Data Security and Privacy Compliance

The processes and systems necessary to develop, operate, and maintain Thunderhead are designed to comply with globally recognized best practices and regulations for data security and privacy.

ISO 27001 Certified

Thunderhead is committed to information security and maintains certification to ISO 27001 the International Standard for Information Security Management. This covers requirements for information security management systems, providing a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. 

Learn more


ISO27001 Certified

GDPR Compliant

Thunderhead is committed to the privacy of your data and providing services that enable compliance with GDPR. Read our FAQs to find out more.


As a Service Organization Control (SOC) 2 Type 2 certified company, Thunderhead’s operations are independently audited against the attestation standards established by the American Institute of Certified Public Accountants (AICPA). The SOC 2 report provides assurance that we have suitable and effective controls for managing customer data and complies with the SOC 2 trust principles for Security, Confidentially, and Availability.


Veracode Verified

Thunderhead is proud to participate in Veracode Verified, a program validating a company’s Secure Software Development Processes.

We enact a model of ‘security by design’ by implementing regular security checks and discussions throughout our SDLC. This approach ensures that the features and quality of our software meet a high standard, while also reducing security risks. Organizations with their security development practices validated and their application accepted into the Standard Tier have demonstrated that the following security gates have been implemented into their software development practice:

Assesses first-party code with static analysis
Documents that the application does not allow Very High flaws in first-party code
Provides developers with remediation guidance when new flaws are introduced

Varacode Verified Logo

Health Insurance Portability and Accountability Act (HIPAA)

Thunderhead supports compliance with the Health Insurance Portability and Accountability Act (HIPAA) security and privacy standards governing the use and disclosure of sensitive protected health information (PHI).

Compliance with HIPAA provides assurance that proper and continual measures are taken to protect PHI and enables HIPAA-regulated customers to use Thunderhead’s services to securely process PHI.


Privacy Shield

Thunderhead complies with the U.S.-EU and Swiss-U.S. Privacy Shield framework, as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information from European Union member countries and Switzerland.

Learn more


Privacy Shield

Law Enforcement Requests Report

We are committed to being transparent about information requests from law enforcement agencies and other government entities that may impact the privacy of our customers.