Data Security and Compliance
Blackthorn.io takes steps to ensure data security by not storing personal, sensitive, financial, or confidential customer data in its systems; the only data stored is topical, related to events. All data is encrypted during transit using TLS 1.2 or better, and at rest within the customer’s Salesforce organization using industry standard encryption.
Need to dig a little deeper? Visit our trust center to access Blackthorn’s comprehensive security documentation.
SOC 2
Businesses need to work with vendors they can trust to keep their data private and secure. To address this, Blackthorn.io‘s SOC 2 report provides an independent, third-party validation that shows Blackthorn.io‘s information security practices meet industry standards stipulated by the AICPA.
If you’d like to review the report, please visit our Trust Center.
Our Data Flows
Blackthorn data flows span Blackthorn Events and Blackthorn Payments. We are not the system of record, as all data is stored in Salesforce. However, to support the performance of Blackthorn Events, specific data is temporarily stored outside of Salesforce. For details on the type of data and how it is cached, please review the information here or fill out the form below, and our security team will respond to you shortly.
FedRAMP Certification
FedRAMP: For select US Government entities
Blackthorn provides customers with a managed package of objects that get uploaded and used inside of Salesforce accounts. Salesforce, which is FedRAMP certified, is where all customer data and personally identifiable information is stored.
Since Blackthorn stores no customer data (as it is stored in your own Salesforce ‘org’), Blackthorn does not fall within FedRAMP PII parameters. Blackthorn leverages AWS (Amazon Web Services), to surface event web pages like landing pages, registration pages, and calendars. We cache non-sensitive event data like event names, images, and dates on Postgres, hosted by AWS, for fast loading and reduced queries.
AWS is FedRAMP certified. Our US-accessed AWS instances for our applications are hosted in the “AWS US East-West” regions, which are within FedRAMP compliance.
FERPA Compliance
FERPA is a privacy act covering academic records and students’ associated directory information. The act states that academic data may be made available to parents until the student turns eighteen or attends school past the high school level. Since Blackthorn.io’s apps don’t store the data and act as a passthrough, the governance for FERPA falls on the college.
Credit Card PCI Compliance
PCI DSS: Payment Card Industry Data Security Standard
Every business aims to be “PCI-compliant”. This largely boils down to the handling of card numbers and CVV codes. Blackthorn has never stored card numbers or CVV codes on any version of our application. PCI compliance is much more involved than this, covering how tokenization occurs, whether card numbers are encrypted or not stored at all (stored instead in the gateway, such as Stripe or Authorize.net), who has access to card data, and more.
PCI standards have different tiers of compliance. Blackthorn is PCI SAQ D compliant. Here is Blackthorn’s complete Attestation of Compliance, signed by a third-party auditor.
Broken down more specifically, all of our interfaces (Events checkout, PayLink, DocumentLink, and the Virtual Terminal) perform client-side tokenization, which means the card details are sent directly from the user’s browser to the gateway. The card details never reach the database (Salesforce); only the tokenized form of the card is stored, which is a PCI-compliant approach.
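The client-side tokenization flow above, as an added illustration rather than Blackthorn’s own code: the browser hands the card to a (mocked) gateway tokenizer, only the returned token goes to the application side, and a server-side guard refuses any payload that still carries a PAN or CVV. The gateway call, field names and card value are constructed for the example.

```javascript
// Luhn check, used only to recognise a primary account number that should not be present.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Mock gateway tokenizer standing in for a Stripe.js / hosted-fields style call (assumption).
// A real gateway returns an opaque token; the card fields go from the browser to the gateway only.
let tokenCounter = 0;
function mockGatewayTokenize(card) {
  const pan = card.number.replace(/[\s-]/g, '');
  if (!luhnValid(pan)) throw new Error('gateway: invalid card number');
  tokenCounter += 1;
  return `tok_${pan.slice(-4)}_${tokenCounter}`;
}

// Browser side: the payload sent to the application server carries the token, never the card.
function buildCheckoutPayload(card, amountCents) {
  const paymentToken = mockGatewayTokenize(card);
  return { paymentToken, amountCents };
}

// Server side guard: detect raw card data that should never reach the database.
// Flags CVV-style field names and any Luhn-valid digit run that looks like a PAN.
function payloadCarriesCardData(payload) {
  const blob = JSON.stringify(payload);
  if (/"(cvv|cvc|cardNumber|pan)"\s*:/i.test(blob)) return true;
  for (const run of blob.match(/\d[\d\s-]{11,}\d/g) || []) {
    if (luhnValid(run.replace(/[\s-]/g, ''))) return true;
  }
  return false;
}
```

A request that fails `payloadCarriesCardData` should be rejected before any write, so the only card-related value that is ever persisted is the gateway token.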
PII: GDPR, HIPAA, CCPA
PII – Personally Identifiable Information is any information about an individual, such as their email address or phone number, from which they can be personally identified. Legislation governing the handling of PII differs by country.
GDPR – General Data Protection Regulation is a large set of policies governing how a customer’s PII is handled, including giving your end customers the right to be forgotten, either completely or on a selective basis. Blackthorn has no separate data store; all PII is stored in your Salesforce environment. Customer data, including requests such as a customer asking to have their data removed, is managed by each organization we work with and not by Blackthorn. GDPR generally applies to European-based organizations and also to European-based customers.
HIPAA – Health Insurance Portability and Accountability Act compliance, in the context of Blackthorn, is similar to GDPR, in that customer data is only stored in your Salesforce environment. The handling of this data depends upon your organization’s policies.
CCPA – California Consumer Privacy Act is a state-wide data privacy law that provides California residents with the right to know what personal data is being collected about them, to whom it is being sold, and to request that their data be deleted. Blackthorn operates in a way that ensures compliance with CCPA by storing all customer data within your Salesforce environment. The responsibility of managing and responding to consumer requests under CCPA falls on the organizations we partner with, rather than Blackthorn itself.
Data Processing – Blackthorn is GDPR compliant and will maintain GDPR compliance for all the processors and sub-processors in our technology stack, where we decide how data will be processed on your behalf. View our Data Processing Agreement (DPA) here.
Website Accessibility
VPAT: WCAG, ADA, and 508 Standards
There are suggested standards for people with disabilities accessing websites, with varying levels of compliance. They are set out in the Web Content Accessibility Guidelines, the Americans with Disabilities Act, and the 508 Standards, and they are aggregated in the Voluntary Product Accessibility Template. Blackthorn is AA compliant with its VPAT. The feature is accessed via the image below. To enable it, please contact our support team.