Security & Compliance

SOC 1 Type 1

PFL processes are audited against the SOC reporting framework by independent third-party auditors. The audit covers controls for data security, availability, processing integrity, and confidentiality as applicable to in-scope trust principles for each service.

PFL has achieved SOC 1 Type 2 and SOC 2 Type 2 reports. In general, the availability of SOC 1 and SOC 2 reports is restricted to customers who have signed nondisclosure agreements with PFL.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard designed to ensure that companies processing, storing, or transmitting payment card information maintain a secure environment. The PCI DSS applies to credit cards from the major card brands, including Visa, MasterCard, American Express, Discover, and JCB. A third-party PCI Qualified Security Assessor (QSA) assesses company systems and processes on an annual basis and issues an Attestation of Compliance (AOC).

HIPAA

The Health Insurance Portability & Accountability Act (HIPAA) regulations require that covered entities and their business associates enter into contracts to ensure that those business associates will adequately protect protected health information (PHI). These contracts, or Business Associate Agreements (BAAs), clarify and limit how the business associate can handle PHI, and set forth each party’s adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act.

Currently there is no official certification for HIPAA compliance. However, PFL’s HIPAA Compliance Program utilizes an automated, online HIPAA compliance and training solution for developing, administering, documenting, and monitoring the program. The program methodology is based on National Institute of Standards and Technology (NIST) cybersecurity protocols endorsed by the Office for Civil Rights for compliance with the HIPAA Security Rule.

The National Institute of Standards and Technology (NIST) framework was designed to be voluntary, and NIST has not formalized an accreditation process. However, PFL utilizes an accredited solution for developing, administering, documenting, and monitoring PFL’s cybersecurity processes.

The General Data Protection Regulation (GDPR) is a complex piece of data privacy legislation from Europe that affects — and, in my experience, may confuse — millions of businesses, big and small, worldwide.

The California Consumer Privacy Act (CCPA) is a piece of data privacy legislation that applies to most businesses that process the personal data of California residents. The CCPA gives California residents a certain amount of control over the personal data that businesses collect about them.