Many businesses now face mandates to maintain and demonstrate proper control and safeguards when handling electronic data. Industry-specific regulations that impose confidentiality, industry portability, and preservation of records force many organizations to implement processes to support data backup and recovery objectives.
To support customers, IDrive continues to maintain high compliance standards relating to data privacy, safekeeping and access.
Statement on Standards for Attestation Engagements (SSAE) 16 is an auditing standard for service organizations, superseding SAS 70, which IDrive previously maintained. IDrive has completed the necessary audits and can provide supporting documentation to demonstrate that it meets the standards defined by SSAE 16.
SSAE 16 reporting can help service organizations comply with several regulations, such as Sarbanes-Oxley (Section 404), by showing effective internal controls covering financial reporting. IDrive can also assist companies within the medical, accounting and legal professions to comply with regulatory standards including the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLBA), Securities and Exchange Commission (SEC), and Financial Industry Regulatory Authority (FINRA).
More information on how IDrive helps its customers comply with different regulatory standards can be found on IDrive's Compliance Page.
IDrive addresses data security and privacy concerns by employing a robust security model that includes encrypted data transmission and storage, restricted physical access, and password protection safeguards among its several layers of security measures used to protect customer data.
The EU-US Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. Its purpose is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. This framework replaced the old EU Safe Harbor Privacy Principles, under which IDrive was previously certified, after Safe Harbor was declared invalid by the European Court of Justice in October 2015. Learn more on how IDrive will assist with GDPR compliance.
Data is encrypted and securely transmitted to IDrive servers residing at world-class data centers. These data centers provide Service Organization Control (SOC) approved data protection services. All transmitted data is automatically verified each time a backup takes place.
Data files are encrypted on transfer and stored using AES 256-bit encryption. Data resides on RAID-protected, industry-leading NAS / SAN storage devices with multiple levels of redundancy and is available for online restores 24/7.
Encryption based on a private encryption key ensures data stored on IDrive servers cannot be decrypted by anybody other than you and your authorized personnel. Private encryption keys are never stored or escrowed on IDrive servers as is.
Data access is restricted by password and private key authentication. All access to the stored data is documented and time/date stamped. Detailed reporting gives regulators a clear idea of the chain of custody of the stored information, and rapid access, should it be required.
Physical access to the vaults and the data center housing IDrive servers is strictly controlled through administrative procedures, physical safeguards, and technical security measures to prevent unauthorized physical access to IDrive servers.
Account passwords are never stored or transmitted to IDrive in plain text.
While IDrive meets several technical safeguards for maintaining data security, full compliance with specific regulatory requirements is not guaranteed by simply implementing IDrive solutions. It is important that organizations consult with their legal counsel to ensure applicable compliance regulations are satisfied.