Compliance at Reltio

Reltio provides customers added assurance by having its privacy and security controls audited annually by an industry-leading third party. These audits demonstrate that Reltio has implemented controls to secure customer data, and Reltio strives to enhance its existing security practices with third-party input and evolving industry best practices.

HITRUST Common Security Framework

Reltio is certified for HITRUST Common Security Framework (CSF). HITRUST CSF unifies recognized standards and regulatory requirements from NIST, HIPAA/HITECH, ISO 27001, PCI DSS, FTC, and COBIT.

Service Organization Control Reports

Reltio is certified for SOC 1 Type II and SOC 2 Type II compliance for the Reltio Data Cloud. SOC 1 focuses on financial reporting controls as they relate to the security of a system. SOC 2 focuses on a business’s non-financial reporting controls as they relate to the security of a system.

HIPAA Environment

Reltio maintains an environment on the Reltio Data Cloud configured to help customers meet HIPAA requirements. The HIPAA environment uses HIPAA-compliant services from our hosting vendors and complies with HIPAA requirements.

Reltio maintains a Business Associate Agreement (BAA) with our hosting vendors. The Reltio Data Cloud encrypts customer data at rest and in transit on the public Internet. The Activity Log captures all access to, and activity on, platform services.

ISO/IEC 27001:2022 Certification

Reltio is certified for ISO/IEC 27001:2022, the internationally recognized standard for Information Security Management Systems (ISMS). This certification validates that Reltio has implemented a comprehensive framework of policies, procedures, and controls to systematically manage and protect customer data. The ISMS emphasizes continuous improvement and risk-based security practices, reinforcing Reltio’s commitment to safeguarding sensitive information across the Reltio Data Cloud.

Data Privacy Framework

Reltio participates in the EU-U.S. Data Privacy Framework (DPF), the Swiss-U.S. DPF, and the UK Extension to the EU-U.S. DPF, which were developed to provide companies on both sides of the Atlantic with a reliable mechanism for transferring personal data. Participation in the DPF demonstrates Reltio’s commitment to meeting data protection requirements when transferring personal information from the European Union, Switzerland, and the United Kingdom to the United States.

CSA STAR Level 1

Reltio has achieved the Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) Level 1 certification. This certification confirms Reltio’s adherence to CSA best practices for cloud security and its transparency in sharing security and compliance posture. STAR Level 1 validates that Reltio has documented its security controls in alignment with the CSA Cloud Controls Matrix, providing customers with additional assurance around risk management and cloud data protection.

Third Party Security and Privacy Assessment

Reltio conducts an assessment of third-party vendors before using their services, whether as part of the Reltio Data Cloud or for internal Reltio use. As part of the assessment, Reltio reviews the vendor's SOC 2 Type II reports or the vendor's responses to a Reltio security assessment questionnaire. Reltio includes security and privacy obligations in its contractual agreements with such third-party vendors, aligned with the contractual obligations of Reltio's customers as well as Reltio's own security standards. Reltio reassesses third-party vendors annually.

Third Party Penetration Testing

Reltio engages a reputable third-party penetration testing firm to review the Reltio Data Cloud for vulnerabilities. Testing includes both network and application vulnerability scans and manual penetration testing. Testing occurs on production and non-production tenants and network subnets. Reltio takes a risk-based approach to remediating penetration testing findings and prioritizes all critical and high findings.

Compliance FAQs

How frequently are you audited?

Reltio performs external audits annually for SOC 1 and SOC 2 compliance, ISO/IEC 27001:2022 certification, and HITRUST annual certification/recertification.

How do I request your most recent compliance reports or penetration test?

Please reach out to request a copy of these compliance reports.

Does Reltio use Sub-processors?

Yes, a list of our sub-processors is available to current customers. Please see Reltio's sub-processors here.

What information security policies does Reltio have in place? Can I request copies? 

Reltio maintains approved security policies and procedures aligned to the HITRUST CSF standard. Reltio Information Security enforces these policies and procedures throughout the Reltio organization. Reltio Security Operating Procedures cover:

  • Information Security
  • Acceptable Use
  • System Access
  • Asset Management
  • Physical Security
  • Password Control
  • Anti-Virus and Anti-Malware
  • Remote and Wireless Access
  • Data Security
  • Business Continuity & Disaster Recovery
  • Penetration Testing
  • Security Risk Assessment
  • Vendor Security Standard
  • Disciplinary Process
  • Security Configuration Management
  • Application Development Standards
  • Security Incident Management
  • On-Boarding and Termination
  • Training

Reltio updates our policies & procedures annually and as needed.

Please reach out to request a copy of these compliance reports.


Request more information about our security controls and compliance reports.