Security and compliance

We build security into every layer of our software and operations in order to deliver fully compliant solutions.

Data security

InCountry’s data vault is built from the ground up to securely store and process regulated data. Our data firewall ensures that data remains within a geographic boundary and only encrypted data or aggregate data can cross borders.
Data firewall
  • Ensures data does not leave a country
  • Securely delivers data directly to browsers and apps within a country
  • Declarative controls enforced and logged
  • Data loss prevention ensures data does not leave a country
Data vault
  • Fully hardened servers
  • Isolated serverless functions
  • Business intelligence aggregation functions that do not reveal underlying data
Authentication and authorization
  • The source application and identity provider continue to authenticate users and authorize all actions and data access within InCountry Vaults
  • The source application continues to provide Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC)
  • Data authorization is fine grained to the row and field level
Encryption and tokenization
  • Each field can be protected with full encryption, searchable encryption, a salted hash, or a deterministic hash
  • Bring Your Own Key fully supported across countries
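The practical difference between the per-field modes listed above is whether the vault can still answer an equality query on the protected value. The following added example (not InCountry's code or API; the key, field names and records are constructed for the demo) stores one field as a keyed deterministic hash, which can be indexed and searched, and another as a salted hash, which hides equality between rows and can only be verified one record at a time. A keyed HMAC is used instead of a bare SHA-256 so that low-entropy values such as e-mail addresses cannot be recovered by a dictionary attack on the tokens:

```python
import hashlib
import hmac
import secrets

# Added example, not InCountry's code or API. The key below is a constructed
# demo value; in a real deployment it would come from a KMS (Bring Your Own Key).
KEY = b"demo-key-replace-with-a-kms-managed-secret"


def deterministic_hash(key: bytes, value: str) -> str:
    """Keyed, deterministic token: same input -> same output, so the vault can
    index it and answer equality queries without ever seeing the plaintext."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def salted_hash(key: bytes, value: str) -> str:
    """Randomised token: a fresh 16-byte salt per record, so two records that
    hold the same value get different tokens. Not searchable, only verifiable."""
    salt = secrets.token_bytes(16)
    digest = hmac.new(key, salt + value.encode("utf-8"), hashlib.sha256).digest()
    return salt.hex() + ":" + digest.hex()


def verify_salted_hash(key: bytes, value: str, token: str) -> bool:
    """Check a candidate value against a salted token in constant time."""
    salt_hex, digest_hex = token.split(":", 1)
    expected = hmac.new(
        key, bytes.fromhex(salt_hex) + value.encode("utf-8"), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, digest_hex)


def store(vault: list, key: bytes, email: str, national_id: str, country: str) -> dict:
    """Write one record with a per-field protection choice (constructed schema):
    email -> deterministic, because the application needs lookup by e-mail;
    national_id -> salted, because it is only ever verified, never searched."""
    record = {
        "country": country,
        "email_token": deterministic_hash(key, email),
        "national_id_token": salted_hash(key, national_id),
    }
    vault.append(record)
    return record


def find_by_email(vault: list, key: bytes, email: str) -> list:
    """Equality search on a deterministic token: hash the query the same way
    and compare tokens. No plaintext is decrypted or exposed."""
    token = deterministic_hash(key, email)
    return [r for r in vault if r["email_token"] == token]


def find_by_national_id(vault: list, key: bytes, national_id: str) -> list:
    """A salted field has no usable index: the only option is a full scan with
    one verification per record. That cost is the price of hiding which rows
    share a value."""
    return [r for r in vault if verify_salted_hash(key, national_id, r["national_id_token"])]


if __name__ == "__main__":
    vault = []
    store(vault, KEY, "alice@example.com", "123-45-6789", "DE")
    store(vault, KEY, "bob@example.com", "123-45-6789", "DE")
    print(find_by_email(vault, KEY, "alice@example.com"))
    # Both records hold the same national_id, yet their stored tokens differ:
    print(vault[0]["national_id_token"] != vault[1]["national_id_token"])
```

Deterministic tokens still leak which rows share a value and how often each value occurs, so they belong only on fields that genuinely need equality search; everything else should use the randomised mode. Rotating the HMAC key requires re-tokenizing every deterministic field, which is why the key choice should be tied to the same key-management process as the encryption keys.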

Operational and applications security

Security is a key focus area for our organization and product engineering. InCountry is a security-minded organization with the highest security and privacy standards.
Auditable logging with provenance
  • All user activity is logged
  • Data governance metadata, such as provenance, is stored with the data
  • Validation that data does not leave a country
Software development lifecycle
  • Robust security and privacy by design principles integrated throughout the software development lifecycle.
  • Threat modeling and comprehensive penetration testing.
  • Architecture and code reviews, both manual and automated.
Infrastructure security
  • Continuous Infrastructure Monitoring (24×7)
  • Continuous threat detection, monitoring and response
  • On-Call Security Incident Response Team (SIRT) (24×7)
  • Regular Internal and External Penetration Testing
  • Regular scans, patching and updates

Compliance

Compliance is within our DNA. We are constantly working to ensure our solutions meet the latest compliance and regulatory standards worldwide. We undergo external audits and reviews to ensure our services keep pace with regulatory and market changes, so that your business is not disrupted.
SOC 1 Type II

Our internal controls report, conducted in accordance with industry standards (SSAE No. 16 and ISAE No. 3402), demonstrates the effectiveness of our controls relevant to our clients' financial reporting. It provides assurance to both our clients and their auditors regarding the security and reliability of our services.


SOC 2 Type II

InCountry has obtained a SOC 2 Type II (System and Organization Controls) report based on the AICPA Trust Services Criteria. The report covers the security, availability, and confidentiality criteria as they relate to a Cloud Service Provider (CSP).


SOC 3

A SOC 3 (System and Organization Controls) report is an abbreviated, general-use version of a SOC 2 report. It is appropriate for users who want assurance about the Cloud Service Provider's (CSP) controls but do not require the full SOC 2 report. A SOC 3 report may only be issued if the CSP has received an unqualified opinion from its auditor.


GxP

Good Clinical Practices, Good Laboratory Practices, and Good Manufacturing Practices ("GxP") compliance on the InCountry platform enables secure and highly available data distribution and localization, aligned with the requirements of life science organizations for validated and controlled workloads. Customers benefit from improved user experience, reduced cost, and improved security.


PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an industry-level information security standard for the secure handling of cardholder data.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) provides U.S. federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs).

152-FZ

InCountry complies with Russian Federal Law No. 152-FZ "On Personal Data" and meets the relevant industry standards; the InCountry platform satisfies the requirements of the law.


CSA

The Security Trust Assurance and Risk (STAR) Level 2 Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix criteria.


ISO 27001

ISO/IEC 27001:2022 is a risk-based set of information security requirements that requires an organization to operate a well-structured Information Security Management System (ISMS). Maintaining certification requires annual audits by external auditors, ongoing risk assessments, and continuous improvement of the system.


ISO 27017

ISO/IEC 27017:2015 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards. This code of practice provides additional information security controls implementation guidance specific to cloud service providers.


ISO 27018

ISO/IEC 27018:2019 is a code of practice that focuses on the protection of personal data in the cloud. It is based on ISO/IEC 27002 and provides implementation guidance for the ISO/IEC 27002 controls that apply to Personally Identifiable Information (PII) processed in public clouds.


ISO 27701

The design goal of ISO 27701 is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.


In partnership with Alibaba Cloud

SCC

Standard Contractual Clauses (China SCCs) for the cross-border transfer of personal information are one of three mechanisms specified in China's Personal Information Protection Law (PIPL) for transferring personal information outside of China.

PIPL

The China Personal Information Protection Law (PIPL) is China’s new data privacy law, aimed at protecting personal information and addressing personal data leakage issues.

DSL

The Data Security Law of the People's Republic of China (DSL) establishes a framework for classifying data collected and stored in China based on its potential impact on Chinese national security, and regulates the storage and transfer of that data according to its classification level.

CSL

The China Cyber Security Law (CSL) sets out cybersecurity requirements for protecting Chinese cyberspace. The law safeguards the legal interests and rights of both organizations and individuals in China.

MLPS 2.0

The MLPS 2.0 series standards including “GB/T 22239-2019 Information Security Technology–Baseline for Classified Protection of Cybersecurity”, “GB/T 25070-2019 Information Security Technology–Technical Requirements of Security Design for Classified Protection of Cybersecurity” and “GB/T 28448-2019 Information Security Technology–Evaluation Requirements for Classified Protection of Cybersecurity” apply to the supervision of the development, operation, maintenance and use of networks in China.

Coming soon

Privacy

We respect and protect the rights of individuals, particularly data protection and privacy during the processing and use of information. We are committed to protecting the privacy of our customers' data and preventing unauthorized access to it. Our privacy policy and data processing agreements help us act on our values in all our output, including technology products and marketing content, and abide by all related laws worldwide.
InCountry IS NOT a store for:
  • Social media posts
  • Text messages
  • Instant messages
  • Personal photographs
  • Phone logs
InCountry IS a store for:
  • Profile data
  • Finance data
  • Payment data
  • Health data
  • Employee data

Privacy by Design

InCountry does not access or sell customer data. Your data is yours.


Our Ethical Stance

Our mission is to help companies expand their business into new countries by addressing data residency and protection challenges. We do so by providing the tools and secure storage services needed to help companies meet the data protection requirements for regulated data, such as Payment Card Information (PCI), Protected Health Information (PHI), Personally Identifiable Information (PII), in the regulated countries in which they operate. InCountry does not collect or store any information beyond what is required to operate the service. We do not handle or store social media posts, text messages, instant messages, personal photographs, or phone logs. InCountry is committed to conducting business with the highest degree of ethical values and has dedicated resources for maintaining compliance with regulatory and legal requirements.

EU General Data Protection Regulation

The European Union (EU) passed the GDPR to give individuals more control over their personal data. GDPR imposes more rules about processing PII and comes with powerful enforcement. We invest significant strategic resources in maintaining compliance with the GDPR and we also aim to help our customers comply with the processes and policies outlined.

Data Protection and Privacy Agreements

InCountry's privacy policy describes what data InCountry collects, how we use and protect this data, retention periods for customer data, and customer rights regarding the use of their data. Our policies enable us to comply with related privacy and data protection laws: they define requirements for processing and accessing personal data, and establish clear responsibilities and organizational structures. This means that your data is safe with us.

Internal Data Protection

InCountry employees are regularly trained and tested for a high level of data privacy awareness. Internal teams regularly test the effectiveness of privacy and security controls to confirm we continue to maintain the appropriate level of protection of data.

Guidelines for Law Enforcement

To protect customers’ rights and data privacy, we only provide customer information to law enforcement agencies or government entities after the customer has been notified and all legal processes and procedures have been followed as prescribed by law, unless we are explicitly prohibited from doing so by law.

If your agency or entity must submit requests via mail or in person, our address is:

2443 Fillmore Street, Suite #380-16895
San Francisco, CA 94123