Vendor management and due diligence are best practices for all organizations, particularly financial firms and other highly regulated organizations. To assist customers with this process, we engage third-party auditors to conduct regular testing on our services, internal controls, and data centers. We make the resulting reports available to customers on request.

These reports can help your compliance, IT, security, and legal teams address:

  • Regulatory rules related to data preservation and supervision
  • Privacy laws and jurisdictional requirements
  • Legal requirements surrounding chain of custody, storage, and production of data
  • Security and risk assessment processes for data management

Service Organization Control (SOC) 2 Audit

SOC 2 audits test and report on the design and operating effectiveness of non-financial internal controls at cloud vendors. These audits are based on Trust Service Principles that cover policies, communications, procedures, and monitoring.

The Global Relay Archive service undergoes annual SOC 2 audits. The resulting SOC 2 report addresses the following Trust Service Principles:

  • Security: The system is protected against unauthorized access (both physical and logical).
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.

Service Organization Control (SOC) 2 Audits

Global Relay’s two mirrored data centers undergo SOC 2 Type 2 audits at least annually. The resulting SOC 2 reports address the following Trust Service Principles:

  • Security: The system is protected against unauthorized access (both physical and logical).
  • Availability: The system is available for operation and use as committed or agreed.

Independent Penetration Testing

KPMG completes periodic security penetration testing (“ethical hacking”) with respect to our key internet-facing systems and applications, and provides us with formal reports of the penetration test results. This testing simulates access attempts by unauthenticated individuals to identify, validate, and attempt to exploit vulnerabilities that might be used by attack agents (e.g., malicious persons on the internet and cybercriminal organizations).