Privacy and Security FAQ

| Privacy and Security Questions | Answers |
|---|---|
| Enterprise Security | |
| Has your company experienced a security incident in the past 3 years? | No |
| Do you require multi-factor authentication on all enterprise applications and production systems? | Yes |
| Does your company assess the security and privacy practices of all third-party companies with access to customer data? Please describe. | Yes. We do quarterly reviews with all of our third-party vendors to ensure they follow SOC 2 and ISO 27001 practices, as well as regular access control reviews. |
| Are these assessments repeated on an annual basis? | Yes |
| Please provide a point of contact in case of security issues. | Matt Masiar, CTO: matt.m@icomplyis.com |
| Product Security | |
| How often are third-party penetration tests conducted against your product/service? | Quarterly |
| Does your product/service support integration with Okta as an SSO provider? | |
| If SSO is supported but not through Okta, please describe (e.g., Login with Google). | Yes |
| Does SSO support require an ‘enterprise’ plan or similar? If so, please describe. | SSO requires at least a Pro plan. |
| If your product doesn’t offer SSO and therefore iComply will be required to use password-based login, does your product comply with all of the below best practices? If not, please list any exceptions. (1) Password length can be at least 64 characters; (2) password requirements do not dictate character choices (e.g., a certain number of special characters, numbers, capitals, etc.); (3) secret questions are not the sole requirement for the password reset process; (4) email verification of a password change request is required; (5) passwords are stored in a hashed and salted format using a memory-hard or CPU-hard one-way hash function. | We do support these password complexity requirements. |
| How does your company securely back up all product data? | Backups of all key services are done daily and are fully encrypted. |
| Does your company’s product/service encrypt any data prior to insertion into databases (i.e., row-level encryption)? Please describe. | Yes. Data is encrypted at the row level and at the database level. |
| Does your company have a formal process to produce and deploy patches to address application vulnerabilities that materially impact security within defined SLAs (i.e., vulnerability management)? Please describe. | iComply maintains a formal vulnerability management program designed to ensure that application vulnerabilities are identified, assessed, remediated, and deployed into production within defined Service Level Agreements (SLAs). This process is aligned with industry best practices (e.g., ISO 27001, NIST CSF, and OWASP guidance) and supports our commitment to protecting client data and maintaining platform resilience. Critical (CVSS ≥ 9.0 or active exploitation): patch within 24–72 hours of validation; High severity: patch within 7 business days; Medium severity: patch within 30 days; Low severity: patch within 90 days or included in routine maintenance cycles. |
| Data Privacy | |
| Does your company publish a list of subprocessors with respect to GDPR or CCPA? Please provide link(s). | No |
| Are you GDPR and CCPA compliant? | Yes |
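The password practices listed under Product Security (accepting passwords of at least 64 characters, imposing no character-class rules, and storing a salted hash from a memory-hard function) can be implemented as below. This is an added illustrative example, not iComply's own code; the minimum length, the 128-character ceiling and the scrypt work factors are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Policy values: the questionnaire only requires that 64-character passwords be
# accepted and that no composition rules apply; the floor and ceiling are assumed.
MIN_LENGTH = 8      # assumption: no minimum is stated on the questionnaire
MAX_LENGTH = 128    # must be >= 64 so that 64-character passwords are accepted

# scrypt work factors (assumption; tune so a hash takes ~100 ms on production hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def check_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.

    Only length is checked. Composition rules (digits, symbols, capitals) are
    deliberately absent, matching the best practice the questionnaire lists."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    return problems


def hash_password(password: str) -> str:
    """Salt and hash with scrypt (memory-hard) and return a self-describing record
    so the work factors can be raised later without breaking old records."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare in
    constant time; any malformed record is treated as a failed verification."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)
```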