Data Security and Privacy

We combine nearly three decades of continuous service delivery and enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure that client and business data is always protected. Our clients rest easy knowing that the information they provide us is protected.

Why Certifications Matter

If you are in Human Resources, Payroll, Procurement, Finance, etc. and are considering potential partners for these services, your C-suite, Board of Directors, and compliance team will require the details below. T&C's certifications and security controls will represent you well to your leadership team as you champion this vendor transition.

COMPLIANCE

It is one thing to say you adhere to a standard, but it is another to have an independent third party test your controls and validate that you are implementing the security practices appropriately. Thomas & Company has obtained third-party audits annually since 2013. This continuous track record of successful audits has had a strongly positive impact on the quality and breadth of our security posture. These audits are in addition to the audits our data center providers hold for their data center controls. It is important to note the difference between a service provider relying on its data center's SOC certifications and the service provider holding a certification of its own.

SOC 2 TYPE II

The Thomas & Company SOC 2 Type II report is an independent assessment of our control environment performed by a third party. It is based on the American Institute of Certified Public Accountants' (AICPA) Trust Services Criteria, is issued annually in accordance with the AICPA's AT Section 101 (Attest Engagements), and covers a 12-month period.

SOC 3 TYPE II

The AICPA developed the SOC 3, or SOC for Service Organizations: Trust Services Criteria for General Use Report, to meet the needs of users who need assurance about the controls at a service organization relevant to the applicable Trust Services Criteria but do not have a need for the more detailed SOC 2 Report.

PCI DSS

Thomas & Company is compliant with the requirements of the Payment Card Industry Data Security Standard ("PCI DSS") Version 3.2. Compliance requires annual attestation of adherence to the applicable requirements of the Payment Card Industry (PCI) standards and routine vulnerability scans of internet-facing systems.

California Consumer Privacy Act (CCPA)

Thomas & Company has updated our privacy policy to comply with CCPA requirements. For our clients to whom the CCPA may apply, we offer a Services Agreement Amendment confirming our role as a “Service Provider” as defined in the CCPA.

General Data Protection Regulation (GDPR)

Thomas & Company does not process the personal information of EU residents, but we will work with our clients to address any GDPR-related concerns they may have.

NIST Privacy Framework

Thomas & Company has adopted the NIST Privacy Framework as our company standard privacy framework.

Fair Credit Reporting Act (FCRA)

Thomas & Company complies with the Fair Credit Reporting Act’s requirements regarding the handling and privacy of the employment and wage data of our clients’ employees.

Why Privacy Matters

In today's technological environment, employees demand that their data be kept completely private and protected, and employers must fully vet every partner with whom they exchange private employee data.

HOW IS THOMAS & COMPANY UNIQUELY POSITIONED TO PROTECT OUR CLIENTS’ DATA?

1. Management Commitment

Management commitment truly is a key aspect of our security program. Our CEO is updated on the security program weekly, and all decisions are made with a "security first" mindset.

2. Growth Model

Management has avoided growth by acquisition and invested in an organic and responsible growth strategy. From T&C's data security perspective, steady and healthy growth enables intelligent execution of our information technology and security plan.

3. Intent for Use

We only use your data for the services offered and never sell your data.

4. Wholly-Owned

We do not exchange data with or rely on third parties to deliver our services. T&C's wholly-owned services model is a significant security advantage to our clients and is rare in this industry.

5. Organic Service & Support

The data processing component of our services is completed by T&C employees, and we do not share our data with any third-party subcontractors.

6. Continuous Improvement

It is critical that organizations continuously improve their security controls. T&C's commitment to continuous improvement is built into our culture and is demonstrated by our investments in people and technology.

KEY SECURITY CONTROLS IN PLACE

Data Center Security
  • All T&C servers are hosted in data centers with their own SOC 2 and SOC 3 reports along with ISO 27001 certification.
Application Security
  • We follow secure development practices and test our applications against security threats to protect our customer data. In addition, T&C employs third-party security experts to perform detailed penetration tests on our applications regularly.
Security Monitoring
  • T&C utilizes 24/7 security monitoring of our network and systems. This includes analysts who review and alert on suspicious network traffic and behavior in real time.
Logical Security
  • All access to customer data is tightly controlled, and access is granted only to the systems and functions needed by each role in the organization. All administrative and remote access requires multi-factor authentication.
Organizational Security
  • All employees receive security, privacy, and compliance training when they start and must complete ongoing annual security, privacy, and compliance training.
Thomas & Company Offices
  • Access to T&C offices is limited by badge access.
  • Security cameras cover points of entry and exit.
Data Center
  • 24/7 physical security monitoring
  • Badge access and biometric fingerprint scanners
  • Colocation cage perimeter security (surveillance cameras and card readers)
  • Electronic cabinet access device and user reports
Additional Architectural, Logical, and Organizational Items
  • Full disk encryption on all hard drives
  • Application whitelisting
  • Strict Server Egress Filtering
  • 24 x 7 x 365 IPS / IDS
  • Secure Administration Hosts
  • Secure Identity Management System
  • Real-Time Security Awareness Training
  • Email Attachment Sandboxing and Static File Analysis
  • Layered Network Security Architecture with UTM (Unified Threat Management)
Data Encryption
  • Data is encrypted at rest and in transit.