SmartPath takes client security very seriously. Without our customers' and clients' trust, it would be impossible for us to provide the service offerings we do. This page serves as an overview of common questions and high-level aspects of our security practices.
Security and Compliance
SmartPath initially obtained its SOC2, Type II attestation for the Security control in July 2020. SmartPath has obtained attestation reports in 2020, 2021, 2022, and 2023.
Our latest SOC2 report is available upon completion of an NDA by contacting firstname.lastname@example.org.
SmartPath's systems rely solely on hardened cloud infrastructure. We do not maintain our own network or servers.
All SmartPath data is encrypted at rest, in transit, and in front of our users.
SmartPath system encryption keys are managed by our cloud infrastructure, which prevents direct access by any individuals, including SmartPath employees and our service providers.
Network and system diagrams are available upon request.
SmartPath conducts annual penetration testing on its production application. Initial and remediation testing are conducted by Cobalt.io.
A letter detailing the findings is available upon request.
SmartPath leverages automated tools to ensure dynamic vulnerability coverage of our code throughout our Secure Development Lifecycle (SDLC).
All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. We use MDM software to enforce secure configuration of devices with policies including disk encryption, screen lock configuration, and enforced software updates.
SmartPath requires all employees to complete extensive security training during onboarding, and requires employees to renew training annually. Topics include password security, storage devices, secure browsing practices, phishing and more.
During regular, company-wide meetings, SmartPath's security team shares security-related information that may require action or special attention.
Some SmartPath services are powered by third-party vendors. For example, for webinars, we use BigMarker. SmartPath leverages best practices like pseudonymization, enforced multi-factor authentication, and limited system and data access in these systems.
Vendors are reviewed annually for their security practices and for potential risks and impacts on SmartPath customers' data and our own.