Mette Kirk Kjærsgaard Jul 9, 2020 9 min read

8 Reasons Why You Should Choose a Supplier with an ISAE 3000

If you think compliance is expensive, try non-compliance.

In today's data-heavy environment, being compliant in every aspect of a company's business is vital, especially when it comes to data processing and information security.

In the EU, this has been made obligatory primarily through the General Data Protection Regulation (GDPR), and similar data protection regulations are in place in other parts of the world. Regulations like GDPR require companies to uphold various obligations, such as a continually updated Data Protection Addendum and agreement between a Data Processor and Data Controller, stating and regulating on what legal basis data is processed, etc.

When entering a relationship with a vendor or supplier, it is of the utmost importance to know that your company's data is being handled professionally, with integrity and confidentiality, and in compliance with applicable law.

But how do you make sure that your data is protected? On what basis can you trust a company with your data or the data of your clients? How can you be sure that your data processor is qualified to ensure data protection?

We recommend that you only work with suppliers who have obtained independent third-party audit reports on Information Security.

Ensuring compliance when processing data by obtaining an externally approved report of data processing activities, such as an ISAE 3000 standard report of compliance, is beneficial for both a vendor or supplier and their customers.

This gives the customer confidence and security that data is processed in compliance with the applicable law.

Why Should You Choose a Vendor That Has an Independent 3rd Party ISAE 3000 Report on Data Processing and Information Security?

Working with a supplier who holds an ISAE 3000 report proves that your data is being treated with integrity and confidentiality, and that all data processing activities and potential risks are being documented and controlled accordingly.

This is a huge advantage for you as a customer, as it gives you comfort, security and assurance that the system or services you are considering implementing maintain the highest security standards, assess risks accordingly, and perform excellent quality control.

We have listed eight key reasons why you should always choose a supplier that holds a 3rd party ISAE 3000 report: 

  1. Trust
    Entering an agreement with a company that has an ISAE 3000 report means you enter a relationship built on trust. 

  2. Credibility and Security
    We have all probably ticked the box 'Accept terms and conditions' without really reading them. When implementing a system in your organization, this, of course, will not work. Therefore, you need to make sure that the vendor you are considering as a partner is treating personal and company data with care. This is where an ISAE 3000 report comes in handy. It is externally audited, but it also holds all the information you need to understand and learn how your data is processed.

  3. An Exact Description of Data Processing Activities
    Ever wondered what type of data is processed by the supplier? And for what purpose? Or how risks are being assessed? The data processing activities are extensively elaborated in an ISAE 3000 report. If you need to know what kind of data a company's sub-processors are using, it is an advantage to be presented with an ISAE 3000 report instead of having to investigate this yourself, knowing that the information you find has not been externally audited, and hence not controlled.

  4. External Auditors Give a Third Party Stamp of Approval
    We all want to believe that a company processes our data with integrity and confidentiality, while being responsible and following regulations. However, we cannot be 100% sure when the only assurers are the companies themselves. With an ISAE 3000 report you have an externally audited document that describes data processing and adherence to regulations, giving you a third-party stamp of approval.

  5. Make Data Processing Suspicion Redundant
    The fact is that all companies that process personal data are subject to the same standards. But unfortunately, this does not guarantee that they uphold these standards in real life. You are assured of this when working with a supplier with an ISAE 3000 report.

  6. Knowledge of Controls
    Ever heard the term "Technical and organizational activities and measures"? In an ISAE 3000 report, a vendor must submit any data processing and data protection activities implemented in the rest of the organization, which are comparable to the terms set in the General Data Protection Regulation. The description of events is converted into a set of controls tested by the external auditing firm. Controls are therefore in place to ensure that the implemented technical and organizational measures are in compliance with applicable law.

  7. Breach Notification
    When working with data, there is always the risk of a data breach. This means your data may be accessible to people to whom you have not given your consent. If such a breach occurs, a company must act fast, following a set of guidelines to restore and rectify data. All companies are bound to notify their customers if a breach occurs. With an ISAE 3000 report, you can be assured that this happens, since a set of procedures is implemented and checked regularly.

  8. Constant Recording of Processing Activities
    If the company changes the handling of processing activities, how do you make sure you are informed? The answer is that when a company obtains an ISAE 3000 report, they must also fulfill the terms that say that any changes to processing activities are both recorded and notified to customers. No changes can go unnoticed, so you are sure that you always have the full picture.

AskCody's ISAE 3000 report

At AskCody, we are constantly improving our data protection, both in regard to securing the data that is shared with us and in complying with the laws and regulations on data protection.

As part of our promise to provide an enterprise-grade platform with the highest security standards implemented, AskCody undergoes a third-party audit and inspection on a yearly basis to verify the compliance of data processing with respect to our DPA, GDPR, our Information Security Policy and all other security and compliance matters in AskCody.

Therefore, an independent third party (BDO) – a state-certified company auditor – has controlled and certified our security measures, our compliance, etc. to clarify and document that we have implemented security measures and that those measures work efficiently.

Thus, we can provide our trusted Customers and Business Partners the assurance they need that AskCody processes data responsibly. In turn, they can assure their users and employees that personal data is handled with care and in compliance with data protection laws (GDPR).

The ISAE 3000 report is also useful when it comes to assessing our compliance with your instructions and the data processing agreement that we have entered into with you.

Mette Kirk Kjærsgaard

Mette is the Business and Compliance Administrator at AskCody. She is enthusiastic about her work, which is why she always brings a smile to the office. She has worked in E-commerce, CMS systems, Adobe software, Business Administration, Content creation, Social Media, and other fields. Overall, she possesses a variety of skills and is an expert at combining them in her day-to-day working life. Mette graduated from Aalborg University with a master's degree in International Business Communication.