Security

Obsessive data security. Because you expect nothing less.

We're obsessed with the security of your data. Strong encryption of your data, both in transit and at rest, is what you can expect from our services.

You also expect to be in compliance with government regulations, that your data is safe no matter which storage location you choose, and that your vendors follow the strictest security policies for their own data.

We’ve been meeting expectations since 2001. That’s why more than 50,000 businesses trust us with their data. Our customers include 7 of the world’s 10 largest technology companies and government agencies held to the highest standard of information privacy.

A Code42 guiding principle

Security is a guiding principle here at Code42. Utilizing industry standards and verification by independent auditors, we take a comprehensive approach to secure our products and solutions. As a Code42 customer, here’s what you can expect:

  • Code42 maintains end-to-end control of cloud stack software, server, storage, network, monitoring and security components
  • Rigorous quality testing of platform and product code that follows industry security best practices
  • Data encrypted in transit and at rest
  • Decryption of file contents happens only through the Code42 application, never by a human being
  • Strong authentication protocols ensure only authorized customer access
  • Ongoing vulnerability tests by professional third-party and internal teams
  • Full-time monitoring of the Code42 cloud environment with a dedicated response team
  • Comprehensive security awareness training program for all Code42 personnel

Code42 maintains compliance certifications and attestations on our product and infrastructure to validate our robust security program. Additionally, Code42 ensures and monitors appropriate security assurance obligations (SOC 1, SOC 2, ISO 27001) for its cloud data centers. Learn more about our compliance certifications and standards below.

*Other organizations, such as managed service providers and resellers, may provide cloud storage using Code42 cloud hardware and software. The information on this page may not apply to the cloud data centers managed by those organizations. Please contact those organizations for information about the features of their cloud solutions.

Privacy

Code42 is committed to privacy and the protection of our customers’ data.

Keeping your data secure and private is paramount to our success as a business. We follow global privacy principles to design practices and products that safeguard your data and enable your organization to meet its own privacy obligations.

Transparency

Code42 values trust. Whether you are a prospective or existing customer, it’s important to us that we’re clear about our data practices.

The data collected by Code42 through our products is customer data that is owned and controlled by the customer. Code42 will only process that data in order to provide our services as described in our agreements and product documentation. In addition, Code42 processes and controls other information about potential and existing customers, including account-related information. For more details on how Code42 processes this data, please review our Privacy Statement.

Code42 does not and will not sell our customers’ data.

To provide our services, Code42 may engage and use other companies to process certain customer data. Code42 has a mature vendor assessment process to ensure your data remains secure and protected. We validate that these subprocessors have the appropriate privacy and security safeguards and that they are contractually obligated to protect your data.

View our authorized subprocessors.

Protecting your data

You control your data. Code42 provides flexible configurations and the ability to specify which data Code42 collects to limit unwanted data storage.

Code42’s commitment to protecting customer data is built into our agreements. A Data Processing Addendum (“DPA”) is automatically incorporated into our Master Services Agreements. The DPA is based upon globally recognized privacy standards, including the GDPR and CCPA.

Code42 supports international data transfers by executing standard contractual clauses through our updated DPA, which is available to all customers and can be viewed here.

We use industry best security practices that are regularly verified by internal safeguards and external auditors. This includes end-to-end encryption of your files, customer-controlled access, controls to ensure file integrity, and deletion of your files after your subscription ends.

Privacy in our product

Access controls. Code42 provides a variety of role-based access and permissions controls within the product, which allow manual or automated (via an external Identity Provider) access delegation.

Audit logs. Code42 maintains both customer-facing and internal audit-logging to ensure proper monitoring of privileged accounts.

Data encryption. Code42 leverages independently tested industry best practices and protocols to ensure that all data is encrypted when in transit and at rest.

Retention and storage. Code42 allows you to control how and when preservation operations take place, which files to include in and exclude from preservation, the frequency of preservation, and how long file versions should be retained.

Breach investigation and response. With Code42, you have visibility into files and events that allows for quicker breach investigation and response. Our built-in reporting features can be utilized as part of your analysis and reporting in the event of a data breach.

Learn more about Code42 Incydr's privacy best practices in this white paper.

Frequently Asked Privacy Questions

Will Code42 enter into a Data Processing Addendum?

Code42 has a Data Processing Addendum (“DPA”) that sets out our obligations and commitments related to the processing of customer data. The DPA can be found here. Our DPA is incorporated into our Master Services Agreements (“MSA”), which means it automatically forms part of our customer agreement.

Does Code42’s DPA include GDPR or CCPA provisions?

Our current DPA includes applicable privacy provisions to assist customers with their GDPR and CCPA compliance. Customers who signed earlier versions of our DPA can sign our current DPA at any time. Please reach out to your account representative.

Does the GDPR require EU personal data to stay in the EU?

The GDPR does not require EU data to reside in the EU. It does require that certain regulatory and contractual conditions be met if personal data is transferred to a third country. Code42 provides the required contractual provisions in our DPA, which includes Standard Contractual Clauses as approved by the European Commission (“SCCs”) to lawfully transfer personal data outside the EU.

Does Brexit affect my service and data transfers with Code42?

As of January 1, 2020, the UK is a third country for GDPR purposes. However, the UK and EU reached an agreement that transmission of personal data from the EU to the UK will not be considered a transfer to a third country for an interim period of four months (and up to six months). Data can continue to be transferred between the EU and the UK without a specific data transfer mechanism during this period. If the UK does not receive an adequacy decision from the European Commission before the end of this period, data can continue to be transferred from the EU to the UK using the data transfer mechanism (SCCs) in Code42’s DPA.

Transfers of data from the UK to the EU are subject to the UK GDPR. The UK government has confirmed that such transfers are not restricted and can continue without the need for further transfer mechanisms to be put in place.

How does the Schrems II decision impact Code42 services?

Under the GDPR, companies that transfer personal data outside of the EU must have a legal basis to ensure the continued protection of such data. On July 16, 2020, the Court of Justice of the European Union (“CJEU”) invalidated the EU-US Privacy Shield framework, which means companies can no longer rely on the framework to transfer personal data from the EU to the US. The CJEU confirmed the validity of the European Commission’s SCCs as a legal mechanism for the transfer of EU personal data. Code42 customers can rely on the SCCs, which are incorporated into our DPA.

How does Code42 handle government requests for access to customer data?

At Code42, we are committed to maintaining customer privacy and confidentiality. Information about our policies and practices with respect to requests for customer data by law enforcement or government entities can be found here.

Does Code42 use sub-processors?

Code42 uses sub-processors in the performance of services that may require the transfer of customer data for purposes of hosting data, providing customer support, and ensuring the services are working properly. These sub-processors can include affiliates of Code42 as well as third-party organizations. As described in the DPA, Code42 takes responsibility for the actions of its sub-processors. Up-to-date information about our sub-processors can be found here.

Does Code42 comply with HIPAA?

Code42 has a Business Associate Agreement that we will enter into with any customer that has data regulated by the United States Health Insurance Portability and Accountability Act (“HIPAA”). For customers that have entered into contracts as a business associate with covered entities, Code42 also has a Subcontractor Business Associate Agreement. Learn more about Code42 and HIPAA compliance.

Compliance

It's built in.

Compliance simplified

Whether you’re protecting the data of patients, cardholders, or employees, you expect it to be easy and cost effective to comply with ever-changing requirements.

Compliance regulations abound across industries and geographies. Our platform helps you comply with regulations governing where and how your data is stored, who can access it, and who can decrypt it. Here is a guide on how Code42 Incydr™ prevents data leaks while also meeting compliance.

All our deployment options provide:

  • Centralized policy management
  • Enterprise-wide administration with complete visibility of data and users
  • Tamper-proof audit trails
  • Compliance with data export laws
  • Data access strictly via strongly authenticated customer credentials
  • Permanent data deletion after your subscription ends
  • Single-click Compliance Settings to automatically restrict data access based on your regulations

Endpoint protection is a key component of most security and privacy regulations. Code42 helps customers meet their applicable compliance and risk management requirements, including:

DFARS: Defense Federal Acquisition Regulation Supplement
HIPAA: Health Insurance Portability and Accountability Act
FISMA: Federal Information Security Management Act
ITAR: International Traffic in Arms Regulation
GLBA: Gramm-Leach-Bliley Act
FERPA: Family Educational Rights and Privacy Act
GDPR: General Data Protection Regulation
CCPA: California Consumer Privacy Act
CMMC: Cybersecurity Maturity Model Certification

Certifications, Attestations and Standards

SOC Reporting: Service Organization Control Reporting
ISO/IEC 27001: Information Security Management System
NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
TRUSTe Privacy Verified Seal: Data collection and processing practices consistent with regulatory expectations
PCI DSS: Protecting Card Holder Data
FedRAMP: The Federal Risk and Authorization Management Program
CSA CAIQ: Cloud Security Alliance Consensus Assessments Initiative Questionnaire

Security, Trust and Compliance

We believe our customers should benefit from cloud solutions without compromising their data security, regulatory, or privacy requirements.