FullyRamped Trust Center

FullyRamped is in compliance with security best practices, has implemented and is monitoring comprehensive controls, and maintains policies to outline its security procedures.

Compliance

Resources

SOC 2 Type I Report
ISO 27001 Certificate
SOC 2 Type II Report
Incident Response Policy
Data Retention and Disposal Policy

Controls

Password rules enforced
Production access keys restricted and key management services
Access control procedures
Least-privilege access strictly enforced for production infrastructure
Sensitive Data Classification & Access Control
Encryption of data
Secure disposal of electronic media containing sensitive data (PII, ePHI, etc.)
Data protection impact assessment
Data transfers covered by approved safeguards
Encryption in transit over public networks
Source code tool
Code of Conduct acknowledged by contractors
Business continuity and disaster recovery testing
Web application firewall
Penetration testing
Intrusion detection tool
Infrastructure baseline hardening policy
Infrastructure firewall
Monitoring, measurement, analysis and evaluation
Network diagram
Incident response procedures documented
Business continuity plans ensure emergency functionality
Alerts and remediation
Security incident list
Documented HIPAA Security Rule policy acknowledgment
Automated decision-making policy
Internal GDPR compliance assessments performed
Erasure request handling policy
Internal Audit Program
Log management tool
Interested party security requirements logged
Annual risk assessments performed
Vendor management program
Age verification and parental/guardian consent process enforced
Consent for processing captured via explicit opt-in mechanisms
New employee and contractor agreements
Existing employee and contractor agreements
Customer onboarding
Security awareness training implemented
Background checks performed on contractors
Records of Processing Activities (RoPA) maintained
Multi-availability zones
Defined and maintained ISMS scope
Notification workflows regarding rectification or erasure maintained
Lawful basis assessment
Automatic Session Timeout Enforcement
Patch management
Antivirus and malware configurations
Board charter
Removable Media Use Restricted and Encrypted