Mette Kirk Kjærsgaard 7/9/20 2:00 PM 9 min read

8 Reasons Why You Should Choose a Supplier with an ISAE 3000

If you think compliance is expensive, try non-compliance.

In today's data-heavy environment, being compliant in every aspect of a company's business is vital. Especially talking data processing and information security.

In the EU, this has primarily been made obligatory through the General Data Protection Regulation (GDPR), and similar data protection regulations are apparent in other parts of the world. Regulations like GDPR require that companies uphold different obligations such as a continually updated Data Protection Addendum and agreement between a Data Processor and Data Controller, stating and regulating on what legal basis data is processed, etc. 

Entering a relationship with a vendor or supplier, it is of the utmost importance to know that your company’s data is being handled professionally, with integrity and confidentiality, and in compliance with applicable law. 

But how do you make sure that your data is protected? On what basis can you trust a company with your data or the data of your clients? How can you be sure that your data processor is qualified to ensure data protection?

We recommend that you only work with suppliers who has achieved independent third party audit reports on Information Security.

Ensuring compliance when processing data, it is beneficial for both a vendor or supplier, and its customers to obtain an externally approved report of data processing activities, such as an ISAE 3000 standard report of compliance.

This gives the customer the confidence and safety, that data is processed in compliance with the applicable law.

Why should you choose a vendor that has an independent 3rd party ISAE 3000 report on data processing and Information Security?

Working with a supplier that holds an ISAE 3000 report proves that your data is being treated with integrity and confidentiality, and that all data processing activities and potential risks are being documented and controlled accordingly.

This is a huge advantage for you as a customer since it gives you comfort, security and assurance that system or services you are considering implementing has the highest security standards implemented, assess risks accordingly, and has excellent quality control.  

We have listed eight key reasons why you should always choose a supplier that holds a 3rd party ISAE 3000 report: 

  1. Trust

    Entering an agreement with a company that has an ISAE 3000 report means you enter a relationship build on trust. 

  2. Credibility and security

    We have probably all ticked the box 'Accept terms and conditions' without really reading them. When implementing a system in your organization, this, of course, will not work. Therefore, you need to be sure that the vendor you are considering as a partner is treating personal and company data with care. This is where an ISAE 3000 report comes in handy. It is externally audited, but it also holds all the information you need to understand and learn how your data is processed.

  3. An exact description of data processing activities

    Ever wondered what type of data is processed by the supplier? And with what purpose? Or how risks are being assessed? The data processing activities are extensively elaborated in an ISAE 3000 report. If you need to know what kind of data a company's sub-processors are using, it is an advantage to be presented with an ISAE 3000 report instead of having to investigate this yourself, with the knowledge that the information you find, has not been externally audited, and hence not controlled.

  4. External auditors give a third-party stamp of approval

    We all want to believe that a company processes our data with integrity, confidentiality, are being responsible and follow regulations, but we also cannot be 100% sure if the only assurers are the companies themselves. With an ISAE 3000 report, you have an externally audited document that describes data processing and adherence to regulations, giving you a third-party stamp of approval.

  5. Make data-processing suspicion redundant 

    The fact is that all companies who process personal data are subject to the same standards. But unfortunately, this does not guarantee that they uphold these standards in real life. You are ensured of this when working with a supplier with an ISAE 3000 report. 

  6. Knowledge of controls 

    Ever heard the term "Technical and organizational activities and measures?" In an ISAE 3000 report, a vendor must submit any data processing activities and data protection activities implemented in the rest of the organization, which are comparable to the terms set in the General Data Protection Regulation. The description of events is converted into a set of controls tested by the external auditing firm. Controls are therefore in place to ensure that the implemented technical and organizational measures are in compliance with applicable law.

  7. Breach notification 

    Working with data, there is always the risk of a data breach. This means, your data may be accessible to people whom you have not given your consent. If such a breach occurs, a company must act fast following a set of guidelines to restore and rectify data. All companies are bound to notify their customers if such a breach occurs. With an ISAE 3000 report, you can be assured that this happens, since a set of procedures are implemented and checked regularly. 

  8. Continued recording of processing activities 

    If the company changes the handling of processing activities, how are you sure you are informed? The answer is that when a company obtains an ISAE 3000 report, they also must fulfill the terms that say that any changes to processing activities are both recorded and notified to customers. No changes can go unnoticed, so you are sure that you always have the full picture. 

AskCody's ISAE 3000 report

At AskCody, we are constantly improving our data protection, both in regard to securing the data that is shared with us, as well as complying with the laws and regulations on data protection. 

As part of our promise to provide an enterprise grade platform with the highest security standards implemented, AskCody on a yearly basis perform a third party audit and inspection to verify the compliance of data processing with respect to our DPA, GDPR, our Information Security Policy and all other security and compliance matters in AskCody.

Therefore, an independent third party (BDO) – a state-certified company auditor – has controlled and certified our security measures, our compliance, and more to clarify and document that we have implemented security measures and that those measures work efficiently.

By this we can provide our trusted Customer and Business Partners the assurance they need, that AskCody process data responsibly, so they in turn can assure their users and employees that personal data is handled with care and in compliance with data protection laws (GDPR).

The report ISAE 3000 Report is also useful to you when it comes to assessing our compliance with your instructions and the data processing agreement that we have entered into with you.

Request our ISAE 3000 Report 

Mette Kirk Kjærsgaard

Business and Compliance Administrator, AskCody