Compliance with Laws, Regulations and Standards

Published On: July 11th, 2023 | Categories: Data Privacy & Protection

SAI360 complies with all applicable laws of the countries where it operates. The key legislation applicable to SAI360, in addition to other obligations and applicable national/state laws, is as follows:

  • 201 CMR 17.00 (Massachusetts)
  • Australian Privacy Act 1988 (C’th)
  • California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
  • Colorado Privacy Act (CPA)
  • Data Protection Act 2018 (UK) and UK General Data Protection Regulation (UK GDPR)
  • General Data Protection Regulation (EU) 2016/679 (GDPR), i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council
  • Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), S.C. 2000, c. 5
  • Virginia Consumer Data Protection Act (VCDPA)

We monitor industry sources for changes to laws and regulations and follow proposed legislation to make sure our operations remain compliant. SAI360 subscribes to regulatory alerts, maintains memberships of relevant organizations and receives additional updates through seminars and briefings. This is a critical component of our Information Security and Data Protection program in order to identify and maintain applicable legal and regulatory requirements impacting our Information Security Management System (ISMS).

SAI360 subprocessor agreements are subject to all applicable laws and regulations.

Privacy at SAI360

SAI360’s privacy policy is informed by industry standards and tailored to SAI360’s custom applications and operations environment. SAI360’s Privacy Information Management System (PIMS) is combined with the ISMS which is defined in the ISO 27001:2013 framework and certified to that standard. Roles and responsibilities are clearly defined within the system.

SAI360’s privacy policy can be publicly viewed at Privacy Policy – SAI360

Security Incident and Personal Data Breach Notifications

SAI360 will advise the customer within 3 business weekdays, or as otherwise agreed, upon becoming aware of any security event or incident which has impacted the confidentiality, integrity, or availability of the customer’s data. Such notification shall include the details of the information security incident, along with a description of the customer’s confidential information or personal data that may have been accessed, the effect of the information security incident on the customer’s confidential information or personal data, and the corrective action taken or to be taken by SAI360.

SAI360 shall promptly take all appropriate corrective actions and shall cooperate with the customer in all reasonable and lawful efforts to mitigate or rectify the information security incident, including, without limitation, cooperation in complying with applicable breach notification laws.

Internal and External Audits

An internal audit is executed using a staged plan throughout the year and prior to any external audits being performed. SAI360 is independently and externally audited against the following:

  • ISO 27001:2013 annually to maintain certification
  • SOC 1 Type 2 (AICPA SSAE 18 and AASB ISAE 3402 Standards)
  • SOC 2 Type 2 (AICPA SSAE 18 and AASB ISAE 3000 Standards)

For environments hosting personal health information (PHI) in the Americas, compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the HITECH breach notification requirements is audited and attested.

SAI360’s ISO 27001 certificate is available to customers here. SAI360 Information Security classifies SOC reports, and view-only access to any ISMS documentation, as confidential; SAI360 can therefore provide them at any time under a Non-Disclosure Agreement (NDA) or the confidentiality clause(s) of an existing customer agreement.

Law Enforcement and Government Requests for Data

SAI360 will only share customer data if it is required to be disclosed by operation of law, government regulation, or court order. If a law enforcement agency or government body sends SAI360 a demand for customer data, SAI360 will attempt to redirect the law enforcement agency to request that data directly from the customer. As part of this effort, SAI360 may provide the customer’s basic contact information to the requesting law enforcement agency. If compelled to disclose customer data to a law enforcement agency or government body, then SAI360 will give the customer reasonable notice of the demand to allow the customer to seek a protective order or other appropriate remedy, unless SAI360 is legally prohibited from doing so.

Cyber Insurance

SAI360 holds commercial general liability, automobile liability, workers’ compensation, cybersecurity, crime, employment practices, and umbrella coverages in varying amounts at the levels expected of a global organization. We can provide additional details, including evidence of coverages, by request.

Securing Our People

As information security and data protection are everyone’s responsibility, SAI360 arms its personnel (employees, contractors, and sub-contractors) with appropriate resources and training in order to perform their job responsibilities with security and data protection in mind. Below are control areas implemented and managed by Human Resources (HR), Legal Counsel, and Information Security, ensuring that SAI360 personnel are held accountable and comply with all applicable policies.
