October 8, 2024
Data security is as important to you as it is to us. That’s why we’re pleased to let you know that Fathom has received ISO27001 certification and been issued with the SOC 2 Type 1 report.
These external audits recognize Fathom as being compliant with security frameworks that best protect the interests of our customers and the data they hold.
To learn more about SOC2 and ISO27001, and what this means for you when using Fathom, please read on.
ISO/IEC 27001:2013 (normally known as ISO 27001) is an independent accredited certification, making it the world's best-known standard for Information Security Management Systems (ISMS).
Being awarded the ISO27001 certification shows that Fathom has implemented the steps required to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.
The ISO27001 uses three principles of information security, known as the CIA triad, to provide confidence that there are the right processes in place to ensure that risks are adequately managed:
There are a total of 93 security controls that are part of the ISMS, and despite the ISO27001 not requiring all 93, sufficient evidence is required for security controls that are not investigated.
The security controls are bucketed into the following four categories:
If data security is important for you and your organization, then it is important to partner with a company with ISO27001. As an independent certification, it ensures that all appropriate security controls are investigated, and the company has been adequately assessed.
Fathom prides itself on ensuring our security and data processes are of the highest caliber, leading to this recognition at the international level.
If you wish to receive a copy of Fathom’s ISO27001 certificate, please contact support@fathomhq.com.
System and Organizations Controls 2 or more commonly SOC 2, is a United States auditing examination covering the five Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality and privacy.
This examination is then collated into a Type I or Type II report.
Created by the American Institute of Certified Public Accountants (AICPA) in the early 2000’s, the main goal was to ensure that companies were storing customer data securely and safely in a growing digital landscape, while establishing trust between service providers and customers.
As the only mandatory TSC, the scope is quite large, investigating a wide range of security checks, including data usage, creation, utilization, processing, transfer, and preservation, with the ultimate analysis to view how the company is protecting customer information from vulnerabilities and unauthorized access.
The security TSC is broken down into 9 categories:
AICPA defines the availability trust services criteria as “Information and systems are available for operation and use to meet the entity’s objectives.” As a service organization is offering an outsourced service to their clients, it is important to note that the service is available for the client.
Availability is a commonly included TSC, as providing evidence that systems are available for operation is key to many clients of service organizations.
Processing integrity covers whether the system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. This criteria tests that there are no errors in processing, how data is stored and maintained, and if there are any errors, that they are detected quickly and corrected.
The confidentiality trust services criteria look at how information designated as confidential is protected to meet the entity’s objectives. As confidential information can vary between organizations, the same applies to its examination. The key component is looking at contractual obligations of customer confidentiality and how this is being processed.
As defined by AICPA, privacy trust services criteria cover the following: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in generally accepted privacy principles (GAPP).
The main difference between privacy and confidentiality is that privacy TSC protects personal information while confidentiality TSC protects non-personal information and data.
Due to the sensitive nature of the SOC 2 report, there is a specific process that will need to be followed. If you would like to learn more about the process or about our SOC 2 Type I report, please contact support@fathomhq.com.
We understand that when you use Fathom, you are entrusting us with one of your most valuable assets - the financial data of your company or client. We treat this responsibility very seriously. The SOC 2 Type 1 report and the ISO27001 certification are testament to Fathom’s strong security foundations. We are now actively working towards attainment of SOC 2 Type 2. If you would like to know more about Fathom’s security measures and certifications, please contact support@fathomhq.com.
Luke is a Product Manager at Fathom. He values customer relationships and insights as a driving factor behind product strategy and roadmaps. Luke has a background in both Technology and Finance, having worked as a Product Manager and Financial Analyst. Luke holds Bachelor’s in Business and IT, a Masters in Applied Finance, and can talk endlessly about craft beer and homebrew.
