Compliance certifications

Last updated on November 8th, 2018

Supporting your compliance needs

At Envoy, we understand the impact that compliance requirements have on your business. That’s why we’re committed to providing features that may assist you with your compliance strategies, in addition to enhancing our own body of certifications.*

We have customers from a variety of highly regulated industries—like OnRamp (data center), AMAG (pharmaceutical) and Planet Labs (government), just to name a few. They all trust Envoy to help them meet high security standards and obtain certifications.

EU General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a set of regulations designed to harmonize data privacy laws across Europe and strengthen privacy regulations for citizens of the European Union. In addition to all organizations within the EU, GDPR also applies to organizations in other countries who offer goods or services to EU citizens.

Is Envoy GDPR Compliant?

Yes, Envoy services comply with the GDPR. According to the regulation, there are different roles for companies based on how a company interacts with user data. Envoy is considered a data processor because we process personal data on behalf of our customers, who are considered data controllers.

As a data processor we have prepared for GDPR by:

  • Updating our privacy policy to clearly surface how we process customers’ data
  • Confirming the vendors we use also adhere to GDPR
  • Developing an internal process that allows our customers to request the anonymization of their data
  • Publishing a Data Processing Addendum that helps our customers comply with GDPR contractual obligations

To enter into Envoy’s Data Processing Addendum (DPA), please contact [email protected] to receive a copy for review and signature.

How Envoy Visitors can help support your GDPR compliance efforts

Because Envoy customers collect personal data for their own company’s use, they are considered data controllers. Using Envoy Visitors can help support your GDPR compliance efforts in the following ways:

  • Keep visitor data private by having visitors sign in on an iPad, not an exposed logbook
  • Allow visitors to opt out of providing their personal information
  • Create a custom privacy policy document in Envoy and let guests view it directly on the iPad
  • Request the anonymization of your visitor data when deemed necessary

If you have questions about Envoy’s GDPR compliance, please contact [email protected].

Service Organization Controls (SOC)

Service Organization Controls (SOC) are regulations established by the American Institute of Certified Public Accountants (AICPA). SOC-certified service organizations undergo regular audits of the controls over information technology and related processes, policies and procedures, including operational activities.

SOC 2 specifically focuses on data security compliance around five trust service principles: security, availability, processing integrity, confidentiality and privacy.

Is Envoy SOC compliant?

In short, yes! As the only visitor management system to meet SOC 2 standards, Envoy can give you the confidence to enhance your workplace security while continuing to provide an incredibly smooth, effortless experience for guests arriving at your front door.

We currently have a SOC 2, Type 2 report. This report describes our systems and whether their design is suitable to meet relevant trust principles. Here’s what that means for you:

  • Our SOC 2, Type 2 report validates that our security controls are appropriately designed to effectively mitigate risk. So you can feel confident in our team’s ability to maintain the security of your information.
  • You’ll know that security is at the forefront of our company priorities, with verifiable processes and controls throughout our day-to-day work—like always using 2-factor authentication, encrypting data, logging administrator actions, tracking access grants using verified policies, and following repeatable processes for a consistent secure customer experience.
  • It’s now easier than ever to verify our security practices and make sure they measure up to your company’s needs. Upon request we will share our SOC 2, Type 2 report with you so you can see for yourself.
  • Part of SOC 2, Type 2 is the agreement to have ongoing audits of our security practices. So you’ll know that we are always up to date and keeping security in mind.

If you require a copy of our SOC 2, Type 2 report or have any questions, please contact [email protected].

How Envoy Visitors can help with your SOC 2 compliance

SOC 2 reports describe how a specific organization’s systems are designed to meet the SOC trust principles. Although each SOC 2 report is unique, Envoy Visitors has features that may help customers meet and maintain SOC 2 compliance, depending on their needs.

  • Verify visitor identity (photo capture, ID check, pre-registration) and deny access to those who are not permitted
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Create badges that identify visitors and display their level of authorization

International Traffic in Arms Regulations (ITAR)

Export and temporary import of defense articles and services are controlled by the International Traffic in Arms Regulations (ITAR). The United States government requires manufacturers, exporters and brokers of defense articles, defense services or related technical data to be ITAR compliant.

How Envoy Visitors can help with your ITAR compliance

Envoy Visitors can help organizations meet ITAR’s regulations around verifying citizenship and visitor access.

  • Verify visitor identity (photo capture, ID check, pre-registration) and deny access to those who are not permitted
  • Create unique sign-in flows based on country of origin or citizenship
  • Require the visitor to choose their country of origin or citizenship, with the option to display their response on the visitor badge
  • Require an escort (host), with the option to display the escort name on the visitor badge
  • Customize badge layout based on authorization levels

FDA Food Safety Modernization Act (FSMA)

The Food Safety Modernization Act (FSMA) was enacted in 2011 to ensure food safety in the United States. FSMA aims to shift the focus toward preventing intentional adulteration of the food supply rather than responding to contamination. As such, its requirements cover the mitigation of threats that make food production facilities vulnerable.

How Envoy Visitors can help with your FSMA compliance

Unauthorized visitors make food production facilities vulnerable to contamination, and Envoy Visitors can help organizations ensure that everyone who enters the facility is authorized and accounted for.

  • Verify visitor identity (photo capture, ID check, pre-registration) and deny access to those who are not permitted
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Require a valid purpose of visit and escort (host) upon sign-in
  • Require visitors to sign legal documents or good manufacturing practices agreements
  • Create badges that identify visitors and display their level of authorization

Payment Card Industry Data Security Standard (PCI DSS)

The PCI Security Standards Council was founded by American Express, Discover, JCB International, MasterCard and Visa Inc. to ensure the safety of cardholder data. PCI compliance audits many components of an organization’s policies and procedures, including physical and data security.

How Envoy Visitors can help with your PCI DSS compliance

Envoy Visitors can help any organization, including data centers that host service provider or merchant data, meet the requirements of the PCI Self-Assessment Questionnaire, sections 9.1-9.4 (Restrict physical access to cardholder data).

  • Verify visitor identity (photo capture, ID check, pre-registration) and deny access to those who are not permitted
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Customize sign-in flow to include visitor name, firm represented and employee authorizing physical access (host)
  • Create badges that clearly distinguish visitors from employees and show an expiration date
  • Badges can be worn on the visitor’s person
  • Badges can be handed back and either filed or destroyed upon sign-out

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act requires companies that offer consumers financial products and services—like loans, insurance, and financial or investment advice—to explain their information-sharing practices to their customers and to safeguard sensitive data.

How Envoy Visitors can help with your GLBA compliance

GLBA requirements are designed to be flexible, so different organizations can implement safeguards appropriate to their own needs. Although each GLBA information security plan is unique, Envoy Visitors has features that help our customers meet and maintain compliance around physical security and access control.

  • Verify visitor identity (photo capture, ID check, pre-registration) and deny access to those who are not permitted
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Create badges that identify visitors and display their level of authorization

Customs-Trade Partnership Against Terrorism (C-TPAT)

The Customs-Trade Partnership Against Terrorism (C-TPAT) is led by U.S. Customs and Border Protection. This voluntary public-private sector partnership impacts importers, carriers, consolidators, licensed customs brokers, and manufacturers who choose to protect the supply chain, identify security gaps, and implement specific security measures and best practices.

How Envoy Visitors can help with your C-TPAT compliance

Compliant organizations must meet the C-TPAT Minimum Security Criteria and Guidelines for their specified type of business. The following Envoy Visitors features help organizations meet the required regulations for visitor management.

  • Verify visitor identity (photo capture, ID check, pre-registration) and deny access to those who are not permitted
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Create badges that identify visitors and display their level of authorization
  • Badges can be worn on the visitor’s person
  • Require an escort (host), with the option to display the escort name on the visitor badge

Federal Information Security Modernization Act (FISMA)

The Federal Information Security Modernization Act (FISMA) is United States legislation created to protect government information, operations and assets. It requires that all federal agencies develop and maintain information system security plans. State agencies and private sector companies may also be affected depending on involvement in federally funded initiatives.

How Envoy Visitors can help with your FISMA compliance

FISMA requirements are designed to be flexible in order to fit the mission, needs and environment of the organization. Although each FISMA plan is unique, Envoy Visitors has features that help our customers meet and maintain compliance around physical security and access control.

  • Verify visitor identity (photo capture, ID check, pre-registration) and deny access to those who are not permitted
  • Maintain visitor logs, forming a repository of sign-ins and sign-outs
  • Create badges that identify visitors and display their level of authorization
  • Badges can be worn on the visitor’s person
  • Require an escort (host), with the option to display the escort name on the visitor badge

* The Envoy solutions may be used to assist customers with compliance matters in certain circumstances, but the use and configuration of the solutions and compliance with the rest of the corresponding requirements are solely the responsibility of each customer. Envoy disclaims any and all responsibility and liability for compliance with any laws, rules, regulations and standards.