Security is a key focus area for our organization and product engineering. Rest assured your data is managed by a security-minded organization to the highest security and privacy standards. We use industry-standard encryption standards to enable the security and privacy of your data in every phase of our operations.
Compliance And Security
Relationships are built on trust, and you expect the same for your business. As your Data Residency and Protection partner, we hold ourselves to the highest standards in the industry. That’s why we’re constantly improving our solutions by staying ahead of the latest trends, building security into every layer of offerings, and adapting to the latest compliance standards.
Compliance
Compliance is within our DNA. We are constantly working to ensure our solutions meet the latest compliance & regulatory standards worldwide. We undergo external audits and reviews to ensure our services are ready for market changes which could disrupt your business.
SOC 1 Type II
The report is an internal controls report specifically intended to meet the needs of the InCountry customers’ management and their auditors, as they evaluate the effect of the InCountry controls on their own internal controls for financial reporting. The InCountry SOC 1 report examination was performed in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 and the International Standard on Assurance Engagements (ISAE) No. 3402, therefore it can be used by our customers and their auditors both the US and abroad. These reports are issued by independent third party auditors periodically. Request Report
SOC 2 Type II
InCountry has obtained a SOC 2 Type II (Service Organization Controls) report based on the AICPA Trust Service Principles (TSP) and Criteria and covers the security, availability, and confidentiality TSPs as they relate to a Cloud Service Provider (CSP). Request Report
SOC 3
A SOC 3 (Service Organization Controls) report is an abbreviated version of a SOC 2 report and is appropriate for users who want assurance about the Cloud Service Provider’s (CSP) controls but do not require a full SOC 2 report. A SOC 3 report may only be issued if the CSP has an unqualified audit. Download
GxP
Good Clinical Practices, Good Laboratory Practices, and Good Manufacturing Practices (“GxP”) Compliance on the InCountry platform enables a secure and highly available data distribution and localization, aligned the requirements of life science organizations for validated and controlled workloads. Customers will benefit from improved user experience, reduced cost, and improved security. Request Report
PCI DSS
The Payment Card Industry-Data Security Standard (PCI-DSS) is an industry level information security standard regarding the secure handling of credit card information.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) provides U.S. federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs).
152-FZ
InCountry complies with Russia’s Federal Law No. 152 and meets industry standards as well as satisfying the requirements under the law “On Personal Data”. Opinion on Compliance (English) Заключение о соответствии (Russian)
CSA
The Security Trust Assurance and Risk (STAR) Level 2 Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix criteria. Download
ISO 27001
ISO/IEC 27001:2013 is a risk-based set of information security requirements that require an organization to have a well-structured Information Security Management System (ISMS). Maintenance of the system requires annual audits by external auditors, ongoing risk assessments, and continuous improvement of the system. Download
ISO 27017
ISO/IEC 27017:2015 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards. This code of practice provides additional information security controls implementation guidance specific to cloud service providers. Download
ISO 27018
ISO/IEC 27018:2019 is a code of practice that focuses on the protection of personal data in the cloud. It is based on ISO/IEC information security standard 27002 and provides implementation guidance on ISO/IEC 27002 controls applicable to public cloud Personally Identifiable Information (PII). Download
ISO 27701
The design goal of ISO 27701 is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals. Download
Security
Product security
Our processes, standards, policies, and tools help keep security integral to our product design, architecture, implementation, and operation. Security is extremely important to us. Thorough code reviews and vulnerabilities testing is a core part of our product delivery.
Cybersecurity
Preventative controls and measures guard data from security breaches with threat detection and continuous monitoring and response.
Security Development Lifecycle
All products follow a defined SDLC program which requires at a minimum detailed threat modeling, manual and automated code reviews, vulnerability scans, developer training, privacy reviews, penetration testing and image and server hardening. By keeping a measurable and consistent secure development lifecycle (SDLC), we’re able to improve trustworthiness and product resilience. The tools and processes we keep adding promote a culture of security and privacy awareness.
Encryption
We protect your data with industry standard encryption methods including AES-256 for data at rest and TLS1.3 for data in transit.
Privacy
We respect and protect the rights of individuals, particularly data protection and privacy during the processing and use of information. We are committed to protecting the privacy of our customers’ data and preventing it from unauthorized access. Our privacy policy and data processing agreements help us act out our values in all our output, including technology products and marketing content, and abide to all related laws, worldwide.
InCountry IS NOT
InCountry IS
Social media posts
Text messages
Instant messages
Personal photographs
Phone logs
Profile data
Finance data
Payment data
Health data
Employee data
Privacy by Design
InCountry does not access or sell customer data. Your data is yours.
Our Ethical Stand
Our mission is to help companies expand their business into new countries by addressing data residency and protection challenges. We do so by addressing data residency requirements with local regulations and securely and privately localizing regulated data, such as Payment Card Information (PCI), Protected Health Information (PHI), Personally Identifiable Information (PII). InCountry does not collect or store any information beyond what is required to operate the service. We do not handle or store social media posts, text messages, instant messages, personal photographs or phone logs. InCountry is committed to conducting business with the highest degree of ethical values and has dedicated resources for maintaining compliance with regulatory and legal requirements.
The European Union (EU) passed the GDPR to give individuals more control over their personal data. GDPR imposes more rules about processing PII and comes with powerful enforcement. We invest significant strategic resources in maintaining compliance with the GDPR and we also aim to help our customers comply with the processes and policies outlined.
InCountry’s privacy policy describes what data InCountry collects, how we use and protect this data, retention periods for customer data and customer rights regarding use of their data. Our policies enable us to comply with related privacy and data protection laws. It defines requirements for processing and accessing personal data, and establishes clear responsibilities and organizational structures. This means that your data is safe with us.
InCountry employees are regularly trained and tested for a high level of data privacy awareness. Internal teams regularly test the effectiveness of privacy and security controls to confirm we continue to maintain the appropriate level of protection of data.
Guidelines for Law Enforcement
To protect customers’ rights and data privacy, we only provide customer information to law enforcement agencies or government entities after the customer has been notified and all legal processes and procedures have been followed as prescribed by law, unless we are explicitly prohibited from doing so by law.
For prompt processing law enforcement requests for customer information should be sent by email to:
If your agency or entity must submit requests via mail or in person, our address is:
2443 Fillmore Street, Suite #380-16895
San Francisco, CA 94123