Security and compliance
Data security

- Ensures data does not leave a country
- Securely delivers data directly to browsers and apps within a country
- Declarative controls enforced and logged

- Fully hardened servers
- Isolated serverless functions
- Business intelligence aggregation functions that do not reveal underlying data

- RBAC – Role Based Access Control – Fully integrates with source applications such as Salesforce or Identity Providers to record what the user can access
- ABAC – Attribute Based Access Control – JWT attributes map to what records the user can access
- PBAC – Policy Based Access Control – Policies that combine countries, times of day, and other logic to compute access decisions
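Added example, not InCountry's code: a deny-by-default access check that layers the three models above (role from the IdP-issued token, a JWT country attribute that maps to records, and a policy on country and time of day) and records every decision. It assumes the JWT has already been verified and decoded into a dict, that records carry a `country` field, and a hypothetical `Policy` type; all names and sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Policy:
    required_role: str            # RBAC: role carried in the IdP-issued JWT
    allowed_countries: frozenset  # PBAC: countries the policy permits at all
    hour_window: tuple            # PBAC: (start, end) UTC hours, end exclusive; may wrap midnight

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

AUDIT_LOG = []  # every decision is appended here: the control is enforced and logged

def in_window(hour: int, window: tuple) -> bool:
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end  # window wraps past midnight, e.g. (22, 6)

def evaluate(claims: dict, record: dict, policy: Policy, now: datetime) -> Decision:
    """Deny by default: every check must pass; a missing attribute never grants access."""
    country = record.get("country")
    if country is None:
        d = Decision(False, "record_without_country")
    elif policy.required_role not in set(claims.get("roles", ())):
        d = Decision(False, "rbac_role")
    elif country not in set(claims.get("countries", ())):
        d = Decision(False, "abac_country_attribute")  # JWT attribute -> visible records
    elif country not in policy.allowed_countries:
        d = Decision(False, "pbac_country")
    elif not in_window(now.astimezone(timezone.utc).hour, policy.hour_window):
        d = Decision(False, "pbac_time_of_day")
    else:
        d = Decision(True, "allow")
    AUDIT_LOG.append({"sub": claims.get("sub"), "record": record.get("id"),
                      "country": country, "allowed": d.allowed,
                      "reason": d.reason, "at": now.isoformat()})
    return d

if __name__ == "__main__":
    # Constructed sample: claims as decoded from an already-verified JWT.
    claims = {"sub": "user-1", "roles": ["analyst"], "countries": ["DE"]}
    policy = Policy("analyst", frozenset({"DE", "FR"}), (8, 18))
    when = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    print(evaluate(claims, {"id": "r1", "country": "DE"}, policy, when))
    print(evaluate(claims, {"id": "r2", "country": "FR"}, policy, when))
```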

- Each field can have full encryption, searchable encryption, hashes, deterministic hashes
- Bring Your Own Key fully supported across countries
Operational and applications security

- All user activity is logged
- Data governance metadata such as provenance stored with data
- Validation that data does not leave a country

- Detailed threat modeling and penetration testing
- Manual and automated architecture and code reviews
- Security and privacy by design principles integrated into SDLC

- Infrastructure monitored 24×7
- Threat detection and continuous monitoring and response
- 24×7 on-call SIRT team
- Ongoing internal pen testing
- Monthly system scans and patching
Compliance

The SOC 1 report is an internal controls report specifically intended to meet the needs of InCountry customers’ management and their auditors as they evaluate the effect of InCountry controls on their own internal controls for financial reporting. The InCountry SOC 1 report examination was performed in accordance with the Statement on Standards for Attestation Engagements (SSAE) No. 16 and the International Standard on Assurance Engagements (ISAE) No. 3402, so it can be used by our customers and their auditors both in the US and abroad. These reports are issued periodically by independent third-party auditors.

InCountry has obtained a SOC 2 Type II (Service Organization Controls) report based on the AICPA Trust Service Principles (TSP) and Criteria, which covers the security, availability, and confidentiality TSPs as they relate to a Cloud Service Provider (CSP).

A SOC 3 (Service Organization Controls) report is an abbreviated version of a SOC 2 report and is appropriate for users who want assurance about the Cloud Service Provider’s (CSP) controls but do not require a full SOC 2 report. A SOC 3 report may only be issued if the CSP has an unqualified audit.

Good Clinical Practices, Good Laboratory Practices, and Good Manufacturing Practices (“GxP”) compliance on the InCountry platform enables secure and highly available data distribution and localization, aligned with the requirements of life science organizations for validated and controlled workloads. Customers will benefit from improved user experience, reduced cost, and improved security.

The Payment Card Industry Data Security Standard (PCI-DSS) is an industry-level information security standard regarding the secure handling of credit card information.

The Health Insurance Portability and Accountability Act (HIPAA) provides U.S. federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs).

InCountry complies with Federal Law No. 152 “On Personal Data” and meets industry standards; the InCountry platform satisfies the requirements of that law.
Opinion on Compliance (English)
Opinion on Compliance (Russian: “Заключение о соответствии”)

The Security Trust Assurance and Risk (STAR) Level 2 Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix criteria.

ISO/IEC 27001:2013 is a risk-based set of information security requirements that require an organization to have a well-structured Information Security Management System (ISMS). Maintenance of the system requires annual audits by external auditors, ongoing risk assessments, and continuous improvement of the system.

ISO/IEC 27017:2015 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards. This code of practice provides additional information security controls implementation guidance specific to cloud service providers.

ISO/IEC 27018:2019 is a code of practice that focuses on the protection of personal data in the cloud. It is based on the ISO/IEC 27002 information security standard and provides implementation guidance on the ISO/IEC 27002 controls applicable to the protection of Personally Identifiable Information (PII) in public clouds.

The design goal of ISO 27701 is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.
In partnership with Alibaba Cloud

Standard Contractual Clauses for cross-border transfer of personal information (China SCCs) are one of three mechanisms specified in China’s Personal Information Protection Law (PIPL) for transferring personal information outside of China.

The China Personal Information Protection Law (PIPL) is China’s new data privacy law, aimed at protecting personal information and addressing personal data leakage issues.

The Data Security Law of the People’s Republic of China (DSL) establishes a framework for classifying data collected and stored in China based on its potential impact on Chinese national security, and regulates its storage and transfer based on the classification level of the data.

The China Cyber Security Law (CSL) provides cybersecurity requirements for protecting Chinese cyberspace. The law safeguards the legal interests and rights of both organizations and individuals in China.

Privacy
Privacy by Design
InCountry does not access or sell customer data. Your data is yours.
Our Ethical Stand
Our mission is to help companies expand their business into new countries by addressing data residency and protection challenges. We do so by meeting data residency requirements under local regulations and by securely and privately localizing regulated data, such as Payment Card Information (PCI), Protected Health Information (PHI), and Personally Identifiable Information (PII). InCountry does not collect or store any information beyond what is required to operate the service. We do not handle or store social media posts, text messages, instant messages, personal photographs, or phone logs. InCountry is committed to conducting business with the highest degree of ethical values and has dedicated resources for maintaining compliance with regulatory and legal requirements.
Guidelines for Law Enforcement
For prompt processing, law enforcement requests for customer information should be sent by email to:
If your agency or entity must submit requests via mail or in person, our address is:
2443 Fillmore Street, Suite #380-16895
San Francisco, CA 94123