Data Security and Privacy

We combine nearly three decades of continuous service delivery and enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure client and business data is always protected. Our clients rest easy knowing the information they provide us is protected.


It is one thing to say you adhere to a standard, but it is another to have an independent third party test your controls and validate that you are implementing the security practices appropriately. Thomas & Company has obtained third party audits annually since 2013. This continuous track record of successful audits has an exponentially positive impact on the quality and breadth of our security posture. These audits are in addition to the audits our data center providers hold around our data center controls. It is important to note the difference between receiving SOC certifications from a service provider’s data center and the certification from the service provider itself.

To assist your security, compliance, and risk management teams with understanding the applicable compliance requirements for your organization as it relates to our services, we have gathered the following compliance and certification resources below.

Third-Party Audits and Certifications

SOC 2 Type II

The Thomas & Company SOC 2 Type II report is an independent assessment of our control environment performed by a third party. It’s based on the American Institute of Certified Public Accountants’ (AICPA) Trust Services Criteria, is issued annually in accordance with the AICPA’s AT Section 101 (Attest Engagements), and covers a 12-month period. It details the design and operating effectiveness of controls relevant to any system containing customer data. The T&C SOC 2 report addresses the applicable Trust Services Principles and Criteria (Security, Availability, Confidentiality, and Processing Integrity). This report is available to clients and prospective customers upon request.


The AICPA developed the SOC 3, or SOC for Service Organizations: Trust Services Criteria for General Use Report, to meet the needs of users who need assurance about the controls at a service organization relevant to the applicable Trust Services Criteria but do not have a need for the more detailed SOC 2 Report.

The T&C SOC 3 report, an independent assessment of our control environment performed by a third party, is publicly available and provides a summary of our control environment relevant to the security, availability, confidentiality, and processing integrity of customer data. You can request access to the T&C SOC 3 report here by providing your information on our contact page.


Thomas & Company is a participant in TRUSTe’s Enterprise Privacy and Data Governance Practices Certification program. This program is designed to enable organizations to demonstrate that their privacy and data governance practices for personal information comply with the standards outlined in the TrustArc Privacy & Data Governance Framework which is aligned with external regulatory standards and frameworks such as the OECD Privacy Guidelines, the APEC Privacy Framework, the EU General Data Protection Regulation (“GDPR”), the U.S. Health Insurance Portability and Accountability Act (“HIPAA”), ISO 27001 International Standard for Information Security Management Systems, and other global privacy laws and regulations.

The certification also reflects input from consumers, clients, advocates, and regulators. TRUSTe has verified that our privacy practices are compliant with TRUSTe privacy standards through a combination of technical and manual methodologies and company self-attestations. To see our TRUSTe certification, please click below.TRUSTe



Thomas & Company is compliant with the requirements of Payment Card Industry Data Security Standard (“PCI DSS”) Version 3.2. Compliance requires annual attestation of adherence to the applicable requirements of the Payment Card Industry (PCI) standards and routine scans on internet facing systems.

How is Thomas & Company uniquely positioned to protect our clients’ data?

T&C is committed to protecting the data entrusted in our care. We believe we are unique in several areas around this commitment.

  1. Management Commitment – Management commitment truly is a key aspect to our security program. Our CEO is updated on the security program weekly and all decisions are made with a “security first” mindset.
  2. Growth Model – Management has avoided growth by acquisition and invested in an organic and responsible growth strategy. From T&C’s data security perspective, steady and healthy growth enables intelligent execution of our information technology and security plan.
  3. Intent for Use – We only use your data for the services offered and never sell your data.
  4. Wholly-Owned – We do not exchange data with or rely on third parties to deliver our services. T&C’s wholly-owned services model is a significant security advantage to our clients and is rare in this industry.
  5. Organic Service & Support – The data processing component of our services is completed by T&C employees, and we do not share our data with any third party subcontractors.
  6. Continuous Improvement – It is critical that organizations are continuously improving their security controls. T&C’s commitment to continuous improvement is built into our culture and is demonstrated by our investments in people and technology.

Key Security Controls in Place

Data Center Security
  • All T&C servers are hosted in data centers with their own SOC 2 and SOC 3 reports along with ISO 27001 certification.
Application Security
  • We take steps to securely develop and test against security threats to ensure the safety of our customer data. In addition, T&C employs third-party security experts to perform detailed penetration tests on our applications regularly.
Security Monitoring
  • T&C utilizes 24/7 security monitoring of our network and systems. This includes analysts that are reviewing and alerting on suspicious network traffic and behaviors in real time.
Data Encryption
  • Data is encrypted at rest and in transit.

Organizational Security

  • All employees receive security, privacy and compliance training the moment they start and must complete ongoing annual security, privacy and compliance training.
Logical Security
  • All access to customer data is tightly controlled and access is only granted to the systems and functions needed by each role in the organization. All administrative and remote access requires multi-factor authentications.


Thomas & Company Offices
  • Access to T&C offices is limited by badge access.
  • Security cameras cover points of entry and exit.
Data Center
  • 24/7 physical security monitoring
  • Badge access and biometric fingerprint scanners
  • Colocation cage perimeter security (surveillance cameras and card readers)
  • Electronic cabinet access device and user reports
Additional Architectural, Logical, and Organizational Items
  • Full disk encryption on all hard drives
  • Application White-listing
  • Strict Server Egress Filtering
  • 24 x 7 x 365 IPS / IDS
  • Secure Administration Hosts
  • Secure Identity Management System
  • Real-Time Security Awareness Training
  • Email Attachment Sandboxing and Static File Analysis
  • Layered Network Security Architecture with UTM (Unified Thread Management)

T&C’s Ongoing Security Philosophy

We are proud to serve as an extension of our clients’ HR, Payroll, and Tax teams and are responsible for protecting employee data as if it were our own. We agree that compliant doesn’t necessarily mean secure, and we understand the importance of our clients complying with the applicable laws and regulations related to data privacy, including instances where a service provider holds and processes client data. Compliance with such standards and best practices serves as the baseline. However, in an environment of constantly evolving security threats, we are continuously challenging and adapting our controls. We welcome the opportunity to discuss your security requirements and our program in greater detail with you and your security team.