Thunderhead complies with the U.S.-EU and Swiss-U.S. Privacy Shield framework, as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information from European Union member countries and Switzerland.
Thunderhead is committed to the privacy of your data and providing services that enable compliance with GDPR. Read our FAQs to find out more.
ISO 27001 Certified
Thunderhead is committed to information security and maintains certification to ISO 27001, the International Standard for Information Security Management. The standard sets out requirements for an information security management system, providing a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems by applying a risk management process.
As a Service Organization Control (SOC) 2 Type 1 certified company, Thunderhead’s operations are independently audited against the attestation standards established by the American Institute of Certified Public Accountants (AICPA). The SOC 2 report provides assurance that we have suitable and effective controls for managing customer data, and that these controls comply with the SOC 2 trust principles for Security, Confidentiality, and Availability.
Health Insurance Portability and Accountability Act (HIPAA)
Thunderhead supports compliance with the Health Insurance Portability and Accountability Act (HIPAA) security and privacy standards governing the use and disclosure of sensitive protected health information (PHI).
Compliance with HIPAA provides assurance that proper and continual measures are taken to protect PHI and enables HIPAA-regulated customers to use Thunderhead’s services to securely process PHI.
Thunderhead is proud to participate in Veracode Verified, a program validating a company’s Secure Software Development Processes.
We enact a model of ‘security by design’ by implementing regular security checks and discussions throughout our SDLC. This approach ensures that the features and quality of our software meet a high standard while also reducing security risk. Organizations that have had their security development practices validated and their application accepted into the Standard Tier have demonstrated that the following security gates are implemented in their software development practice:
• Assesses first-party code with static analysis
• Documents that the application does not allow Very High flaws in first-party code
• Provides developers with remediation guidance when new flaws are introduced