This article was originally published on October 20, 2022. It was last updated on May 18, 2023.
If you are evaluating a Workplace Equity Platform, one of your key questions should be whether your data will be secure. Data security is a growing concern: the second quarter of 2022 saw a 32% year-over-year increase in global cyberattacks. While that figure is alarming, organizations can protect themselves by using best-in-class security systems and best practices, together with technologies and certifications that rigorously vet those systems.
Data security is especially important for a workplace equity platform, which must protect highly sensitive data including employee personal information and compensation, and corporate workplace equity status. Just like financial institutions and other organizations safeguarding sensitive data, a workplace equity platform must utilize stringent safety standards.
How do you ensure data security in your workplace equity software?
- Vet your vendors’ plans, certifications, and security record carefully. Ask questions and make sure you’re satisfied with the answers. For more information on what to look for, see the technical and administrative controls described below.
- Evaluate the vendor’s security plans on an ongoing basis — do they provide a Trust Center with complete information, as Syndio does?
- Examine the types of customers using the software and check references. If entities such as American Airlines, General Mills, and Volvo entrust their data to a SaaS system, that indicates a high level of data security.
Are SaaS systems safer than on-premises?
Cloud providers use the most secure and most heavily tested and scrutinized technology available, whereas on-premises systems tend to rely on perimeter security rather than on fundamental application security. SaaS (Software as a Service) systems also provide the resources and personnel for high-level security that many companies don’t have or don’t want to invest in, and they include backup systems in the cloud for assurance in case of an on-premises disaster. SaaS providers have a significant interest in protecting customer data, since their business relies on data security.
As a top-tier SaaS vendor, Syndio provides outstanding security that includes replication, backup, disaster recovery planning, data encryption in transit (TLS 1.2+) and at rest (AES-256+), advanced threat detection, and more — a higher level of security than most companies are able to provide in-house.
Industry audits and certifications
A key level of protection to look for when choosing software is trusted third-party industry audits and certifications, relied on by leading software providers. These include SOC 2 Type II audits, governed by the American Institute of Certified Public Accountants (AICPA), which take 3-13 months to complete, depending on the type of audit, and are valid for a year. Another trusted certification is ISO 27001, developed by the ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission), which takes between 12 and 18 months to complete and is valid for three years, with surveillance audits annually.
Syndio is SOC 2 Type II audited. The report attesting to the independent verification of our compliance with these global standards is available in our Trust Center. Syndio is also currently undergoing certification for ISO 27001; when completed, this report will also be available in the Trust Center.
These audits are designed to test and certify that the solution provider has information security controls, both technical and administrative, in place for managing information security risks, and that those controls are appropriately followed. Below we dive more deeply into the different elements of security controls.
In addition, Syndio has completed the Cloud Security Alliance CAIQv.4.02 security self-assessment for STAR Level One. The Security Trust Assurance and Risk (STAR) registry from the Cloud Security Alliance is a publicly accessible registry and assurance framework that documents the security and privacy controls of cloud providers. It incorporates transparency, meticulous auditing, and adherence to best practices in cloud security and privacy. By publishing on the registry, Syndio gives current and potential customers transparent access to our security and compliance posture, showing which regulations, standards, and frameworks our technology adheres to. Access is available in our Trust Center under “Security Reports.”
SaaS companies put specific technical controls in place that manage access to your data. These include:
Encryption — the basic building block of data security, encryption converts data from a readable format into an encoded format that can be read only after it is decrypted. It is the simplest and most important way to ensure that a computer system’s information can’t be stolen and read by someone who wants to use it for malicious purposes.
At Syndio, all production data at rest is stored on encrypted volumes using encryption keys managed by Syndio. We provide data encryption in transit (TLS 1.2+) and at rest (AES-256+), advanced threat detection, and more. The Syndio data security team also ensures that we’re up to speed on the latest approved technologies and encryption standards that are on the market. Syndio has never experienced a data breach.
Password protection — used to establish and verify identity, and to restrict access to devices, files, and accounts. Unfortunately, stolen login credentials are often used by cyberattackers to deliver malware and access systems. To avoid this problem, security experts recommend password security best practices such as multi-factor authentication (MFA).
Syndio requires multi-factor authentication, supports single sign-on (SSO), and requires strict password security from customers, including specific password composition and length requirements.
Audit trails — allow a software provider to monitor who in the organization is accessing different data and what they did with those records. All audit trails include three pieces of information: a login ID, a summary of system actions, and a time stamp.
Syndio continuously monitors its audit trails, and has engaged a third-party group that also monitors access to the system.
Administrative controls address the human factors in security, often viewed as the weakest link in the process since research indicates human error is involved in 95% of security breaches. These controls generally apply to all levels of an organization and determine which users have access to what resources and information and often include:
Security education training and awareness programs — Most companies now have these types of programs to educate their employees on hacker tactics such as phishing, clickjacking, viruses, trojans, etc., as well as how to avoid falling prey to them.
Syndio has stringent security training and awareness programs, with certification requirements at the end of training on how to protect data, passwords, and access.
A policy of least privilege — This is an information security concept in which users are given the minimum levels of access — or permissions — needed to perform their job functions.
Syndio follows the practice of least privilege diligently; access to data is limited to those platform engineers who require it, and customer success managers as necessary. Access is logged and monitored. Even our CEO doesn’t have access to client data, because she doesn’t need it.
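As an added illustration of the two controls above (example code written for this article, not Syndio's own implementation; the roles, permissions and login IDs are hypothetical), the following Python models a least-privilege access check whose every decision, allowed or denied, is written to an audit trail carrying the three fields named earlier, plus a simple monitoring check over that trail:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role model. Least privilege: each role holds only the
# permissions its job function needs, and the executive role holds none,
# mirroring the "CEO has no access to client data" example in the text.
ROLE_PERMISSIONS = {
    "platform_engineer": {"read_compensation", "read_employee_pii"},
    "customer_success": {"read_compensation"},
    "executive": set(),
}


@dataclass
class AuditEntry:
    """One audit-trail record: login ID, action summary, time stamp."""
    login_id: str
    action: str
    timestamp: datetime
    allowed: bool  # recorded so denied attempts are visible to monitoring


@dataclass
class AccessControl:
    roles: dict                      # login_id -> role name
    audit_trail: list = field(default_factory=list)

    def request(self, login_id: str, action: str, when: datetime = None) -> bool:
        """Decide whether login_id may perform action; log the decision."""
        when = when or datetime.now(timezone.utc)
        role = self.roles.get(login_id)           # unknown login -> no role
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit_trail.append(AuditEntry(login_id, action, when, allowed))
        return allowed


def denied_attempts(trail: list, threshold: int = 3) -> dict:
    """Monitoring: login IDs with at least `threshold` denied actions."""
    counts = {}
    for entry in trail:
        if not entry.allowed:
            counts[entry.login_id] = counts.get(entry.login_id, 0) + 1
    return {login: n for login, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    ac = AccessControl(roles={"eng1": "platform_engineer", "ceo": "executive"})
    ac.request("eng1", "read_compensation")
    for _ in range(3):
        ac.request("ceo", "read_compensation")
    print(denied_attempts(ac.audit_trail))  # the CEO's repeated denials surface
```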
Password management policies — These are principles and best practices for storing and managing passwords to secure the passwords as much as possible to prevent unauthorized access. Security teams develop the policies and train users to correctly follow them.
Syndio follows best practices in requiring password complexity and security, requires training at hire and annually, and these policies are evaluated in the certification processes.
Incident response plans — These plans provide an organized approach to addressing and managing the aftermath of a security breach or cyberattack. A plan generally covers six phases: preparation, detection, containment, investigation, remediation, and recovery.
Syndio has established incident response plans, which are reviewed as part of both the SOC 2 Type II audits and the ISO 27001 certification process, as well as being monitored by Drata, a third-party automated system trusted by leaders in the industry.
Personnel management controls — These include managing or monitoring employee data permissions, including access after termination, and training on and enforcing cybersecurity policies and procedures. These controls are key to data security: 62% of executives said the greatest threat to their organization’s cybersecurity was employees’ failure to comply with data security rules, not hackers or vendors.
Syndio provides customers with user-based permissions for system access, and internally has role-based access controls that limit data access to those customer success and engineering personnel who need it. All of our personnel management controls are reviewed and certified under both SOC 2 Type II audits and the ISO 27001 certification process.
Workplace equity data security is a top priority
Our customers trust us with their sensitive data and we take keeping it safe seriously. Security is a top priority at Syndio and receives support from our leadership teams to ensure we are implementing security processes and controls to protect our customers’ data.
Syndio handles data with the utmost care and integrity and our systems are designed to reduce the chances for errors or accidents. We believe transparency in our security processes and controls is essential. Learn more about Syndio’s leading Workplace Equity Platform and talk to one of our experts by requesting a demo below!