Third-party verified business, operational, and security controls
Vendor management and due diligence are best practices for all organizations, particularly financial firms and other highly regulated organizations. To assist customers with this process, we engage third-party auditors to conduct regular testing on our services, internal controls, and data centers. We make the resulting reports available to customers on request.
These reports can help your compliance, IT, security, and legal teams address:
- Regulatory rules related to data preservation and supervision
- Privacy laws and jurisdictional requirements
- Legal requirements surrounding chain of custody, storage, and production of data
- Security and risk assessment processes for data management
KPMG Report on Global Relay’s Business, Operational and Security Controls
We are proud of the annual testing KPMG has completed with respect to our archiving systems and controls. KPMG’s independent agreed-upon testing with respect to our systems and controls is tailored to our specific environment and control reporting requirements—including key aspects of our security, availability, processing integrity, and confidentiality of customer data—and represents an ongoing investment in our customers and partners.
Specifically, the KPMG Report provides information regarding our security, business, and operational controls and related KPMG testing and results obtained with respect to:
- Physical Security: Physical safeguards at our headquarters and data centers.
- Change Management: Frameworks for guiding software development releases, operations, and change control.
- Network Security and Availability: System architecture, redundancy, access, and security.
- Processing of Message Data: Inbound message processing, secure storage, data center replication, and end-user access.
- Data Import, Export, and Deletion: Policies, procedures, and methodologies for securely handling customer data.
- Security Policies and Standards: Policies and standards governing privacy and confidentiality.
- Personnel Policies and Procedures: Employee lifecycle management.
- SAML-Based Authentication: Verification of the security and correctness of our SAML authentication service.
- Software Security Testing: Automated and manual software testing for security vulnerabilities.
*KPMG LLP (“KPMG”) is a Canadian limited liability partnership and a member firm of the global KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.
Service Organization Control (SOC) 2 Audits
SOC 2 audits test and report on the design and operating effectiveness of non-financial internal controls at cloud vendors. These audits are based on Trust Service Principles that cover policies, communications, procedures, and monitoring.
Global Relay’s two mirrored data centers undergo SOC 2 Type 2 audits at least annually. The resulting SOC 2 reports address the following Trust Service Principles:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
Independent Penetration Testing
KPMG completes periodic security penetration testing (“ethical hacking”) with respect to our key internet-facing systems and applications, and provides us with formal reports of the penetration test results. This testing simulates access attempts by unauthenticated individuals to identify, validate, and attempt to exploit vulnerabilities that might be used by attack agents (e.g. malicious persons on the internet and cyber criminal organizations).