services to its clients (as further described in Section 12 below). These practices are used to identify significant risks for the organization, initiate the identification and/or implementation of appropriate risk mitigation measures, and assist management in monitoring risk and remediation activities.

Policies

ClearPoint maintains, and annually updates, a general written Information Security Policy, which details employees’ responsibilities toward confidentiality of client data and acceptable use of resources. All staff must review and acknowledge the policy.

Segregation of Duties

Only authorized personnel can administer systems or perform security management and operational functions. Authorization for and implementation of changes are segregated responsibilities wherever appropriate to the organization. Access to client data is restricted to legitimate business use only.

Employee Screening

ClearPoint employees are required to undergo background checks and provide specific documents verifying identity at the time of employment.

Terms of Employment

General information security responsibilities are documented in ClearPoint’s Information Security Policy, which all employees must sign as part of their onboarding.

Training

General information security training is provided to all new employees (both full time and temporary) as part of their onboarding. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding. Additional security training is also provided to employees who handle client data.

Termination of Employment

ClearPoint manages a formal termination process, which includes removal of any potential access to ClearPoint and related data. The exit interview reminds ex-employees of their remaining employment restrictions and contractual obligations.

Documentation and Change Management

All critical and repeatable processes and security checks in the ClearPoint production environment are either documented in procedures or implemented as automation scripts. ClearPoint maintains and follows formal change management processes. All changes to the production environment (network, systems, platform, application, configuration, including physical changes such as equipment moves) are tracked and documented. All relevant business owners, such as Support, Engineering, DevOps, and Security, are represented at regular change management meetings.

Environments

Both scheduled and emergency changes are tested in separate environments, then reviewed and approved by Engineering and Technical Support before deployment to the production environment. Testing, other than deployment validation, is prohibited in the production environment.

Backup

ClearPoint stores all client data in fully redundant databases. Daily and intraday data is backed up on a scheduled basis, encrypted using the Advanced Encryption Standard (AES) algorithm with 256-bit keys (AES-256), and stored in a geographically separated location.

Logging and Monitoring

ClearPoint uses an industry standard enterprise application management solution to monitor systems 24×7, trigger alerts based on event logs, and facilitate alerting, trend analysis, and risk assessment.

Encryption

Any customer data in the ClearPoint application is encrypted in transit over public networks using Transport Layer Security encryption (TLS / HTTPS). The data provided by ClearPoint's clients within the ClearPoint application is stored using industry-standard AES-256 encryption at rest.

Development and Support Process

ClearPoint follows an agile development methodology in which products are deployed on an iterative, rapid release cycle. Security and security testing are implemented throughout the entire software development methodology. Quality Assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities.

Incident Process

ClearPoint has developed a robust Security Incident Response Process (“SIRP”) to address events in an efficient and timely manner. The SIRP framework describes how the team is deployed, documents the criteria for incident severity, defines the investigation and diagnosis workflow, details documentation and reporting requirements, and establishes contact information.

Security incidents are escalated from the initial responders to the relevant Account Manager for client notification. All confirmed critical issues are remediated immediately. Issues of lesser severity are evaluated for resolution as part of the standard development process.

Business Continuity and Disaster Recovery

Business continuity planning (BCP) and disaster recovery (DR) activities prioritize critical functions supporting the delivery of ClearPoint's SaaS Solutions to its clients. The development and scope of BCP and DR in each business function reflects the criticality of each function and/or facility in order to maximize the effectiveness of these efforts.

Redundancy

ClearPoint's SaaS Solutions architecture utilizes redundancy through the entire infrastructure, from load balancers, storage units and processing engines, to power and telecommunication providers. Data is always written to two separate locations when stored.
