Data Security and Privacy
Service Organization Control Reports SOC 2 ®
Greatland highly values the security and confidentiality of our customers. To that end, Yearli online and Desktop W-2, 1099 and 1095 filing products have undergone a number of security assessments that have been tested and validated by third-party auditors. Specifically, these improvements were made to comply with the Service Organization Control Reports SOC 2 certification.
HIPAA & Greatland
While there is not a governing body that certifies that vendors are HIPAA compliant, Greatland has aligned with ISO 27002:2013. This set of standards maps to the HIPAA security rule. Additionally, Greatland enters into a Business Associate Addendum when using Greatland’s technology products.
A business associate includes a subcontractor that creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a covered individual – under the HIPAA regulations, service providers like Greatland are considered business associates. HIPAA guidelines typically require that covered entities and business associates enter into contracts to ensure that the business associates will appropriately safeguard PHI. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. Greatland refers to these contracts as Business Associate Agreement Addendums.
Greatland recognizes the great importance of ensuring the security of all information provided by our customers. Your security is our highest priority. Greatland takes all reasonable steps to safeguard any information our customers share with us. All sensitive data that is stored in databases is encrypted at the database level. All communication is encrypted when sent to the site.
We will permit only authorized parties trained in the proper handling of sensitive customer information to access that data. Access is on a need-to-know basis. Parties who violate our Security Policy are subject to disciplinary action including termination.
Physical Media Security
- Any printed confidential material is kept under lock and key or destroyed by a secure shredding service that is NAID (National Association for Information Destruction) Certified.
- All electronic or magnetic media is also kept under lock and key or destroyed by degaussing and pulverization. Access to all machines is restricted by password protection.
Electronic Security Measures
- Data is stored on secure servers behind firewalls.
- Network is monitored by an IPS solution that alerts IT to potential threats.
- All servers are protected with up-to-date anti-virus and all servers storing or processing sensitive data are protected by IPS.
- Systems are housed in a secure data center which is monitored around the clock by a camera that stores three months of footage.
- Monthly security scans are conducted to search for vulnerabilities.
- There is 24x7 live monitoring of potential threats.
Data Integrity and Availability
- Data is securely mirrored to a secure offsite Disaster Recovery site so that data can be recovered and service restored at an offsite location in the event of a disaster.
- Data center is protected by a fire suppression system.
- Databases are clustered for high availability in the event of hardware or software failure.
- Web servers are load balanced for high availability.