Security and Compliance

Keeping your organization’s data private and secure is extremely important to us. That’s why we are committed to end-to-end security and privacy compliance throughout our operations and architecture.

Security Features and Benefits

Reform is built on a robust cloud security infrastructure and adheres to industry best practices and standards. When you send your organization’s data to us, you can rest assured that your data, and your customers’ data, is protected. We’re compliant with and regularly audited against multiple regulations and standards, including SOC 2, ISO 27001, the E.U. General Data Protection Regulation (GDPR), and the Data Privacy Framework (DPF). All of this trickles down to you – no matter how much data you send to us, it’s always protected.

Security Planning & Operations

Reform maintains an Information Security and Privacy program with a dedicated budget and staff that covers the entire scope of its operations. The security program ensures that:

  • An information security strategy, including goals and objectives, is adhered to and updated on a regular basis.
  • All security documentation, including policies and procedures, is kept up to date.
  • Regular risk assessments are conducted, and results inform the security controls that we implement.
  • Reform team members go through security awareness training on a regular basis.
  • Regular checks and measurements are made to gauge and improve performance.

Infrastructure Security

Reform is built within the Digital Ocean Cloud, and inherits security capabilities and services that increase privacy and security. These benefits are passed on to our customers. The Digital Ocean infrastructure provides:

  • A robust security and compliance program that spans multiple domains, each with its own set of requirements and best practices.
  • Network and web application firewall capabilities used to tightly control access to our networks, servers and applications.
  • High levels of availability and resilience.

Encryption

To prevent unauthorized access to data, Reform uses encryption for data in transit and at rest. 

Monitoring & Access Logs

Reform maintains deep visibility into all transactions performed on its system. Every event is fully logged, capturing the who, what, where and when of the transaction. Our monitoring program ensures that:

  • Our administrators are automatically alerted when suspicious activities occur.
  • All logs are aggregated and monitored for trends in real time.
  • All logs are organized to support compliance reporting and investigations when necessary.
  • Logs are manually reviewed on a recurring basis to spot anomalies.
  • All system activity is correlated against the latest threat intelligence data to pinpoint potential system reconnaissance or attacks.

Accounts and Access Control

Reform maintains strong account management and access control procedures for our staff as well as for users on our platform. To ensure access remains secure:

  • We require strong passwords for all users on the system.
  • From the administration console, we provide subscribers with the ability to restrict data access to only those who need it. 
  • Privileged and development accounts are strictly managed.
  • We require our employees to use Multi-Factor Authentication (MFA).

Secure Development Practices

To ensure the highest quality of performance and security within the Reform application, we adhere to the following development and operations practices:

  • All code changes and application updates are tracked and reviewed for quality and security.
  • Development, testing, staging and production are maintained as separate environments.
  • Software libraries and subcomponents are fully vetted before use, thereby ensuring code-level reliability and security.
  • Testing and deployment of application features are done through automated Continuous Integration and Continuous Delivery (CI/CD) pipelines.

Vulnerability Management

To protect the Reform system and data from breaches as a result of software and system vulnerabilities, we conduct:

  • Vulnerability scanning for system and software vulnerabilities.
  • Remediation and patching of vulnerabilities based on severity.

Disaster and Data Recovery

To protect the Reform system and data, and ensure quick recovery in the event of an outage or incident:

  • The platform is configured with automatic self-healing, failover, rollback, backup and scaling capabilities.
  • We regularly test our internal processes by holding simulated Business Continuity Exercises.

Privacy

Reform ensures that the data it collects and retains is kept private by maintaining:

  • Internal processes that govern removal and/or export of any subject’s personal data upon request.
  • Its company-wide Information Security and Privacy Program.
  • Strict incident response and data breach processes that ensure immediate response. These processes are tested regularly.
  • Full compliance with all applicable laws and regulations, including the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), Data Privacy Framework (DPF), and others. For more information on legal compliance, please see our Compliance and Certifications section detailed below.
  • Ability to anonymize visitors’ IP addresses by removing the last octet of their IP address before storing event data.
  • Ability to enable non-consent mode, whereby website visitors who have not given consent will not be associated with personal data.
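The two privacy controls in the last two list items, last-octet IP truncation and non-consent mode, as an added Python example. This is illustrative code, not Reform’s own implementation: the event field names, the set of fields treated as personal data, and the IPv6 handling (the page mentions only IPv4 octets) are assumptions made here.

```python
import ipaddress
from typing import Any

# Assumption: which event fields count as personal data for non-consent mode.
PERSONAL_FIELDS = {"visitor_id", "email", "user_agent"}

# Constructed sample event; the field names are an assumption, not Reform's schema.
SAMPLE_EVENT = {
    "form_id": "f_123",
    "event": "form_view",
    "timestamp": "2024-05-01T12:00:00Z",
    "ip": "203.0.113.47",
    "visitor_id": "v_abc",
    "email": "visitor@example.com",
    "user_agent": "Mozilla/5.0 (constructed)",
}


def anonymize_ip(ip_str: str) -> str:
    """Return the address with its host-identifying tail zeroed.

    IPv4: zero the last octet, as described on the page (203.0.113.47 -> 203.0.113.0).
    IPv6: keep only the /48 prefix (assumption; the page does not say how IPv6 is handled).
    Raises ValueError for an unparsable address so an un-anonymized string is
    never stored by accident.
    """
    addr = ipaddress.ip_address(ip_str.strip())  # ValueError if not an IP
    prefix_len = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return str(network.network_address)


def prepare_event(event: dict[str, Any], consent: bool) -> dict[str, Any]:
    """Build the record that would be stored for an event.

    The IP is always anonymized before storage. When the visitor has not given
    consent (non-consent mode), every field in PERSONAL_FIELDS is dropped so the
    stored event cannot be associated with a person. The input dict is not mutated.
    """
    stored = dict(event)
    if "ip" in stored:
        stored["ip"] = anonymize_ip(stored["ip"])
    if not consent:
        for field in PERSONAL_FIELDS:
            stored.pop(field, None)
    return stored


if __name__ == "__main__":
    print(prepare_event(SAMPLE_EVENT, consent=True))
    print(prepare_event(SAMPLE_EVENT, consent=False))
```

Anonymizing before the write, rather than on read, is what makes the control meaningful: the full address never reaches storage, so it cannot leak through backups or log exports. The IPv6 branch is wider than one octet because the lower 64 bits of an IPv6 address typically identify a single host; keeping only the /48 is one common choice and is an assumption here.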

Compliance and Certifications

In order to maintain the highest levels of trust in our security and privacy policies, procedures and implementation, Reform conducts internal and external audits on a regular basis to ensure continuous compliance with multiple legal, regulatory and contractual obligations, as well as industry standards.

ISO 27001

Since 2024, Reform has operated an active, ISO 27001-certified Information Security Management System (ISMS) for its operations. We follow the specified security management best practices and security controls, and maintain a rigorous information security program. ISO 27001 is a widely recognized international security standard which specifies that we:

  • Systematically evaluate our information security risks, evaluating the potential impact of threats and vulnerabilities.
  • Maintain a comprehensive suite of information security controls and other forms of risk management.
  • Operate an overarching management process to ensure that our information security controls are effective.

Reform’s ISO 27001 auditor and registrar is Sensiba. A certificate of registration is available upon request.


SOC 2

Reform meets the criteria for security in the American Institute of Certified Public Accountants (AICPA) TSP Section 100A, Trust Services Principles and Criteria. We complete SOC 2 Type II audits on an annual basis. A copy of Reform’s most recent SOC 2 report can be provided upon request.

Privacy Acts and Regulations

Reform implements and honors all aspects of the California Consumer Privacy Act (CCPA) and E.U. General Data Protection Regulation (GDPR), which protect consumers’ data privacy rights in the following ways:

  • Privacy rights for individuals:
    • the right to know what personal information is being collected and whether that information is sold, transferred or disclosed and to whom
    • the right to request a copy of any stored personal data
    • the right to opt-out of the sale of personal information
    • the right to access or delete personal information collected by Reform
    • the right to equal Reform services and prices, regardless of privacy choices
  • Responsibility to implement appropriate security: organizations must implement appropriate security controls and policies, including the completion of privacy impact assessments, records of data processed and held, and strict management of vendors.
  • Data breach response and notification: data breaches must be reported to data protection authorities, customers, and under certain circumstances, affected data subjects.

Requests related to privacy rights should be emailed to security@reform.app.

Data Processing Addendum (DPA)

This addendum includes all required terms for GDPR compliance, plus Standard Contractual Clauses which serve as a safeguard to govern transfers of personal data out of the EU/EEA/Switzerland.

Sign Data Processing Addendum for Data Processors (via HelloSign)

Sign Data Processing Addendum for Data Controllers (via HelloSign)

Data Privacy Framework

Reform is a member of the EU-U.S. and Swiss-U.S. Data Privacy Frameworks. These frameworks were designed by the U.S. Department of Commerce, the European Commission and Swiss Administration to provide organizations on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union (EU) and Switzerland to the U.S. in support of transatlantic commerce.

Our current Data Privacy Framework status can be found on the Data Privacy Framework website.

Contact the Security Team

Want more information about Reform’s privacy and security? Contact our team at security@reform.app.