The Celigo platform is built using best-of-breed technology frameworks and secure software development practices. Production and testing environments are completely segregated from each other, and customer data is never used in QA or developer testing.
Celigo has a designated Sr. Director of Security and Compliance and Data Protection Officer to lead the Security and Compliance Team and work with technical staff to support the implementation of the security requirements needed to operate at the levels of security and compliance that our management and our customers expect.
For more information:
- Incoming connections: TLS 1.2
- HTTPS client traffic: TLS 1.2
- Endpoint/FTP connections: HTTP and HTTPS, TLS 1.0 to TLS 1.3 (highest available version automatically selected)
Account owners and administrators completely control authorization per user and per application.
Keep track of activity on your account for up to a year. Monitor integration and flow changes over the course of the resource’s lifecycle.
Celigo handles all data at the highest level required for regulatory and voluntary compliance requirements, ensuring cloud security at multiple levels:
- California CCPA/CPRA – Ready
- Nevada Chapter 603-A – Covered by GDPR and CCPA; ready
- New York SHIELD Act – Covered by GDPR and CCPA; ready
- Virginia Consumer Data Protection Act (VCDPA) – Ready
- Texas Data Privacy and Security Act (TDPSA) – Ready
- SOC 2 Type 2 compliant
  - As a customer or a prospect, you may request a copy of the SOC 2 report under mutual NDA from compliance@celigo.com.
- HIPAA – HIPAA-ready, though not HIPAA-certified
  - HITECH – Not HITECH standard-certified, though qualified to support HITECH standard-certified companies (as a Business Associate to either a Covered Entity or another Business Associate) under the certified HITECH service providers' infrastructure
  - Status – The Celigo Security Team has completed implementation of infrastructure encryption, restricted access to ePHI data, trained select staff, and provided secure laptops with full-disk encryption
- FERPA-ready
- FedRAMP – Not certified, since Celigo is not directly U.S. government-facing, but we can support companies that are FedRAMP certified as part of the certified FedRAMP service providers' infrastructure
- US, EU, UK, and Swiss Data Privacy Framework certified
The error data retention period lasts for 30 or more days, based on your Celigo license. You can delete records if you choose to or if your customers exercise their Right to Delete.
Data is encrypted in motion and at rest, according to country-specific data protection and privacy guidelines:
- All data in motion inside the AWS VPC – encrypted with TLS 1.2 or better
- All data temporarily stored in AWS – encrypted with AES-256
- Stored credentials – protected with AES-256 encryption or PBKDF2 hashing
We support the highest level of TLS encryption the HTTPS API endpoint offers. For example, when NetSuite supports TLS 1.2, the Celigo connection to NetSuite is also encrypted with TLS 1.2. Because the negotiated version is bounded by what the endpoint supports, it is the customer's responsibility to ensure that each endpoint supports at least TLS 1.2. Otherwise, that particular segment of the data flow may not be considered securely encrypted, or encrypted at all in the case of a plain HTTP API. (Note that TLS 1.0 and 1.1 have been deprecated by the security community.)
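Since the negotiated TLS version is capped by what each endpoint offers, a customer can audit the endpoints their flows talk to before relying on them. The following script is an added example, not Celigo's code: it flags plain HTTP URLs as unencrypted and, for HTTPS URLs, attempts a handshake with a client context whose floor is TLS 1.2, so an endpoint that can only speak TLS 1.0/1.1 fails the check. The endpoint URLs are constructed placeholders.

```python
import socket
import ssl
from urllib.parse import urlparse

# Constructed placeholders standing in for the endpoints an integration flow uses.
SAMPLE_ENDPOINTS = [
    "https://example.invalid/rest/v1",     # constructed HTTPS endpoint
    "http://legacy.example.invalid/api",   # constructed plain-HTTP endpoint (never encrypted)
]

def classify_scheme(url: str) -> str:
    """'plaintext' for http://, 'tls' for https://, 'unsupported' for anything else."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "http":
        return "plaintext"
    if scheme == "https":
        return "tls"
    return "unsupported"

def version_acceptable(negotiated: str) -> bool:
    """True only for the versions still considered secure: TLS 1.2 and TLS 1.3."""
    return negotiated in ("TLSv1.2", "TLSv1.3")

def probe_tls(host: str, port: int = 443, timeout: float = 5.0):
    """Handshake with a context that refuses anything below TLS 1.2.
    Returns the negotiated version string, or None when the server cannot meet
    that floor (handshake fails) or is unreachable."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None

def audit(urls, prober=probe_tls):
    """Map each URL to 'plaintext', 'ok', 'weak-or-unreachable' or 'unsupported'.
    The prober is injectable so the logic can be exercised without network access."""
    report = {}
    for url in urls:
        kind = classify_scheme(url)
        if kind != "tls":
            report[url] = kind
            continue
        parsed = urlparse(url)
        ver = prober(parsed.hostname, parsed.port or 443)
        report[url] = "ok" if ver and version_acceptable(ver) else "weak-or-unreachable"
    return report

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_ENDPOINTS).items():
        print(f"{verdict:20s} {url}")
```

A failed handshake is reported as "weak-or-unreachable" because, from the client side, a server that only offers TLS 1.0/1.1 and a server that is down both look like a refused connection; confirm with the endpoint owner before concluding which it is.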
Celigo has enabled SSE-S3 for all Amazon S3 buckets. Each object saved in S3 is encrypted with its own data key, and that key is in turn encrypted with a master key stored separately.
Endpoint API credentials are provided by Celigo customers, who are responsible for updating tokens and passwords according to their security policies.