We’re Committed to Security and Privacy
vArmour Relationship Cloud meets the most stringent enterprise requirements from a Security and Data Protection standpoint. Relationship Cloud is SOC 2 type II audited and implements best-in-class security controls and processes in order to safeguard customer data and service delivery.
In addition, vArmour works with CyberGRX as an independent auditor to validate control capabilities and map to customer frameworks. Independent Penetration Tests and Code Review findings provided by the British Standards Institute are also available.
This Compliance and Trust page provides customers and prospects with access to the artifacts they need to meet their Third Party Risk Management requirements. Learn more in the vArmour Relationship Cloud Security and Privacy White Paper.
SOC 2 Type II
The Relationship Cloud System and Organization Controls (SOC) 2 Report is an independent third-party examination report that demonstrates how vArmour achieves key compliance controls and objectives that meet the AICPA Trust Services Security, Availability, and Confidentiality Criteria. The purpose of this report is to help you and your auditors understand the Relationship Cloud controls established to support operations and compliance relating to system security, availability, and confidentiality. Learn more in the vArmour Relationship Cloud SOC 2 Type II Report.
CyberGRX Independent Assessment
CyberGRX provides an independent third-party validated cyber risk assessment of vArmour’s security posture. This assessment details vArmour’s compliance with industry standards and the security protocols built into our infrastructure.
CyberGRX’s assessment of vArmour covers the strength, coverage, and timeliness of 200+ controls. It has been independently validated and integrates vArmour’s responses with analytics, threat intelligence, and risk models. CyberGRX’s Framework Mapper allows for the mapping of vArmour’s assessment to over 20 different commonly used industry frameworks and standards, such as NIST SP 800-53, NIST CSF, ISO 27001, PCI-DSS, HIPAA, CMMC, SOC 2, CSA STAR, NY-DFS, FFIEC, etc. Additionally, CyberGRX’s risk analytics platform and assessment questions are mapped to the MITRE ATT&CK framework and taxonomy. This enables customers to discover the controls that can mitigate the threats applicable to their industry, as well as the supporting controls that indirectly affect the efficacy of the attack techniques. Learn more in the Tier 2 Validated CyberGRX Cyber Risk Assessments of vArmour.
Assessment documents available:
- Critical Controls
- CMMC Level 1
- CMMC Level 2
- NIST CSF
- MITRE Full Technique
- MITRE ATT&CK
- NIST 800-53
- CSA CAIQ Lite
- CSA Cloud Controls Matrix
Data Protection and Privacy
Relationship Cloud offers a GDPR-compliant Data Processing Addendum (GDPR DPA), which enables customers to comply with GDPR contractual obligations.
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a ruling regarding the EU-US Privacy Shield and Standard Contractual Clauses (SCCs), also known as “model clauses.” The CJEU ruled that the EU-US Privacy Shield is no longer valid for the transfer of personal data from the European Union (EU) to the United States (US). However, in the same ruling, the CJEU validated that companies can continue to use SCCs as a mechanism for transferring data outside of the EU.
Following this ruling, Relationship Cloud customers and partners can continue to utilize Relationship Cloud instances within the US in compliance with EU data protection laws, including the General Data Protection Regulation (GDPR). In addition, Relationship Cloud customers are able to request a Relationship Cloud instance from their account team in most geographic locations globally. Here’s a list of data protection artifacts and a list of subprocessors.
Third Party Penetration Test and Code Review Reports
In addition to our continuous security testing lifecycle, vArmour engages the British Standards Institute (BSIgroup) to conduct annual security testing of the Relationship Cloud service. This testing includes Secure Code Reviews, application Pen Testing and Cloud environment Pen Testing. Customers can request access to the reports provided by BSIgroup to meet their internal Third Party Risk and Audit requirements. Here are our pen test reports.