Certinia Information Security Program


Certinia applications were designed from the ground up using core information security principles:

Certinia is committed to achieving and maintaining these principles and the trust of our customers. Integral to this is providing a robust information security and privacy program that carefully considers security and data protection across our services, including data submitted by customers to our services (“customer data”). Over 1000 customers in 34 countries trust Certinia applications. Our customers are in a wide range of verticals, some with stringent security requirements, including financial services, healthcare, technology, energy and government.

Security at Certinia

Certinia has a dedicated Information Security function led by the Head of Information Security and driven by a risk-based information security strategy. Our security policy and standards, controls and verification efforts are designed to protect customer information assets against a range of rapidly evolving threats. Our Information Security Program includes identifying, mitigating and reporting on information and cyber security risks, and complying with security and privacy regulations and commitments.

Responsible Disclosure

We operate a public bug bounty program on BugCrowd which allows independent security researchers from across the globe to find and report security vulnerabilities affecting our systems in exchange for monetary rewards. Enabling this kind of crowdsourced security testing means the top hackers in the world are continuously validating our defenses to keep our systems and our customers secure.

Further details about our bug bounty program can be found on BugCrowd.

Attack Surface Management

Certinia uses state-of-the-art security technology to protect our digital landscape, including input from industry leading vendors and custom-built Attack Surface Management solutions designed to harden and reduce our attack surface.

Cloud Security Alliance

As part of our commitment to Trust, Certinia has made available to the public a detailed description of our cloud security controls under the Cloud Security Alliance (CSA) STAR Level 1 – Self-Assessment program. This self-assessment uses the CSA Consensus Assessments Initiative Questionnaire to answer nearly 300 standardized questions that provide transparency into cloud vendor security practices and controls supporting their cloud service delivery and applications.


Certinia Applications

Service Organization Controls (SOC) Reports

As part of our commitment to Trust, Certinia maintains the American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC 1 Type II, SOC 2 Type II and SOC 3) attestations. The SOC 1 Report helps to provide Certinia customers with the assurance that our applications are developed and delivered in accordance with transparent standards designed for quality and security applicable to financial reporting. The SOC 2 Report gives assurance over controls around the security and confidentiality of customer data. The SOC 3 Report is a publicly facing document which reflects the overall content and audit opinion of our SOC 2 Type II Report but does not disclose confidential information about Certinia, such as the specific internal controls assessed by the third-party auditors.

To access the latest Certinia SOC 3 Report, please see our Public Whistic Profile.

The SOC Reports provide our customers assurance that the Certinia Description of Services is fairly presented in all material respects, that controls put in place by Certinia are suitably designed to meet their control objectives, and that those controls were tested and operated effectively during the audit period.

If you would like to request a copy of our SOC 1 Type II or SOC 2 Type II Reports, please get in touch with your Certinia Account Executive to request access to our Full Whistic Profile. Our SOC 1 Type II and SOC 2 Type II Reports are only made securely available through our Full Whistic Profile.

Additionally, and in particular for our SOC 1 report, we publish Bridge/Gap Letters on a strictly quarterly basis to extend the coverage of our report to meet the needs of our customers’ audit teams. Bridge/Gap Letters are only made securely available through our Full Whistic Profile, alongside our SOC reports.


The safety, security and availability of our customers’ data are a top priority for Certinia. As part of this commitment, Certinia supports compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) by our customers that are covered entities or business associates under HIPAA.

Certinia complies with the specific requirements of the HIPAA Security Rule that apply to Certinia in its capacity as a business associate. In addition, Certinia applications provide configurable security features that can help our customers address their security and compliance requirements under HIPAA.

Certinia customers that are subject to HIPAA and wish to use our applications for electronic Protected Health Information (ePHI) must first sign a Certinia business associate addendum.

Please review our Certinia and the HIPAA Security Rule whitepaper for an overview of Certinia application features and controls relevant to the HIPAA Security Rule and how our customers can leverage those controls to meet HIPAA compliance requirements.

Additional Security Resources

If you have security- or privacy-related questions, comments or concerns, please contact us.