Data security and compliance
Blackthorn does not store user data. When your organization uses our apps, all PII (personally identifiable information) and financial details remain safely stored in Salesforce. Get an overview of our data security and compliance practices below, or visit our Trust Center for more details.
Our practices
To support certain Blackthorn functionality, specific data may be temporarily stored outside of Salesforce. This is done in accordance with industry standards defined by the AICPA.
To review our SOC 2 report providing independent, third-party validation that Blackthorn’s information security practices meet AICPA standards, please visit our Trust Center.
Blackthorn does not store your organization’s data, so we aren’t governed by the Federal Risk and Authorization Management Program (FedRAMP). Salesforce, which does store your data, is FedRAMP-certified.
Blackthorn uses Amazon Web Services (AWS) to serve landing pages, registration pages, and calendars, and caches non-sensitive event data such as event names, images, and dates in Postgres for fast loading and fewer queries. Blackthorn’s AWS instances accessed in the U.S. are hosted in FedRAMP-compliant AWS U.S. East-West regions.
The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law related to academic records and students’ associated directory information. Since Blackthorn does not store your organization’s data, compliance with FERPA is the responsibility of the academic institutions that use Blackthorn apps.
PCI DSS refers to the Payment Card Industry Data Security Standard. Blackthorn is PCI SAQ D compliant. Click here to view our Attestation of Compliance, signed by a third-party auditor.
Blackthorn does not store credit card numbers or CVV codes in any version of our applications. Our interfaces use client-side tokenization, which means that card details are sent directly from the user’s browser to the payment gateway (e.g., Apple Pay). These details are replaced with non-sensitive “tokens” before being saved in Salesforce.
Since Blackthorn does not store your organization’s data, compliance with the PII regulations outlined by the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), and the EU’s General Data Protection Regulation (GDPR) is the responsibility of the organizations that use Blackthorn apps.
Blackthorn maintains GDPR compliance for all the processors and sub-processors in our technology stack, where we decide how data will be processed on our users’ behalf. View our Data Processing Agreement (DPA) here.
Accessibility best practices are built into Blackthorn’s design and development processes. Our products are tested for compliance with user accessibility standards based on the World Wide Web Consortium’s Web Content Accessibility Guidelines (WCAG) 2.1 (Levels A, AA, and AAA). Our Voluntary Product Accessibility Template (VPAT) is Level AA compliant; click here to view it.