We combine nearly three decades of continuous service delivery and enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure client and business data is always protected. Our clients rest easy knowing the information they provide us is protected.
Data Security and Privacy
Why Certifications Matter
As Human Resources, Payroll, Procurement and Finance professionals who will be considering potential partners for these services, your Executive Leadership, Board of Directors, and compliance team will want to ensure appropriate measures are in place to safeguard confidential information. T&C's certifications and security controls will instill confidence with your leadership team as you champion this vendor transition.
COMPLIANCE
It is one thing to say you adhere to a standard, but it is another to have an independent third party test your controls and validate that you are implementing the security practices appropriately. Thomas & Company has obtained third-party audits annually since 2013. This continuous track record of successful audits has steadily strengthened the quality and breadth of our security posture. These audits are in addition to the audits our data center providers hold around their data center controls. It is important to note the difference between a SOC report that covers a service provider's data center and a SOC report that covers the service provider itself.
SOC 2 TYPE II
The Thomas & Company SOC 2 Type II report is an independent assessment of our control environment performed by a third party. It’s based on the American Institute of Certified Public Accountants’ (AICPA) Trust Services Criteria, is issued annually in accordance with the AICPA’s AT Section 101 (Attest Engagements), and covers a 12-month period.
SOC 3 TYPE II
The AICPA developed the SOC 3, or SOC for Service Organizations: Trust Services Criteria for General Use Report, to meet the needs of users who need assurance about the controls at a service organization relevant to the applicable Trust Services Criteria but do not have a need for the more detailed SOC 2 Report.
PCI DSS
Thomas & Company is compliant with the requirements of the Payment Card Industry Data Security Standard ("PCI DSS") Version 4.0. Compliance requires annual attestation of adherence to the applicable requirements of the Payment Card Industry (PCI) standards and routine vulnerability scans of internet-facing systems.
California Consumer Privacy Act (CCPA)
Thomas & Company has updated our privacy policy to comply with CCPA requirements. For our clients to whom the CCPA may apply, we offer a Services Agreement Amendment confirming our role as a “Service Provider” as defined in the CCPA.
General Data Protection Regulation (GDPR)
Thomas & Company does not process the personal information of EU residents, but we will work with our clients to address any GDPR-related concerns they may have.
NIST Privacy Framework
Thomas & Company has adopted the NIST Privacy Framework as our company standard privacy framework.
Fair Credit Reporting Act (FCRA)
Thomas & Company complies with the Fair Credit Reporting Act’s requirements regarding the handling and privacy of the employment and wage data of our clients’ employees.
- 2012: PCI-DSS
- 2013: PCI-DSS, SAS 70
- 2014: PCI-DSS, SSAE 16 SOC 1
- 2015: PCI-DSS, SOC 2 TYPE I, SOC 2 TYPE II, SOC 3
- 2016: PCI-DSS, SOC 2 TYPE II, SOC 3
- 2017: PCI-DSS, SOC 2 TYPE II, SOC 3
- 2018: PCI-DSS, SOC 2 TYPE II, SOC 3
- 2019: PCI-DSS, SOC 2 TYPE II, SOC 3
- 2020: PCI-DSS, SOC 2 TYPE II, SOC 3
- 2021: PCI-DSS, SOC 2 TYPE II, SOC 3
- 2022: PCI-DSS, SOC 2 TYPE II, SOC 3
- 2023: PCI-DSS, SOC 2 TYPE II, SOC 3
Why Privacy Matters
In today's technological environment, employees demand that their data be kept private and protected, and employers must fully vet every partner with whom they exchange private employee data.
HOW IS THOMAS & COMPANY UNIQUELY POSITIONED TO PROTECT OUR CLIENTS’ DATA?
KEY SECURITY CONTROLS IN PLACE
Data Center Security
- All T&C servers are hosted in data centers with their own SOC 2 and SOC 3 reports along with ISO 27001 certification.
- All data is hosted in the United States.
- 24/7 physical security monitoring
- Two-factor authentication required for physical access
Application Security
- We follow secure development practices and test our applications against security threats to protect customer data. In addition, T&C employs third-party security experts to perform detailed penetration tests on our applications regularly.
Security Monitoring
- T&C utilizes 24/7 security monitoring of our network and systems. This includes analysts who review and alert on suspicious network traffic and behavior in real time.
Logical Security
- All access to customer data is tightly controlled, and access is granted only to the systems and functions needed by each role in the organization. All administrative and remote access requires multi-factor authentication.
Organizational Security
- All employees receive security, privacy, and compliance training on their first day and must complete ongoing annual security, privacy, and compliance training.
Thomas & Company Offices
- Access to T&C offices is limited by badge access.
- Security cameras cover points of entry and exit.
Additional Architectural, Logical, and Organizational Items
- Full disk encryption implemented
- Application whitelisting
- Strict server egress filtering
- 24/7 Security Operations Center (SOC)
- 24/7 Managed Detection Response Service
- Secure Administration Hosts
- Secure Identity Management System
- Real-Time Security Awareness Training
- Email Attachment Sandboxing and Static File Analysis
- Layered Network Security Architecture with UTM (Unified Threat Management)
Data Encryption
- Data is encrypted at rest and in transit.