Precisely Trust Center

 

Precisely: Your Trusted Partner

At Precisely, establishing trust in data is core to our delivery of data, and data integrity services and solutions – ensuring the accuracy, consistency, and reliability of information and processes.

Information security and data protection are integral to all business functions across Precisely. Our dedicated Security, Compliance, and Data Privacy teams are committed to keeping customer, company, and private information secure.

Security

The nature of our core business requires compliance with relevant regulatory, industry, and standards frameworks. Precisely solutions stand out in the marketplace with their inherent ability to help customers enhance data privacy and security.

Industry-Leading Standards

In addition to our adherence to strict security policies and standards, Precisely also provides industry-leading reliability in the development and delivery of our products and services – whether on-premises, hosted, or SaaS offerings, with professional or managed services.

Privacy

Our commitment to data integrity and trust in data extends to ethical data stewardship. That means we continually advance our products and services to protect data and help our customers meet their privacy obligations.

As additional security threats arise and as data privacy and data protection laws and processes change, we will continue to update our operations and periodically reflect those changes in this Trust Center.


Security at Precisely

Policy

Precisely safeguards the personal and confidential data of customers, employees, and partners. To ensure the availability, integrity, and confidentiality of customer and partner data, Precisely employs strict information security and data privacy policies, standards, and guidelines that are updated regularly and at least annually.

Precisely’s Information Security Management System (ISMS) aligns and complies with ISO27001 standards. Precisely reviews its systems regularly against ISO 27001, CIS Controls, and NIST Frameworks, and any identified risks or gaps are addressed accordingly.

Precisely’s InfoSec Risk Board holds regular meetings to ensure delegation and assumption of risk throughout the company and effective communication to and from company board members and executive leadership.

As part of a comprehensive Information Security Management System, a comprehensive policy framework has been instituted and implemented across the organization covering General Security, Information Classification and Handling, Access Control, Physical Security, Acceptable Use, Incident Management, Business Continuity, Risk Management, Vulnerability Remediation, Vendor Risk Management, and Software Development Lifecycle. Supporting Standards, Guideline and Standard Operating Procedures ensure coverage and efficacy of the policies.

Administrative Safeguards

Background Checks

Precisely employees undergo background checks to the extent allowed by local law and sign a non-disclosure agreement before hire. All employees attest and reaffirm company handbook, data privacy, and security policies annually thereafter.

Security and Privacy Training

Upon hire and on an ongoing basis, all Precisely employees are required to undertake tested security and privacy training, which cover safe data handling and classification, compliance, security best practices, and adherence to the principle of least privilege.

The company provides training on specific role-based aspects of security and privacy. Examples include the product development team undergoing privacy by design and secure software development training, the professional services team undertaking PII, GDPR, and ePHI specific training, and training and testing all employees on phishing, vishing, and smishing vectors.

Incident Management

Precisely has implemented an Incident Response Plan which details the processes for detecting, reporting, identifying, analyzing, and responding to security incidents impacting Precisely infrastructure and data under its purview.

Data Breach Notification

In the event of a data breach, Precisely will follow its Incident Response Plan and contractual obligations to notify partners and customers of incidents impacting the infrastructure and data related to the delivery of their services and products.

Third Party Risk Management

Precisely may use sub-processors to perform or deliver services and are only entitled to access customer data only as needed to perform the services and shall be bound by written agreements that require them to provide strict levels of data protection required by Precisely and applicable regulations. These agreements are no less stringent than the data protection levels afforded by the customers agreement with Precisely.

Initial and ongoing vendor assessments are conducted to ensure proper data security and privacy practices are in place throughout the vendor relationship. Changes to vendor services provided or changes to existing contracts require a security risk assessment to confirm that the changes do not present additional or undue risk.

Technical Safeguards

Data Encryption

All customer data held by Precisely is encrypted in transit and at rest.

Information Classification and Handling Policy

Precisely has implemented an Information Classification and Handling Policy which governs data labeling and retention. Where appropriate, platforms use built-in rules to govern retention and employees follow operational guidelines for the secure removal of data at termination of services. Precisely follows NIST guidelines for the irrevocable logical and physical deletion of data.

Backup and Recovery

Precisely performs regular, secure backup and recovery testing of data and supporting systems. Backup intervals are dependent on the type of data and underlying repositories. Intervals range from minutes to daily. Wherever possible resilient and redundant systems, services, and stack components are used for automated failover capability.

Vulnerability Remediation

Precisely has a Vulnerability Remediation policy to identify and remediate vulnerabilities according to the risk they present. Precisely utilizes numerous coordinated management frameworks to monitor code, services, and systems and ensure vulnerabilities are assessed and remediated.

Intrusion and Malware Protection

Precisely has in place multilayered network and endpoint solutions to protect company assets which are centrally monitored and alerted upon.

Data Protection

Precisely implements multiple data security controls including DLP (Data Loss Prevention), data profiling, and data governance technologies to ensure data is secure throughout its lifecycle.

Logging & Monitoring

Precisely has a process in place to log, monitor, and respond to events and anomalies in its systems and solutions. Precisely has deployed centralized non-repudiable logging and monitoring solutions to identify and investigate possible security events and track anomalous behavior. Dedicated and centralized SIEM (Security Info & Event Management) platforms allow for Precisely and its partners to proactively model risks and respond to incidents.

Identity & Access Control

Access to personal information is limited through login credentials to those employees who require it to perform their job functions. In addition, Precisely utilizes access controls such as Multi-Factor Authentication, Single Sign-On, MAM, least privilege and access on an as-needed basis, strong password controls, and restricted access to administrative accounts.

Precisely’s solutions use role-based access controls that allow customers to create least-privilege roles that provide only the rights needed to perform the required functions.

Security Operations Center

Precisely maintains 24x7x365 monitoring operations with oversight of its entire infrastructure. Along with its partners, the company maintains a proactive threat hunting and rapid reaction posture to security incidents.

Physical Safeguards

Workplace Security

Precisely maintains strict facility access controls by the use badge access and alarm systems to limit ingress to authorized individuals only. Visitor registration and escort policies and surveillance systems ensure all access is monitored. In addition, Precisely offices have fire suppression and fire detection systems or devices as well as clearly defined emergency exits and evacuation routes. Workplace health and safety measures are kept up to date with local laws and regulations as well as industry best practice.

Data Center Security

All data centers where data is processed and stored are in the geographic regions tailored to the regulatory requirements of customers. The Tier 1 facilities and service providers hold SOC 2, HIPAA, PCI DSS, and ISO 27001 amongst other certifications.


Industry-Leading Standards

Frameworks

Precisely assesses its SaaS, hosted and external services to SOC 2 trust principles via third party. All current SaaS offerings have received SOC 2 Type 1 or Type 2 assessments via audit partners with a goal of having all services under SOC 2 Type 2 and HIPAA HITECH assessment for contiguous review periods in 2022/2023. Precisely aligns and complies its ISMS and controls framework to ISO 27001 and NIST standards. The company is pursuing ISO 27001 certification company-wide via third party in 2022/2023.


Product Security

Secure Design Principles

Precisely products and services are designed with security in mind. Precisely utilizes a Secure Software Development Lifecycle based on the OWASP methodologies where applicable. The company incorporates automated and manual scanning of code and artifacts to detect and remediate defects and vulnerabilities. Precisely DevOps systems and processes support the core pillars of information security: Confidentiality, Integrity and Availability.


Precisely Service Status

System Status

Precisely continuously monitors its customer services internally and through 3rd-party services. Find service status, updates, and maintenance announcements here: https://status.precisely.com/

Service Level Agreement (SLA)

Precisely provides on-premise, hosted, and SaaS products as well as managed and professional services as part of its solutions. SaaS and hosted services platforms are continuously monitored for performance and availability. Support SLAs are defined and tracked for all offerings. The SLA for our DI Suite SaaS product is here: www.precisely.com/dis-sla, and the SLA’s for other Precisely SaaS products can be found here: www.precisely.com/availability


Data Privacy

Trusted Data

This trust center section provides an overview of Precisely’s privacy practices, policies, and controls that regulate our handling of personal data.

Commitment to Privacy

Precisely’s commitment to data integrity and trust in data extends to ethical data stewardship. That means we continually advance our products and services to protect data and help our customers meet their privacy obligations.

Privacy Today

We live in an era of complex privacy legislation and requirements that vary by state and country. In the US alone, numerous new state privacy laws are coming into force, which will include expanded definitions of personal data, new rights (e.g., to opt-out of data sharing and profiling, to limit the use of sensitive personal information (SPI), to rectify, and to appeal) and robust penalties for non-compliance.

These new requirements, along with the existing obligations under GDPR, CCPA, and other laws, impact businesses, because individuals have expanded privacy rights and organizations have increased obligations to properly handle and protect personal data. As a result, organizations must keenly understand how they process and protect personal data across the data lifecycle.

Privacy at Precisely

As a global company, Precisely complies with applicable international privacy and data protections laws, including the implementation of the various requirements of the European Union General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA).

The following focuses promote privacy compliance and accountability across all our business units and processes.

  • A comprehensive privacy framework: Our data privacy framework includes core pillars ranging from Privacy-by-Design and Default to Training & Awareness to Privacy Ethics.
  • A central global privacy office: Our privacy office comprises professionals fully dedicated to privacy and strategically positioned within our senior leadership to promote top-down, agile implementation and awareness of our privacy and data governance framework across the enterprise.
  • Privacy policies and practices: Our employees are governed by numerous policies and procedures to ensure the proper, responsible handling of personal data.
  • Transparency, notice and choice: The Precisely Privacy Notice applies to the personal data we may obtain through our various online and offline channels, as well as from third-party sources.
  • Technical and Organizational measures: Precisely has adopted technical and organizational measures for the processing of personal data in its SaaS platforms to support its responsibilities to protect individual’s privacy. Precisely’s policies and measures support the principles of data protection by design and by default through this technical and organizational measures framework. Precisely implements and assesses both technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of its processing of personal data.
  • Reviews: We have built into our business model reviews and audits to ensure that we continue to assess

At Precisely, we take data privacy seriously and we aim to design our products and offerings to facilitate responsible management of data and empower our customers to be ethical stewards of their personal data.

Data Privacy