Compliance

Envoy’s Compliance

EU and UK General Data Protection Regulations (GDPR)

The General Data Protection Regulation (“GDPR”) is a set of regulations, enacted in the European Union and the United Kingdom, designed to harmonize data privacy laws and strengthen privacy protections for EU and UK residents. In addition to all organizations within the EU and UK, the GDPR also applies to organizations in other countries who offer goods or services to residents of those regions.

Is Envoy GDPR Compliant?

Yes, Envoy services comply with the GDPR. According to the regulation, there are different roles for companies based on how a company interacts with user data. Envoy is considered a data processor because we process personal data on behalf of our customers, who are considered data controllers.

As a data processor we comply with the GDPR by:
  • Disclosing how we process personal data in our privacy policy
  • Confirming that the vendors we use also adhere to the GDPR
  • Anonymizing customer data upon their request
  • Entering data processing agreements with our customers and vendors that establish our respective rights and obligations regarding the use and protection of our customer’s data
Envoy’s Data Processing Addendum (“DPA”) is available here.

How does Envoy satisfy the requirement for importing EU and UK data into the US?

Envoy relies on the Court of Justice of the European Union Schrems II decision, which confirmed that Standard Contractual Clauses (SCCs) remain a valid mechanism for the transfer of data from the EU into the US. For transfers from the EU, Envoy utilizes the most recent SCCs released by the European Commission. For transfers from the UK, Envoy utilizes the UK International Data Transfer Addendum. Envoy’s DPA incorporates both mechanisms, and we leverage this DPA with customers that have EU and UK locations to ensure cross-border transfers of personal data comply with data protection laws.

California Consumer Privacy Act

The California Privacy Rights Act (“CPRA”) gives California residents additional control over personal information that businesses collect about them. For-profit businesses operating in California who are over a certain size, or who collect a significant volume of personal information, are required to comply with CPRA and its related regulations.

Is Envoy CPRA Compliant?

Yes! Much of the work Envoy put into complying with the GDPR also applies to the CPRA. We disclose how we use California residents’ data in our privacy policy, respond to residents’ requests to delete, or provide them with, their data, and sign written agreements with our customers and vendors that implement the rights and obligations required to comply with the CPRA.

California businesses who do not have locations in Europe or the UK may review our CPRA-specific agreement here: https://envoy.com/cpra-dpa/.

Service Organization Controls (SOC)

Service Organization Controls (“SOC”) are internal control reports created by the American Institute of Certified Public Accountants (AICPA). SOC-certified service organizations undergo regular audits involving the controls over information technology and related processes, policies and procedures, including operational activities.

SOC 2 specifically focuses on data security compliance around five trust service principles: security, availability, processing integrity, confidentiality, and privacy.

Does Envoy have a SOC 2 certification?

Yes! Envoy hires an independent auditor annually to review Envoy’s organizational controls. That auditor issues a report attesting that Envoy meets the particular SOC 2 criteria being evaluated. We currently have a SOC 2, Type 2 report. This report describes our systems and whether their design is suitable to meet relevant trust principles. Here’s what that means for you:
  • Our SOC 2, Type 2 report validates that our security controls are appropriately designed to effectively mitigate risk. So you can feel confident in our team’s ability to maintain the security of your information.
  • You’ll know that security is at the forefront of our company priorities, with verifiable processes and controls throughout our day-to-day work—like always using 2-factor authentication, encrypting data, logging administrator actions, tracking access grants using verified policies, and following repeatable processes for a consistent secure customer experience.
  • It’s now easier than ever to verify our security practices and make sure they measure up to your company’s needs. Upon request we will share our SOC 2, Type 2 report with you so you can see for yourself.
  • Part of SOC 2, Type 2 is the agreement to have ongoing audits of our security practices. So you’ll know that we are always up to date and keeping security in mind.
If you require a copy of our SOC 2, Type 2 report, please request to view our compliance documents.

Supporting your compliance needs

At Envoy, we take the security and privacy of your data seriously. Envoy adheres to GDPR, CPRA, and other privacy and security regulations. We also have policies and controls for you to manage security threats, keep your data safe and help you meet your compliance obligations.
Customers like LightEdge and Meggitt trust Envoy to help them meet high security standards and meet compliance requirements.

How Envoy helps you stay compliant (broadly)

Envoy enables your teams to collect important information required to meet some compliance regulations. Key features that help with this include:
  • Customize sign-in fields and requirements by visitor type
  • Confirm visitors’ consent to data collection
  • Anonymize visitor data
  • Verify visitors’ identities and deny access to those who are not permitted. This is available via:
    - ID scanning
    - Capturing photos at check-in
    - Screening against third party watch lists and custom block lists
  • Collect signatures for NDAs and any other legal documents
    -Leverage file sharing integrations for added security (Box, DocuSign, Dropbox)
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Create badges that identify visitors and display their level of authorization
  • Require a valid purpose of visit and escort (host) upon sign-in

General Data Protection Regulation (GDPR)

Using Envoy Visitors can help support your GDPR compliance efforts by:
  • Keeping visitor data private by having visitors sign in on an iPad, not an exposed logbook
  • Allowing visitors to opt-out of providing their personal information
  • Presenting guests with your own privacy policy directly in the Envoy on the iPad.
  • Requesting the anonymization of your visitor data when deemed necessary
  • Setting a desired data retention period, so that Envoy stores your Visitor data for a selected period of time
If you have questions about Envoy’s GDPR compliance, please contact dataprivacy@envoy.com.

Service Organization Controls (SOC 2)

SOC 2 reports describe how a specific organization’s systems are designed to meet the SOC trust principles. Although each SOC 2 report is unique, Envoy Visitors has features that may help customers design and maintain systems to meet SOC 2 principles, depending on their needs.
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Verify visitors’ identities (via ID scanning, photo capture, and watch and block list screening) and deny access to those who are not permitted
  • Create badges that identify visitors and display their level of authorization

International Traffic in Arms Regulations (ITAR)

Export and temporary import of defense articles and services are controlled by the International Traffic in Arms Regulations (ITAR). The United States government requires manufacturers, exporters and brokers of defense articles, defense services or related technical data to be ITAR compliant.

How Envoy Visitors can help with your ITAR compliance

Envoy Visitors can help organizations meet ITAR requirements around verifying citizenship and visitor access.
  • Verify visitor identity (photo capture, ID check, registration) and deny access to those who are not permitted
  • Create unique sign-in flows based on country of origin or citizenship
  • Require the visitor choose their country of origin or citizenship, with the option to display their response on the visitor badge
  • Require an escort (host), with option to display the escort name on the visitor badge Customize badge layout based on authorization levels

FDA Food Safety Modernization Act (FSMA)

The Food Safety Modernization Act (FSMA) was enacted in 2011 to ensure food safety in the United States. The FSMA aims to shift the focus toward preventing intentional adulteration of the food supply rather than responding to contamination. As such, requirements cover the mitigation of threats that make food production facilities vulnerable.

How Envoy Visitors can help with your FSMA compliance

Unauthorized visitors make food production facilities vulnerable to contamination, and Envoy Visitors can help organizations ensure that everyone who enters the facility is authorized and accounted for.
  • Verify visitor identity (photo capture, ID check, registration) and deny access to those who are not permitted
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Require a valid purpose of visit and escort (host) upon sign-in
  • Require visitors to sign legal document or good manufacturing
  • practicesCreate badges that identify visitors and display their level of authorization

Payment Card Industry Data Security Standard (PCI DSS)

The PCI Security Standards Council was founded by American Express, Discover, JCB International, MasterCard and Visa Inc. to ensure the safety of cardholder data. Complying with PCI standards involves many components of an organization’s policies and procedures, including physical and data security.

How Envoy Visitors can help with your PCI DSS compliance

Envoy Visitors can help any organization, including data centers that host service provider or merchant data, meet the requirements of the PCI Self-Assessment Questionnaire related to restricting physical access to cardholder data.
  • Verify visitor identity (photo capture, ID check, registration) and deny access to those who are not permitted
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Customize sign-in flow to include visitor name, firm represented and employee authorizing physical access (host)
  • Create badges that clearly identify visitors from employees and show an expiration date
  • Badges can be worn on the visitor’s person
  • Badges can be returned and either filed or destroyed upon sign-out

Gramm-Leach-Billey Act (GLBA)

The Gramm-Leach-Bliley Act requires companies that offer consumers financial products and services—like loans, insurance, and financial or investment advice—to explain their information-sharing practices to their customers and to safeguard sensitive data.

How Envoy Visitors can help with your GLBA compliance

GLBA requirements are designed to be flexible, so different organizations can implement safeguards appropriate to their own needs. Although each GLBA information security plan is unique, Envoy Visitors has features that help our customers meet and maintain compliance around physical security and access control.
  • Verify visitor identity (photo capture, ID check, registration) and deny access to those who are not permitted
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Create badges that identify visitors and display their level of authorization

Customs Trade Partnership Against Terrorism (CTPAT)

Customs Trade Partnership Against Terrorism (CTPAT) is a program led by the U.S. Customs and Border Protection. This voluntary public-private sector partnership impacts importers, carriers, consolidators, licensed customs brokers, and manufacturers who choose to protect the supply chain, identify security gaps, and implement specific security measures and best practices.

How Envoy Visitors can help with your CTPAT compliance

Compliant organizations must meet the CTPAT Minimum Security Criteria and Guidelines for their specified type of business. The following Envoy Visitors features help organizations meet the required regulations for visitor management.
  • Verify visitor identity (photo capture, ID check, registration) and deny access to those who are not permitted
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Create badges that identify visitors and display their level of authorization
  • Badges can be worn on the visitor’s person
  • Require an escort (host), with option to display the escort name on the visitor badges

Federal Information Security Modernization Act (FISMA)

The Federal Information Security Modernization Act (FISMA) is United States legislation created to protect government information, operations, and assets. It requires that all federal agencies develop and maintain information system security plans. State agencies and private sector companies may also be affected depending on involvement in federally-funded initiatives.

How Envoy Visitors can help with your FISMA compliance

FISMA requirements are designed to be flexible in order to fit the mission, needs, and environment of the organization. Although each FISMA plan is unique, Envoy Visitors has features that help our customers meet and maintain compliance around physical security and access control.
  • Verify visitor identity (photo capture, ID check, registration) and deny access to those who are not permitted
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Create badges that identify visitors and display their level of authorization
  • Badges can be worn on the visitor’s person
  • Require an escort (host), with option to display the escort name on the visitor badges
* The Envoy solutions may be used to assist customers with compliance matters in certain circumstances but the use and configuration of the solutions and the compliance with the rest of the corresponding requirements is solely the responsibility of each customer. Envoy disclaims any and all responsibility and liability for compliance with the any laws, rules, regulations and standards.
Last updated on February 1st, 2023
Demo
Contact