FinancialForce applications were designed from the ground up using core information security principles:
- Confidentiality. Prevent the disclosure of information to unauthorized individuals or systems.
- Integrity. Maintain and assure the accuracy and consistency of data over its entire lifecycle.
- Availability. Ensure the information is available when needed.
FinancialForce is committed to achieving and maintaining these principles and the trust of our customers. Integral to this is providing a robust information security and privacy program that carefully considers security and data protection across our services, including data submitted by customers to our services (“customer data”). Over 1000 customers in 34 countries trust FinancialForce applications. Our customers are in a wide range of verticals, some with stringent security requirements, including financial services, healthcare, technology, energy and government.
Security at FinancialForce
FinancialForce has a dedicated Information Security function led by our Chief Information Security Officer and driven by a risk-based information security strategy. Our security policy and standards, controls and verification efforts are designed to protect customer information assets against a range of rapidly evolving threats. Our Information Security Program includes identifying, mitigating and reporting on information and cyber security risks, and complying with security and privacy regulations and commitments.
Cloud Security Alliance
As part of our commitment to Trust, FinancialForce has made available to the public a detailed description of our cloud security controls under the Cloud Security Alliance (CSA) STAR Level 1 - Self-Assessment program. This self-assessment uses the CSA Consensus Assessments Initiative Questionnaire to answer nearly 300 standardized questions that provide transparency into cloud vendor security practices and controls supporting their cloud service delivery and applications.
Certifications and Attestations
SSAE 16 SOC 1 Type II Report
As part of our commitment to Trust, FinancialForce has invested in a Service Organization Control 1 (SOC 1) Type II report prepared by the global accounting firm Ernst & Young LLP. The report is prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. The purpose of the report is to provide our customers assurance that the FinancialForce Description of Services is fairly presented in all material respects, that controls put in place by FinancialForce are suitably designed to meet their control objectives, and that those controls were tested and operated effectively during the audit period. Ernst & Young LLP created an Independent Service Auditors’ Report after testing and evaluating FinancialForce applications against the following objectives:
- Control Environment
- Risk Assessment
- Information and Communication
- IT General Controls
- Change Management
- Development and Testing
- Information Security Aspects
- Incident Management
- Sub-Service Organizations
- Disaster Recovery and Business Continuity
The SOC 1 report helps to provide FinancialForce customers with the assurance that our applications are developed and delivered in accordance with transparent standards designed for quality and security.
The safety, security and availability of our customers' data are a top priority for FinancialForce. As part of this commitment, FinancialForce supports compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) by those of our customers that are covered entities or business associates under HIPAA.
FinancialForce complies with the requirements of the HIPAA Security Rule that apply to FinancialForce in its capacity as a business associate. In addition, FinancialForce applications provide configurable security features that can help our customers address their security and compliance requirements under HIPAA.
FinancialForce customers that are subject to HIPAA and wish to use our applications for electronic Protected Health Information (ePHI) must first sign a FinancialForce business associate addendum.
Please review our “FinancialForce and the HIPAA Security Rule” whitepaper for an overview of FinancialForce application features and controls relevant to the HIPAA Security Rule and how our customers can leverage those controls to meet HIPAA compliance requirements.