Information Security Solutions

We offer the Cartus Privacy Promise as our commitment to keeping your information safe and secure via our people, processes, and technology. Our information security initiatives derive from an integrated strategy developed, implemented, updated, and controlled by our Global Information Security Team.

Increased security through verification and controls

The effectiveness of our approach has been validated by numerous client reviews (including many of the largest companies in the world, among them more than 50 percent of the Fortune 50) as well as by annual external audits such as SOC 1, SOC 2, and ISAE 3402. Cartus was also one of the first organizations to self-certify under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, programs developed by the United States Department of Commerce with the European Commission and the Swiss Administration, respectively, to safeguard personal data transferred from the EU and Switzerland to the United States. (Note that the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield as a transfer mechanism in July 2020, so Privacy Shield participation should no longer be relied on as a legal basis for EU data transfers.)

Regarding the EU General Data Protection Regulation (GDPR), which replaced the 1995 Data Protection Directive (95/46/EC) on May 25, 2018: in our role as a data processor for our clients, Cartus has been working in a number of areas to support their GDPR compliance. Please see our GDPR blog post and survey for more information.

Personnel Security

  • Policy and process are part of the Cartus culture
  • 100% of Cartus employees are trained annually on business ethics, privacy/security, and anti-corruption/bribery
  • Background and criminal checks are conducted where allowed by law, with additional screening available

Managing Access

  • We employ the Principle of Least Privilege as well as segregation of duties
  • All access is centrally managed and approved by management
  • Privileged access is reviewed quarterly

Securing Infrastructure

  • Encryption of data at rest and in transit
  • Defense-in-depth strategy using a tiered infrastructure with firewalls, intrusion prevention systems (IPS), a DMZ, and endpoint security
  • Centralized Security Operations Center (SOC)
  • Mature Vulnerability Management Program

Continuing Operations

  • Encrypted backups replicated in near real time to an offsite facility
  • Annual disaster recovery testing
  • Ten years of successful recovery testing
  • Regular business continuity testing

Compliance

  • Penetration Testing of our applications and the environment
  • Annual SOC1, SOC2, and ISAE 3402 assessments
  • Employee training and testing to improve our resilience to phishing and external threats
  • SOX compliant (PwC)
  • GDPR Readiness Program
  • Privacy Shield certified (EU-U.S. and Swiss-U.S.)
  • Cyber Essentials certified
  • Client audits and assessments: more than 250 per year