Equisolve receives ISO 27001 & 27018 certifications. You can download the certificate by visiting our Trust page.

Certifications & audits

ISO 27001:2022

This ISO certification showcases our ability to implement and enhance information security policies. It demonstrates that we can implement and maintain information security policies and procedures relevant to the needs of the organization and its clients while continuing to improve the Information Security Program and the organization's operations. Equisolve is the only IR Website vendor with this certification. 

Download ISO 27001

ISO 27018:2019

ISO 27018 is part of the ISO 27K series and addresses the specific needs of protecting personally identifiable information (PII) in public cloud services. It offers a focused approach to data privacy and regulatory compliance that is crucial in the cloud computing era. The standard aims to build trust and transparency between cloud service providers and customers by outlining specific practices for handling, processing, and storing PII in the cloud. Equisolve is the only IR website vendor with this certification.

Download ISO 27018

SOC 2 TYPE II

Our internal processes undergo annual audits by an accredited advisory firm, ensuring effective controls for key compliance and control objectives.

The CSA Security, Trust, Assurance, and Risk (STAR)

The CSA Security, Trust, Assurance, and Risk (STAR) program is the largest cloud assurance program in the world that constitutes an ecosystem of the best practices, standards, technology, and auditing partners. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM).

Security

Encryption and key management

We ensure robust protection for sensitive data in transit and at rest. We employ cutting-edge encryption methods, including TLS 1.2 and AES 256. Production data is encrypted following FIPS 140-2 standards, with AWS Key Management System (KMS) used to securely store encryption keys in an isolated environment.

Access control

Our stringent access controls, featuring multifactor authentication, SSO (e.g., SAML), RBAC, and encryption, guarantee the safety of data. Quarterly access reviews further secure against unauthorized transmission, disclosure, alteration, or deletion.

Network security

Equisolve employs diverse controls such as network segmentation, web application firewalls, intrusion detection, DDoS mitigation, and strong encryption to fortify infrastructure, systems, and applications.

Vulnerability and threat management

Ongoing authenticated vulnerability scans across workstations, infrastructure, web applications, and containers, coupled with prompt remediation based on SLAs, ensure continual protection. Senior management receives routine reports on the effectiveness of these measures.

Assurance testing

In addition to SOC 2 and ISO 27001 audits, Equisolve annually collaborates with a respected cybersecurity firm for red and blue team penetration testing, web application security testing, and remote vulnerability testing, ensuring a comprehensive evaluation of our key applications and public-facing services.

Privacy

Data Privacy Addendum

Our DPA is a market standard implementation of US privacy law and GDPR Article 28 requirements imposed upon processors and reflects how we process personal data under our services.

Governance

We leverage the Privacy Shield Framework which helps ensure global privacy control requirements are understood, appropriately documented, and implemented. 

Data Access

Strong access controls such as multifactor authentication, SAML, role-based access (RBAC), anonymization, masking, and encryption are all essential to ensuring data is safe from unauthorized transmission, disclosure, alteration, or deletion.

Knowledge

All Equisolve employees and contractors are required to participate in privacy training. Additionally, Equisolve has a Data Privacy Officer who champions the Privacy Program and ensures compliance.

Availability

Infrastructure

Equisolve leverages AWS’ IaaS platform to host all critical infrastructure used to provide client-facing services. This allows for the design of an operating environment that is fault-tolerant delivering an uptime of nearly “Five Nines”.

Monitoring

Equisolve uses both internal and external tools to monitor a broad range of metrics across all systems, applications, and communication channels. Where metrics fall out of an acceptable tolerance, alerts are triggered and immediately responded to.

Testing

To ensure that the infrastructure and supporting processes are designed to be resilient to all forms of threats, Equisolve conducts testing that covers a broad range of scenarios. This testing occurs at least quarterly, with results and any required remediation activities reported to senior management.

Service Level Agreement

Equisolve guarantees that client sites will be available 99.99% of the time in a given month.

Third-party risk management

Rigorous vendor requirements

Equisolve mandates strict adherence to requirements for all vendors, based on their assessed risk concerning service reliance and data sensitivity. Vendors handling sensitive data must possess 3rd party attestation of control effectiveness and, when applicable, industry-specific certifications.

Ongoing monitoring

Our vendor monitoring activities involve due diligence reviews to validate risk levels, ensure up-to-date certifications and cybersecurity insurance, and confirm the completion of 3rd party attestations with no outstanding material findings.

Cloud security

We heavily rely on cloud service providers. To ensure clarity in responsibilities, we maintain an annually updated cloud security control responsibility matrix, outlining each party's role in the relationship.

Incident Response

Procedures

Our comprehensive Incident Response Procedure is inclusive of event categorization, team responsibilities, forensics, and reporting.

24/7 monitoring

We use a broad range of monitor tools to capture and analyze security events. Additionally, a Security Incident and Event Management (SIEM) system performs advanced analytics and alerting.

Training & Education

Security awareness

Security awareness

To ensure that all constituents are aware of their responsibilities around information security, security awareness training is provided to employees and contractors upon hiring and annually thereafter. To remain current, training is reviewed for updates no less than annually.

Phishing

Phishing

We perform simulated phishing attacks against all employees and contractors at least monthly. If an individual fails the test, they are immediately directed to remediation training to reinforce the techniques used by fraudsters and how to spot suspicious emails.

Targeted training

Targeted training

All employees and contractors with specialized roles (e.g., code development, accessibility) are required to take additional training specific to their responsibilities. 

VPAT

Our Accessibility Conformance Report (ACR) for our Investor Relations Company Template product was produced from VPAT v2.5 (Voluntary Product Accessibility Template). Our VPAT document is updated annually.

100% of our client service specialists, content strategists, designers, developers, and project managers are trained in IR Website accessibility through Deque. We also hold the following accessibility certifications:

Additionally, 7 team members are in the process of receiving their Web Accessibility Specialist (WAS) certification.

Let's talk

*Required Fields

Interested In (optional)
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.