Certifications

The Cloud Computing Compliance Criteria Catalogue, also referred to as C5:2020, was developed by the German Federal Office for Information Security (BSI) as a way to assess the information security of cloud services. It builds on internationally recognized security standards such as ISO/IEC 27001 to set a consistent audit baseline that helps establish a framework of trust between cloud providers and their customers.
Google previously received an attestation for the BSI’s Cloud Computing Compliance Controls Catalog (“C5”). The BSI revised the guidance as C5:2020 in 2020. C5:2020 expands the scope of C5 and addresses new requirements, including a section on product safety and security.

C5:2020 is based on established standards, including ISO/IEC 27001, the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), the AICPA Trust Services Principles and Criteria, the BSI IT-Grundschutz Catalogue, and others. However, C5:2020 adds transparency controls that provide information on data location, provision of services, place of jurisdiction, existing certifications, and information disclosure obligations towards government agencies. This emphasis on transparency helps potential cloud customers decide whether a cloud service satisfies their legal requirements (such as data protection), their company policies, or their need to address the threat of industrial espionage.
NSPECT.IO uses Google for its marketplace and other operations, and Google has achieved an attestation against the C5:2020 requirements. Current and potential customers can use the C5:2020 attestation as verification of compliance and as part of their assessment for using Google Cloud services.

C5:2020

In 2016, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) created the Cloud Computing Compliance Criteria Catalogue (C5) as an auditing standard. It is intended for cloud service providers (CSPs), their auditors, and customers of the CSPs. C5 established a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with government. C5 is also being increasingly adopted by the private sector.

The California Consumer Privacy Act (CCPA) is a data privacy law that provides California consumers with a number of privacy protections, including the right to access, delete, and opt out of the “sale” of their personal information. Starting January 1, 2020, businesses that collect California residents’ personal information and meet certain thresholds (e.g., revenue, volume of data processing) need to comply with these obligations. The California Privacy Rights Act (CPRA) is a data privacy law that amends and expands upon the CCPA. The law takes effect on January 1, 2023.
Google is committed to helping its customers meet their obligations under these data regulations by offering convenient tools and building robust privacy and security protections into its services and contracts. You can find more information about your responsibilities as a business under the CCPA on the California Office of the Attorney General’s website. NSPECT.IO uses Google for its marketplace operations, and Google commits to the CCPA.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. Officially called AB-375, the act was introduced by Ed Chau, member of the California State Assembly, and State Senator Robert Hertzberg.

The Cloud Security Alliance is a non-profit organization whose mission is to “promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
The CSA’s Security, Trust & Assurance Registry Program (CSA STAR) is designed to help customers assess and select a Cloud Service Provider through a three-step program of self-assessment, third-party audit, and continuous monitoring.
NSPECT.IO uses Google for its marketplace and other operations, and Google has achieved the third-party assessment-based certification (CSA STAR Level 2: Attestation) for Google Cloud Platform (GCP) and Google Workspace, resulting in a CSA STAR SOC 2+ report.
Google is also a CSA sponsor and a member of CSA’s International Standardization Council (ISC), and a founding member of the CSA GDPR Center of Excellence.

Cloud Security Alliance(CSA)

Cloud Security Alliance (CSA) is a not-for-profit organization with the mission to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.”

The U.S. Federal Government established the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. All Federal agency cloud deployments and service models, other than certain on-premises private clouds, must meet FedRAMP requirements at the appropriate risk impact level (Low, Moderate, or High).
NSPECT.IO uses Google Cloud Platform for its marketplace and other operations. Google’s FedRAMP status is posted on the government’s website: FedRAMP Marketplace.

FedRAMP

FedRAMP stands for the “Federal Risk and Authorization Management Program.” It standardizes security assessment and authorization for cloud products and services used by U.S. federal agencies.
The goal is to make sure federal data is consistently protected at a high level in the cloud.

The General Data Protection Regulation (GDPR) is privacy legislation that on May 25, 2018 replaced Directive 95/46/EC on Data Protection of 24 October 1995. GDPR lays out specific requirements for businesses and organizations that are established in Europe or that serve users in Europe. It:
• Regulates how businesses can collect, use, and store personal data
• Builds upon current documentation and reporting requirements to increase accountability
• Authorizes fines on businesses who fail to meet its requirements

NSPECT.IO uses Google Cloud Platform and Wix for its marketplace and other operations.
Google Cloud prioritizes and improves the security and privacy of customer personal data, and supports GDPR compliance efforts by:
1. Committing in our contracts to comply with the GDPR in relation to our processing of customer personal data in all Google Cloud Platform and Google Workspace services
2. Offering additional security features that may help you to better protect the personal data that is most sensitive
3. Giving you the documentation and resources to assist you in your privacy assessment of our services
4. Continuing to evolve our capabilities as the regulatory landscape changes

Wix.com is 100% committed to data protection

Customer trust is Wix's absolute top priority. 
Wix has worked with a team of experts and has implemented the required adjustments to its products, services, and documentation to ensure compliance with the GDPR. This gives Wix more control over personal data and the tools necessary to protect the information of visitors to Wix sites.
Wix is dedicated to data protection and has effectively reinforced this over the past 10 years.

Wix deploys and maintains a range of technical and organizational security measures to protect its customers’ data and assets. The Wix security team leads the facilitation and development of the procedures, processes and controls that govern the security and integrity of Wix and its users.

GDPR

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR's primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that establishes data privacy and security requirements for organizations that are charged with safeguarding individuals' protected health information (PHI). These organizations meet the definition of “covered entities” or “business associates” under HIPAA.
Customers that are subject to HIPAA and want to utilize any Google Cloud products in connection with PHI must review and accept Google's Business Associate Agreement (BAA). Google ensures that the Google products covered under the BAA meet the requirements under HIPAA and align with our ISO/IEC 27001, 27017, and 27018 certifications and SOC 2 report.
NSPECT.IO uses Google Cloud Platform for its marketplace and other operations. The Google Cloud Platform BAA covers GCP’s entire infrastructure.

HIPAA

For a healthcare business to remain compliant with the guidelines and requirements set forth by the Health Insurance Portability and Accountability Act (HIPAA), it must safeguard its patients’ and clients’ personal information. An integral policy of the U.S. Department of Health and Human Services (HHS), HIPAA is a federal law that protects sensitive health information from being disclosed without the patient’s consent or knowledge.

IRAP, the Information Security Registered Assessors Program, provides a framework for assessing the implementation and effectiveness of an organization’s security controls against the Australian government’s security requirements, as outlined in the Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF). IRAP was created by the Australian Cyber Security Centre (ACSC), which is part of the Australian Signals Directorate (ASD).
Previously, IRAP certification meant an organization would be listed on the ASD's Certified Cloud Services List (CCSL). In July 2020, the ACSC deprecated the CCSL and concurrently released the Cloud Security Guidance package. This guidance provides organizations, cloud service providers (CSPs), and IRAP assessors with a framework for performing a comprehensive assessment of CSPs in order to make a risk-informed decision about their suitability to handle an organization’s data.
NSPECT.IO uses Google for its marketplace and other operations. An independent third-party assessor evaluated Google Cloud Platform and Google Workspace against OFFICIAL and PROTECTED ISM controls, and found both to be strongly aligned with PROTECTED level control requirements. These requirements include guidelines for cyber security roles, detecting and managing cyber security incidents, physical and personnel security, system hardening, networking, and cryptography. The evaluation was performed based on the ACSC’s updated IRAP framework, outlined in the Cloud Security Guidance package.
IRAP certification not only provides a path for our customers to work with the Australian government, it also opens the door for Australian federal, state, and local government agencies to store data and run workloads on GCP and Google Workspace.
IRAP reports may be requested via the Compliance Reports Manager. Potential customers can reach out to sales for more information.

IRAP (Information Security Registered Assessors Program)

The Australian Signals Directorate is supporting higher standards for security assessments and training through the enhanced Infosec Registered Assessor Program (IRAP).

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and then revised in 2013. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), the aim of which is to help organizations make the information assets they hold more secure. A European update of the standard was published in 2017. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a recent large-scale study.
NSPECT.IO's customer payment platform runs on Wix, which has been audited and certified as ISO 27001 compliant. The ISO 27001 certification outlines industry best practices for managing security risks.

ISO/IEC 27001

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family.

The International Organization for Standardization (ISO) is an independent, non-governmental organization with an international membership of 163 national standards bodies.
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
• Additional implementation guidance for relevant controls specified in ISO/IEC 27002
• Additional controls with implementation guidance that specifically relate to cloud services
This standard provides controls and implementation guidance for both cloud service providers, such as Google, and their cloud service customers.
ISO/IEC 27017 provides cloud-based guidance on 37 ISO/IEC 27002 controls, along with seven new cloud controls that address:
• Who is responsible for what between the cloud service provider and the cloud customer
• The removal/return of assets when a contract is terminated
• Protection and separation of the customer’s virtual environment
• Virtual machine configuration
• Administrative operations and procedures associated with the cloud environment
• Customer monitoring of activity within the cloud
• Virtual and cloud network environment alignment
NSPECT.IO uses Google for its marketplace and other operations; Google Cloud Platform, Google Workspace, Chrome, and Apigee are certified as ISO/IEC 27017 compliant.

ISO/IEC 27017

ISO/IEC 27017 is a security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems. It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is part of the ISO/IEC 27000 family of standards, which provides best practice recommendations on information security management.

ISO/IEC 27018 relates to one of the most critical components of cloud privacy: the protection of personally identifiable information (PII). This standard addresses security controls for public-cloud service providers that process PII in two ways:
• Builds upon existing ISO/IEC 27002 controls by adding specific items for cloud privacy
• Provides entirely new security controls for personal data
NSPECT.IO uses Google for its marketplace and other operations; Google Cloud Platform, Google Workspace, Chrome, and Apigee are certified as ISO/IEC 27018 compliant.

ISO/IEC 27018 is a security standard that is part of the ISO/IEC 27000 family of standards. It was the first international standard on privacy in cloud computing services, and it was promoted by the industry. It was created in 2014 as an addendum to ISO/IEC 27001 and was the first international code of practice for cloud privacy. It helps cloud service providers who process personally identifiable information (PII) to assess risk and implement controls for protecting PII.[1] It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.

NSPECT.IO uses Wix for its marketplace; Wix has been audited and certified as ISO 27018 compliant. The ISO 27018 certification outlines industry best practices for handling personally identifiable information (PII) in a public cloud computing environment.

ISO/IEC 27018

ISO/IEC 27018:2019 is a code of practice that focuses on protection of personal data in the cloud. It is based on ISO/IEC information security standard 27002 and provides implementation guidance on ISO/IEC 27002 controls applicable to public cloud Personally Identifiable Information (PII). It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO/IEC 27002 control set.

ISO/IEC 27701 is a global privacy standard that focuses on the collection and processing of personally identifiable information (PII). This standard was developed to help organizations comply with international privacy frameworks and laws, and it focuses on three main points:
• Extends the requirements of ISO/IEC 27001 and ISO/IEC 27002 to include data privacy
• Provides a framework for implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS)
• Includes requirements and guidance for organizations acting as PII controllers and PII processors
NSPECT.IO uses Google for its marketplace operations, and Google has received an accredited ISO/IEC 27701 certification as a PII processor after undergoing an audit by an independent third party.

ISO/IEC 27701

ISO/IEC 27701:2019 (formerly known as ISO/IEC 27552 during the drafting period) is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS).[1] The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

NSPECT.IO uses Wix to interact with its customers and to complete any payment operations required to purchase its services. Wix is Payment Card Industry Data Security Standard (PCI DSS) compliant and is accredited as a Level 1 service provider and merchant.

The PCI DSS is an information security standard for organizations or companies that accept credit card payments. This standard helps to create a secure environment by increasing the controls around cardholder data, thus reducing credit card fraud.

PCI DSS