Last Updated: August 9, 2021
EARNUP TRUST POLICY
Our Approach to Compliance
At EarnUp, we take compliance seriously. We understand our customers’ needs when it comes to compliance and information security, as well as the serious ramifications of non-compliance. We have diligently built processes to make our services compliant with the standards which may govern your business.
Please contact our compliance team (via email: [email protected]) for access to our documentation package which includes our systems description. This documentation package is available under NDA.
Compliance Certifications
Soc2 Compliance:
- AWS System and Organization Controls (SOC) Report is an independent third-party examination report that demonstrates how EarnUp achieves key compliance controls and objectives. The purpose of this report is to help you and your auditors understand the EarnUp controls established to support operations and compliance.
- SOC 2 Type II Third-Party Attestation is available.
Policies & Procedures
Here’s a list of some of the many policies and procedures we’ve put in place to meet compliance standards:
- Information Security Policy
- Acceptable Use Policy
- Code of Conduct
- Background checks for all employees
- Endpoint encryption for all company owned/issued devices
- Release Management Procedure
- Change Management Procedure
- Release Notes
- Access Provisioning, Termination, and User Access Review Procedure
- Incident Response Plan
- Business Continuity and Disaster Recovery Plan
- Penetration Testing Program
- Breach Notification Policy
- Cloud Security Alliance CAIQ
Security
At EarnUp the security and privacy of customer data is our #1 priority.
Our Sub Service Providers
On an annual basis, EarnUp performs a review of our most critical sub-service providers. In the event these reviews have material findings that we determine presents risks to EarnUp or our customers, we’ll work with the sub-service provider to understand any potential impact to customer data and track their remediation efforts until the issue is resolved.
Security Incidents & Reports
If you see something, say something. If you need to submit a potential security incident to EarnUp, please provide a summary report to the EarnUp Security Team as an attachment to [email protected]. The Information Security team will evaluate the report and arrange to discuss specifics.
Encryption
Customer Data is stored behind a firewall and authenticated against the sender’s session every time a request for that data is made. We enforce the use of industry best practice for the transmission of data to our platform (Transport Layer Security TLS) and Customer Data is stored in a SOC 1 Type II, SOC 2 Type I, and ISO 27001 certified data centers. Customer Data is stored and encrypted at rest using AES 256-bit encryption.
Audit Trails
The non-editable audit trail ensures that every action on your data is thoroughly tracked and time stamped, to provide clear proof of access.
Infrastructure Security
EarnUp uses Amazon Web Services (AWS) as its Infrastructure as a Service (IaaS) provider with Amazon data centers hosting our data within the U.S. We utilize AWS features like AWS WAF, AWS Macie, GuardDuty, Virtual Private Cloud (VPC), Security Groups, disk level encryption, etc., to ensure the confidentiality of our customer data in the cloud.
Security Team
EarnUp has a formal information security program in place which includes Security, Compliance and Privacy.
Employee Security
At EarnUp employees undergo comprehensive background checks and undergo annual security awareness training.
Privacy
At EarnUp we’re committed to protecting your personal information. Our privacy policy clearly describes how we handle and protect your information. On an annual basis our independent third-party auditors test our security and confidentiality related controls and provide their reports and opinions which we can provide to you upon request once available (subject to NDA). To report an issue relating to privacy please email us at [email protected].
Data Deletion/Destruction
Upon request EarnUp will consider data deletion / expungement on a case-by-case basis in accordance with applicable law and regulation as well as business practices. To initiate a data deletion / data destruction event please contact our support team.
Version 2.0 date: 8/9/2021