Shuttlerock is audited against the System and Organization Controls (SOC) 2 Type II compliance standard. If you would like to review a copy of the SOC 2 Type II audit report or ask any questions about our audit accreditation, please submit your request to email@example.com.
Why is SOC 2 important?
SOC 2 Type II accreditation provides our customers and partners with assurances that our information security standards meet the relevant Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality and privacy.
The audit process is conducted and renewed annually so our customers and partners can trust our commitment to maintaining the standards and controls that we implement within the organisation.
What does the SOC 2 Type II audit process involve?
The audit is conducted by an independent third-party firm that has examined and evaluated our organisational standards to determine if the compliance controls meet the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) TSC.
The SOC 2 report describes Shuttlerock’s organisational system and assesses the fairness of our description of the controls we implement. The audit firm’s opinion evaluates whether our organisational controls are designed appropriately and performed effectively during the audit period.
How we protect your data
All the data we store about you is accessible only by Shuttlerock team members who need access to help you meet your goals and to provide customer support. The data we store is backed up daily and can be recovered in the event of a system failure.
All connections to and from our systems are performed over SSL/TLS and are protected by 256-bit encryption. This means that all sensitive data transmitted over the internet is secure and safeguarded.
All sensitive data stored in our database is encrypted using the AES-256-GCM algorithm before being written to the database. All data is encrypted at rest.
Staying up and running
We know how frustrating system downtime can be. At Shuttlerock, our goal is to make sure you can access our systems as and when you need them.
Our commitment to this goal has guided us to develop an infrastructure environment that includes locating our servers in top-security Amazon data centres, which have been validated as providing Level 1 service under the Payment Card Industry (PCI) Data Security Standard (DSS), as well as being compliant with SOC 2 and ISO 27001 security practices.
To ensure redundancy, our servers are located in geographically diverse locations. We strive to remove any single point of failure to provide a robust, high-availability system.
Any scheduled maintenance or planned downtime is announced ahead of time on our status page at status.shuttlerock.com. Please subscribe to email updates at the status site to receive the latest information.
Protecting your billing information
Payment processing is performed by Stripe, which has been validated as providing Level 1 service under the Payment Card Industry (PCI) Data Security Standard (DSS). We do not (and will never) store your credit card information on our systems.
See the Stripe security documentation for more details.
We sanitize data submitted to us to keep our systems safe from attack. We use both internal and third-party services to monitor our systems around the clock, which alert operations staff instantly.
We operate under the principle of least privilege, restricting access unless necessary.
As part of our induction process, every member of the Shuttlerock team takes a security training course.
If you have a question about how we stay safe and secure here at Shuttlerock, please get in touch.