Your Data is Protected
Your data is as important to us as it is to you. SAP Fieldglass has instituted a world-class Information Security Management System (ISMS) to ensure it remains secure. We proudly provide the following assurances to our customers.
Since 2011, our ISO certification has proven that we're serious when it comes to the management of information security. This globally recognized standard mandates the requirements for bringing information security under explicit control. The scope of our ISMS includes both our corporate headquarters and R&D technology center where all software planning, design, development, testing and support activities are performed. In 2016, we attained ISO 27018:2014 compliance to further demonstrate our commitment to protecting Personally Identifiable Information (PII) in the cloud computing environment. Customers can be assured that we have:
- Examined our information security risks considering all threats, vulnerabilities and impacts.
- Implemented a formal ISMS based on continuous improvement.
- Formalized management’s oversight of the entire security program.
- Established controls to specifically address the protection of personal data in the cloud.
In 2016, SAP Fieldglass positioned our organization as a leader in cloud-specific security assurance by obtaining the CSA Star Certification. This systematic third party independent assessment evaluates the security of a cloud service provider. The ISO 27001:2013 requirements together with the Cloud Security Alliance Cloud Controls Matrix criteria are leveraged to measure the maturity of a cloud provider’s security posture against five management principles.
Since 2005, SAP Fieldglass has undergone rigorous auditing of our internal controls. A SOC1 is an audit of the operating effectiveness of our internal control environment. Internal controls include, but are not limited to, employee background checks, physical and logical access controls, the entire Systems Development Life-Cycle (SDLC) and IT change control. This report serves as a window into how we operate as a service provider.
SOC1 Type 2 assessments provide independent third-party verification by a licensed CPA firm as to whether control activities were suitably designed and operating effectively during the audit period. SAP Fieldglass' operates on a 12-month audit period. The scope of the audit includes both our corporate headquarters and R&D technology center where all software planning, design, development, testing and support activities are performed.
Our SOC1 Type 2 audit is conducted in accordance with the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402). This single report is designed to satisfy both domestic and overseas customers.
A SOC2 report is similar to a SOC1 but does have some key differences. A SOC1 is self-defined by the service provider and is not held to any industry standard. A SOC2 is designed to evaluate service providers such as SAP Fieldglass against pre-defined control criteria based on the American Institute of Certified Public Accountants' (AICPA) Trust Services Principles.
SAP Fieldglass has successfully completed a Type 2 audit against the following principles:
- Security – The system is protected against unauthorized access, use or modification.
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, valid, accurate, timely and authorized.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Privacy – Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.
SAP Fieldglass’ management understands the ever-increasing importance of corporate governance, as well as the impact of the organization’s services on our clients’ system of internal controls. The successful completion of the SOC 2 examination is only part of SAP Fieldglass’ continued commitment to maintaining a high level of internal control.
The SAP Fieldglass SOC3 report is a publically available version of the SOC2 report. A SOC2 report includes auditor testing and results, while SOC3 provides a system description and the auditor’s opinion. You’ll see an overview of our infrastructure, our external auditor's opinion, and SAP Fieldglass management's assertion that we maintain effective control over the system based on the AICPA's Trust Services Security and Availability criteria.