Stuart Phipps, Author at Zift Solutions (feed updated Tue, 15 Dec 2020 16:27:32 +0000)

CALIFORNIA’S GDPR? CCPA, DATA PRIVACY, AND YOU
Thu, 19 Mar 2020 17:29:38 +0000
https://ziftsolutions.com/blog/californias-gdpr-ccpa/
Not too long ago, data was treated like a house with all the windows open. You had the option to install blinds or curtains if you chose, but all too often people left their windows completely open day in and day out, simply because they did not know there were other options. After all, leaving a window open is fine some days, but you don’t necessarily want everyone in the neighborhood to know when you’ve been watching your guilty pleasure TV show for five hours straight on a Sunday afternoon. (Spoken from experience.)

Today, channel organizations must close and lock those windows to comply with strict data privacy policies and regulations. It goes without saying that adhering to the data privacy laws everywhere our customers are located or conducting business is of the utmost importance to us. We recently spoke with Tim Porterfield about GDPR and how channel marketers use Zift to ensure compliance. Today, we’re following up with Zift’s Director of IT and resident data privacy expert, Stuart Phipps. He’s navigated Zift through multiple SOC 2 Type II certifications with no exceptions. Naturally, we turned to him for answers on CCPA.

 

What sets the CCPA apart from GDPR? 

“The California Consumer Privacy Act is not a far-reaching set of regulations like GDPR, but it is still a strong step in the right direction for protecting consumers’ rights to privacy in the US,” said Phipps. The main difference between the two laws is the broadness of their reach. GDPR applies to the data of an EU citizen worldwide, meaning EU citizens can invoke their right to be forgotten from any company that has acquired their data. The CCPA applies only to California-based companies with revenue over $25 million or whose primary business function is the sale of personal information.

Data encryption is another important facet of privacy that CCPA addresses. Encryption makes data much more difficult for unauthorized users to access and adds a level of security for companies involved in data transfer. Mainly, though, its purpose is to ensure the protection of personal data.

Phipps also thinks it’s not a matter of if, but when, for other states to follow suit on new privacy laws. “The CCPA is likely the beginning of a whole suite of data privacy laws in the US — New York, Illinois, and Washington state are all in the process of drafting privacy laws to be enacted in 2020.” 

Zift is committed to driving your channel success, and that includes ensuring compliance with all data privacy laws, not only for ourselves but for suppliers and partners as well. Our platform is set up with the “right to be forgotten” in mind for the end customer, and partners can be anonymized in our support system.

 

How does Zift ensure CCPA compliance for Suppliers? 

GDPR’s requirements are more stringent than the CCPA’s, so the GDPR requirements met and ensured by ZiftONE also cover the needs of CCPA. We have steps baked into the platform that brands can enable that require verification of contacts opting in for marketing and communications. Keep in mind, though: a system designed to protect data is only as good as the people using it. Our terms and conditions protect suppliers and us as a data processor.

It’s worth stating: playing by the (data) rules pays off. Our system has automatic bounce rate and spam rules in place, and those who fail to meet those rules repeatedly lose access to our platform for communication. Conversely, those who use it effectively gain more email credits. 

 

Have any questions for our IT experts on how Zift ensures total compliance for GDPR and CCPA for suppliers and partners? We’re happy to answer them. Leave a comment or contact us — privacy matters, but our commitment to data security is totally transparent.  

 

SOC 2 Type II Success: Keeping Data Security Close to Home
Tue, 25 Jun 2019 12:59:01 +0000
https://ziftsolutions.com/blog/soc-2-type-ii-data-security/

Zift Solutions has completed our annual SOC 2 Type II certification under the Security Trust Principle with AARC-360. We’re committed to protecting our customers’ and partners’ personal information and rights to privacy, especially now when data security is on the top of everyone’s mind. Accordingly, Zift continues to invest in cybersecurity and data protection.

We’re focused on providing world-class availability, security, and privacy controls. As a result, we have achieved a degree of security and operational maturity seen in very few software-as-a-service companies. We are in an exclusive club: the less than 1% of SaaS vendors who have achieved SOC 2 Type II compliance attestation!

Our team has spent the last few months working diligently through a detailed, thorough third-party review, so our organization can be designated as SOC 2-compliant. When a company completes this process, its customers and partners are assured by a third party that the organization adheres to a strict set of principles around securely managing their data. Zift recently completed this process for the third consecutive year, and again received a “clean report” with no exceptions!

Some of the most common questions we get from customers revolve around security and privacy. We field questions like:

  • How do you protect my company’s data from potential threats?
  • What critical security controls have you implemented to ensure the security of my company’s data?
  • What type of testing is performed to ensure the effectiveness of those security controls?

How can you be sure a service provider has really prepared for all the potential issues? SOC 2 is one of the major frameworks that’s come to the forefront of security discussions as a way to combat issues before they start.

Let’s look at what being SOC 2 compliant means, and why it’s important.

What is SOC 2 compliance?

The Service Organization Control reporting platform was developed by the American Institute of CPAs (AICPA) to help companies get a handle on the complex, diverse security issues out there, and provide a framework for service providers to measure against. SOC 2 compliance covers companies that provide services like data hosting, colocation, data processing and software-as-a-service (SaaS), and is based on five “trust services principles” that reflect different criteria for managing customer data: security, privacy, availability, processing integrity, and confidentiality.

The five SOC 2 principles 

The SOC 2 principles double as a great way for customers to organize their thoughts and concerns over data management. To be compliant, service providers must have clear, well-documented, proven strategies for each of these topics:

  • Security ensures that system resources are protected against all types of unauthorized access. It includes network and application firewalls, two-factor authentication and intrusion detection.
  • Privacy addresses how the system collects, retains, discloses and disposes of personal information, and how that process aligns with the organization’s privacy notice and with the AICPA’s generally accepted privacy principles (GAPP). It includes access control, two-factor authentication, and encryption.
  • Availability looks at how accessible a company’s services, products, and systems are, based on the contracts and service level agreements (SLA) it has. It includes performance monitoring, disaster recovery and security incident handling.
  • Processing integrity, at its base, asks if a system achieves what it’s meant to do. Does it process data the way it promises? Does it do so in a timely manner, with authorization, and with the performance and price agreed upon? It involves quality assurance and process monitoring.
  • Confidentiality relates to data whose access and/or disclosure is limited to specific groups. It involves encryption, access controls, and network and application firewalls.

Why does SOC 2 matter?

It’s important to note that no vendor is required to be SOC 2 compliant; it’s a voluntary process, generally driven by customer demand. Any company that chooses to go down this path has security and privacy as a top priority within the company. After all, the certification process is a months-long endeavor, conducted by impartial outside auditors.

SOC 2 is considered the “gold standard” in compliance for software companies and is well worth the effort. It’s a very tangible way for Zift Solutions to ensure that our data, and our customers’ data, is handled using the strict guidelines mentioned above. It’s more than checking a box; it’s a commitment that goes to the very heart of our relationship with our customers and their partners worldwide, and of our continuing assurance to them.

To learn how your organization can use channel sales, channel marketing, and channel operations together as ONE with ZiftONE, visit us or get in touch.

 

 
