Certifications

A SOC 1 report documents a cloud service provider’s internal controls that may be relevant to a customer’s financial reporting. This report is particularly useful for organizations that audit financial statements.
SSAE 18 / ISAE 3402 Type II
The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) created the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) to keep pace with globally recognized international accounting standards.
SSAE 18 aligns closely with the International Standard on Assurance Engagements 3402 (ISAE 3402).
SSAE 18 and ISAE 3402 are used to generate a report by an objective third party attesting to a set of assertions made by an organization about its controls. The Service Organization Controls (SOC) framework is the method by which the control of financial information is measured.
NSPECT.IO uses Google Cloud Platform for marketplace and other operations; Google Cloud Platform undergoes regular third-party audits to certify individual products against this standard.

American Institute of Certified Public Accountants (AICPA SOC1)

A Service Organization Control 1 or SOC 1 report is documentation of the internal controls that are likely to be relevant to an audit of a customer's financial statements.

The SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The purpose of this report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

American Institute of Certified Public Accountants (AICPA SOC2)

Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality and privacy.

Like SOC 2, the SOC 3 report has been developed based on the Auditing Standards Board of the American Institute of Certified Public Accountants’ (AICPA) Trust Service Criteria (TSC). The SOC 3 is a public report of internal controls over security, availability, processing integrity, and confidentiality.
NSPECT.IO uses Google Cloud Platform for marketplace and other operations; Google Cloud Platform undergoes regular third-party audits to certify individual products against SSAE 18 / ISAE 3402 Type II. The SOC 3 reports for Google Cloud Platform and Google Workspace can be downloaded instantly.

American Institute of Certified Public Accountants (AICPA SOC3)

The SOC 3 is a public report of internal controls over security, availability, processing integrity, and confidentiality.

The California Consumer Privacy Act (CCPA) is a data privacy law that provides California consumers with a number of privacy protections, including the right to access, delete, and opt out of the “sale” of their personal information. Starting January 1, 2020, businesses that collect California residents’ personal information and meet certain thresholds (e.g., revenue, volume of data processing) must comply with these obligations. The California Privacy Rights Act (CPRA) is a data privacy law that amends and expands upon the CCPA. The law takes effect on January 1, 2023.
Google is committed to helping its customers meet their obligations under these data regulations by offering convenient tools and building robust privacy and security protections into its services and contracts. You can find more information about your responsibilities as a business under the CCPA on the California Office of the Attorney General’s website. NSPECT.IO uses Google for marketplace operations; Google commits to CCPA compliance.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, Governor of California, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. Officially called AB-375, the act was introduced by Ed Chau, member of the California State Assembly, and State Senator Robert Hertzberg.

The Cloud Computing Compliance Criteria Catalogue, also referred to as C5:2020, was developed by the German Federal Office for Information Security (BSI) as a way to assess the information security of cloud services. It leverages internationally recognized security standards like ISO/IEC 27001 to set a consistent audit baseline that helps establish a framework of trust between cloud providers and their customers.
Google previously received an attestation for the BSI’s Cloud Computing Compliance Controls Catalog (“C5”). The BSI revised the guidance as C5:2020 in 2020. C5:2020 expands the scope of C5 and addresses new requirements, including a section on product safety and security.

C5:2020 is based on established standards, including ISO/IEC 27001, the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), the AICPA Trust Services Principles and Criteria, the BSI IT-Grundschutz Catalogue, and others. However, C5:2020 adds transparency controls to provide information on data location, provision of services, place of jurisdiction, existing certifications, and information disclosure obligations towards government agencies. This emphasis on transparency helps potential cloud customers decide whether the cloud services satisfy their own compliance needs, such as legal requirements like data protection, company policies, or the ability to address the threat of industrial espionage.
NSPECT.IO uses Google for marketplace and other operations; Google has achieved an attestation against the C5:2020 requirements. Current and potential customers can use the C5:2020 attestation as verification of compliance and as part of their assessment for using Google Cloud services.

Cloud Computing Compliance Criteria Catalogue (C5:2020)

In 2016, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) created the Cloud Computing Compliance Criteria Catalogue (C5) as an auditing standard. It is intended for cloud service providers (CSPs), their auditors, and customers of the CSPs. C5 established a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with government. C5 is also being increasingly adopted by the private sector.

The Cloud Security Alliance is a non-profit organization whose mission is to “promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
The CSA’s Security, Trust & Assurance Registry Program (CSA STAR) is designed to help customers assess and select a Cloud Service Provider through a three-step program of self-assessment, third-party audit, and continuous monitoring.
NSPECT.IO uses Google for marketplace and other operations; Google has achieved the third-party assessment-based certification (CSA STAR Level 2: Attestation) for Google Cloud Platform (GCP) and Google Workspace, resulting in a CSA STAR SOC 2+ report.
Google is also a CSA sponsor and a member of CSA’s International Standardization Council (ISC), and a founding member of the CSA GDPR Center of Excellence.

Cloud Security Alliance (CSA)

Cloud Security Alliance (CSA) is a not-for-profit organization with the mission to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.”

The U.S. Federal Government established the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. All Federal agency cloud deployments and service models, other than certain on-premises private clouds, must meet FedRAMP requirements at the appropriate risk impact level (Low, Moderate, or High).
NSPECT.IO uses Google Cloud Platform for marketplace and other operations. Google’s FedRAMP status is posted on the government’s website, the FedRAMP Marketplace.

Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP stands for the “Federal Risk and Authorization Management Program.” It standardizes security assessment and authorization for cloud products and services used by U.S. federal agencies.
The goal is to make sure federal data is consistently protected at a high level in the cloud.

The General Data Protection Regulation (GDPR) is privacy legislation that, on May 25, 2018, replaced Directive 95/46/EC on Data Protection of 24 October 1995. GDPR lays out specific requirements for businesses and organizations that are established in Europe or that serve users in Europe. It:
• Regulates how businesses can collect, use, and store personal data
• Builds upon current documentation and reporting requirements to increase accountability
• Authorizes fines on businesses who fail to meet its requirements

NSPECT.IO uses Google Cloud Platform and Wix for marketplace and other operations.
Google Cloud prioritizes and continually improves the security and privacy of customer personal data, and supports GDPR compliance efforts by:
1. Committing in our contracts to comply with the GDPR in relation to our processing of customer personal data in all Google Cloud Platform and Google Workspace services
2. Offering additional security features that may help you to better protect the personal data that is most sensitive
3. Giving you the documentation and resources to assist you in your privacy assessment of our services
4. Continuing to evolve our capabilities as the regulatory landscape changes

Wix.com is 100% committed to data protection

Customer trust is Wix's absolute top priority.
Wix has worked with a team of experts and has implemented the required adjustments to products, services, and documentation to ensure compliance with the GDPR. This gives Wix more control over personal data and the tools necessary to protect the information of visitors to Wix sites.
Wix is dedicated to data protection and has effectively reinforced this over the past 10 years.

Wix deploys and maintains a range of technical and organizational security measures to protect its customers’ data and assets. Wix's security team leads the facilitation and development of the procedures, processes, and controls that govern the security and integrity of Wix and its users.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR's primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that establishes data privacy and security requirements for organizations that are charged with safeguarding individuals' protected health information (PHI). These organizations meet the definition of “covered entities” or “business associates” under HIPAA.
Customers that are subject to HIPAA and want to utilize any Google Cloud products in connection with PHI must review and accept Google's Business Associate Agreement (BAA). Google ensures that the Google products covered under the BAA meet the requirements under HIPAA and align with Google's ISO/IEC 27001, 27017, and 27018 certifications and SOC 2 report.
NSPECT.IO uses Google Cloud Platform for marketplace and other operations. The Google Cloud Platform BAA covers GCP’s entire infrastructure.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a regulation designed to make it easier for American employees to maintain their health insurance coverage when they change or lose their jobs. This regulation also encourages the use of electronic health records to improve the efficiency and quality of the US healthcare system through enhanced information sharing.
HIPAA includes provisions that increase the use of electronic medical records as well as ensure the security and confidentiality of protected health information (PHI). PHI includes comprehensive personal health information and health-related data, including insurance and billing information, diagnostic data, clinical care data, and laboratory results such as images and test results. HIPAA rules apply to covered organizations, including hospitals, medical service providers, employer-sponsored health plans, research facilities, and insurance companies that deal directly with patients and patient data. The HIPAA requirement that provides PHI protection also applies to partners.
The Health Information Technology for Economic and Clinical Health Act (HITECH) expanded HIPAA guidelines in 2009. Together, HIPAA and HITECH establish a set of federal standards to protect the security and privacy of PHI. These provisions are contained in what are known as the "Management Simplification" rules. HIPAA and HITECH impose requirements regarding the use and disclosure of PHI, appropriate safeguards to protect PHI, personal rights, and administrative responsibilities.
For more information on how health information is protected by HIPAA and HITECH, see the US Department of Health and Human Services' Health Information Privacy webpage.
What is HIPAA and what does it cover?
HIPAA is a federal law that protects certain medical information from unauthorized access. The law requires all healthcare providers, such as hospitals and doctor's offices, to keep health information safe and secure from unauthorized access.
HIPAA specifically requires healthcare providers to take steps to:
1) Protect the privacy of PHI (health information) by limiting access only to those who need it for treatment or care; and
2) Ensure the security of PHI by following appropriate procedures when an individual's health-related information is disclosed or accessible from outside the organization.
To comply with this law, you must have appropriate safeguards in place. You can encrypt your electronic data and prevent third parties from accessing patient information. Regulatory bodies such as the Federal Trade Commission (FTC) also look at compliance with HIPAA.
How to securely share patient information
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that protects patients' privacy and health records. HIPAA also gives businesses the ability to safely and securely share information with their customers.
If you're like most businesses, you don't know how to comply with HIPAA. In this post, we'll go over the basics of HIPAA compliance and explain some of the more common issues you may encounter.
As mentioned earlier, HIPAA is a law that protects your patients' private information. This means that if you have sensitive medical information on file, such as family members' health records, you must ensure that no one outside of your company can access this information without your express consent.
You will also need to consider how people outside of your company might use this information to join a particular healthcare plan or enjoy certain benefits.
How to protect your business data
Businesses must comply with HIPAA regulations to protect the privacy of their customers, employees, and the public. The law regulates how personal information is shared with third parties, who can access that information, and whether businesses are allowed to share it. Many states have laws that allow businesses that collect business data to use anonymized names and addresses instead of real names.
If your business wants to comply with HIPAA regulations without being absolutely sure that you will avoid legal liability, it is important to understand what HIPAA means for your business. Here are some basics:
A company (or organization) must verify that the customer is a "qualified individual" before releasing a customer's personal health information (PHI). Qualified individuals include minors, pregnant women, and people with "physical or mental disabilities."
Companies must also ensure that PHI is stored securely so that it cannot be accessed by unauthorized persons.
If a third party needs access to your company's PHI, you must agree in writing what rules apply (and why) for that person to gain access from your company.
How to comply with HIPAA regulations?
Before addressing HIPAA, you need to understand a few important things about HIPAA compliance. It is important to know the difference between covered entities and covered entities that do business with other covered entities. There is also a difference between "consumers" and "individuals", so it's important to know which is which.
There are three categories of businesses that must comply with HIPAA regulations: healthcare providers; health plans (businesses that sell insurance); and healthcare clearinghouses (healthcare providers).
While each category has its own rules, they all share the same goal: to protect the privacy of individuals and to allow them to share their personal information with trusted third parties when necessary.
Eligibility requirements for healthcare facilities
One of the most important things to know about HIPAA is that it gives you and your patients the right to protect their privacy. You will want to make sure you and your employees are complying with the law…
The Department of Health and Human Services (HHS) has established a set of regulations for healthcare facilities and healthcare organizations known as HIPAA. HHS has also released new guidance on HIPAA compliance for healthcare organizations, including information technology (IT) providers.
If you're a healthcare facility or organization, we'd like to help you stay compliant by providing an overview of how HHS defines a "covered organization" for HIPAA purposes, as well as some key aspects of the information privacy rule.
Compliance requirements for mental health services
Mental health services are often covered by government-sponsored insurance plans. Ultimately, mental health is one area where businesses can make money through HIPAA compliance.
The first thing you should know about HIPAA is that it is an act of Congress aimed at protecting consumer privacy and security.
Compliance requirements for research organizations
Sensitive health information for your patients is a popular topic among hospitals, doctors, and medical research organizations. HIPAA is the law that governs how you can share patient information. It's important to know what you need to do to comply with HIPAA regulations.
Whether you're sharing data for research or marketing purposes, it's important to clearly define what information is being shared. It is also important that you tell your patients with whom their data is shared and how this information will be used.
Your patients deserve to trust the way their information is processed so they can make informed decisions about their health needs.

Health Insurance Portability and Accountability Act (HIPAA)

For a healthcare business to remain compliant with the guidelines and requirements set forth by the Health Insurance Portability and Accountability Act (HIPAA), it must safeguard its patients’ and clients’ personal information. An integral policy of the U.S. Department of Health and Human Services (HHS), HIPAA is a federal law that protects sensitive health information from being disclosed without the patient’s consent or knowledge.

The International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 163 national standards bodies.
ISO/IEC 27701 is a global privacy standard that focuses on the collection and processing of personally identifiable information (PII). This standard was developed to help organizations comply with international privacy frameworks and laws, and focuses on three main factors:
Extends the requirements of ISO/IEC 27001 and ISO/IEC 27002 to include data privacy;
Provides a framework for implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS);
Includes requirements and guidance for organizations acting as PII controllers and PII processors.
NSPECT.IO uses Google for marketplace operations; Google has received an accredited ISO/IEC 27701 certification as a PII processor after undergoing an audit by an independent third party.

Information Security Management System (ISO/IEC 27701)

ISO/IEC 27701:2019 (formerly known as ISO/IEC 27552 during the drafting period) is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS).[1] The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.


ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and then revised in 2013. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. A European update of the standard was published in 2017. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a recent large-scale study.
NSPECT.IO's customer payment platform runs on Wix, which has been audited and certified as ISO 27001 compliant. The ISO 27001 certification outlines industry best practices for managing security risks.

Information Security Management System (ISO/IEC 27001)

ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family.

The International Organization for Standardization (ISO) is an independent, non-governmental organization with an international membership of 163 national standards bodies.
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
• Additional implementation guidance for relevant controls specified in ISO/IEC 27002
• Additional controls with implementation guidance that specifically relate to cloud services
This standard provides controls and implementation guidance for both cloud service providers like Google and their cloud service customers.
ISO/IEC 27017 provides cloud-based guidance on 37 ISO/IEC 27002 controls, along with seven new cloud controls that address:
• Who is responsible for what between the cloud service provider and the cloud customer
• The removal/return of assets when a contract is terminated
• Protection and separation of the customer’s virtual environment
• Virtual machine configuration
• Administrative operations and procedures associated with the cloud environment
• Customer monitoring of activity within the cloud
• Virtual and cloud network environment alignment
NSPECT.IO uses Google for marketplace and other operations; Google Cloud Platform, Google Workspace, Chrome, and Apigee are certified as ISO/IEC 27017 compliant.

Information Security Management System (ISO/IEC 27017)

ISO/IEC 27017 is a security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems. It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is part of the ISO/IEC 27000 family of standards, which provides best practice recommendations on information security management.