SOC 2 reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to applicable Trust Services Principles and Criteria which include security, availability, processing integrity, confidentiality and privacy trust principles.
A Type II reports on the fairness of presentation of management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over a period of time, not just a point in time.
The SOC 2 Type II report provides a detailed review, by an independent audit firm, of Appian Cloud’s security, availability, and confidentiality controls.
Appian Cloud’s SOC 3 report is publicly available and provides a summary of the Appian Cloud SOC 2 report. The SOC 3 provides assurance about Appian Cloud’s security, availability, and confidentiality controls in alignment with the AICPA’s Trust Services Principles. This includes an external auditor opinion on the effectiveness of operation of controls.
The Payment Card Industry (PCI) Security Standards Council offers standards to enhance payment card data security. The PCI Data Security Standard (PCI DSS) provides a framework for developing a robust payment card data security process; including prevention, detection, and appropriate handling of security incidents. Customers can leverage Appian Cloud’s PCI-DSS certification to reduce their own PCI compliance complexity after agreeing to the Appian Cloud PCI-DSS terms.
Appian Cloud has been assessed by an external independent auditor and is compliant with PCI DSS.
The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the security and privacy of Protected Health Information (PHI).
Appian Cloud is compliant with the HIPAA security requirements. With HIPAA compliance, customers can securely process and store protected health information (PHI) in Appian Cloud after executing a Business Associate Agreement.
For more information about HIPAA and Appian, Click Here.
The Federal Risk and Authorization Management Program (FedRAMP) is a United States government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Being FedRAMP Compliant means a cloud system has an established and highly secure environment that has withstood comprehensive audit review before federal agencies are authorized to engage the system.
Appian Cloud is FedRAMP compliant and has received an Agency Authorization to Operate (ATO) at the Moderate level.
By achieving FedRAMP compliance, Appian Cloud has been deemed a viable solution to provide significant time and cost savings, improved security risk management, and enhanced program transparency for mission-critical federal operations. This authorization can be re-used by other Federal agencies to save both time and staff over working with non-FedRAMP systems.
To access the Appian Cloud FedRAMP compliant package, please visit https://www.fedramp.gov/marketplace/compliant-systems/.
DISA Level 2
FedRAMP+ is the United States Department of Defense’s (DoD) adaptation of the FedRAMP process, where they independently approve cloud-based systems for DoD use.
Appian Cloud currently has a DoD Provisional Authorization (PA) rated at Level 2 Impact Level. For additional information on DoD Cloud Security Impact Levels please visit the DoD Cloud Security portal.
DoD customers can leverage Appian Cloud’s PA when assessing and authorizing their system to operate on Appian Cloud.
The Federal Information Security Management Act (FISMA), enacted in 2002 and amended in 2014, provides a comprehensive framework for ensuring the effectiveness of information security controls for United States federal government IT systems. Together the Office of Management and Budget (OMB), Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST) have put a program in place to set the standards and oversee compliance.
Appian Cloud has a security framework with a robust security control structure in place that enables federal organizations to achieve Authorization to Operate (ATO).
Pharmaceutical and Life Sciences companies are required by law to meet Validation and Good Practice Standards (GxP) when building systems that touch or implicate predicate records. These include such records and processes associated with Clinical Trials, Laboratory work, Quality Assurance, Regulatory Information Management, Manufacturing, and Electronic Health Records
Appian Cloud has undergone an independent assessment performed by life science industry experts to evaluate Appian Cloud’s controls and their alignment to GxP computer system validation requirements and standards.
Customers can leverage this independent assessment report to supplement and support their GxP compliance and diligence efforts.
The Food and Drug Administration (FDA) introduced 21 CFR Part 11 as a requirement for commercial life science companies that maintain FDA-required records and signatures in electronic format to meet specific standards and comply with good clinical, laboratory, and manufacturing practices. The primary goals of this regulation are to ensure data integrity; that changes made to the system are documented, reasoned, and non-repudiated; computer systems used are trustworthy; and applications are validated to intended use.
Appian Cloud supports the necessary capabilities and technology to allow customers to build applications that are compliant with 21 CFR Part 11.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
The privacy shield frameworks replaced the U.S – EU Safe Harbor framework in 2016 ( EU) and 2017 (Swiss). Additional detail on these frameworks can be found at privacyshield.gov.
Appian is compliant with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Appian’s Privacy Shield certification can be viewed on the the Privacy Shield List.
508 / VPAT
The Rehabilitation Act of 1973, Section 508, requires that Federal agencies’ electronic and information technology is accessible to people with disabilities.
The Voluntary Product Accessibility Template (VPAT) is a tool used to document a product’s conformance with the accessibility standards under Section 508 of the Rehabilitation Act.
Appian has completed the VPAT and the Appian product is compliant with Section 508.
SOC 1 / ISAE 3402
Service Organization Controls (SOC) reports (formerly SAS 70 reports) are designed to help information systems operators and providers build trust and confidence in their service processes and controls.
Appian publishes a SOC 1 Type II report and an International Standards for Assurance Engagements (ISAE) 3402 report. Performed by an independent Certified Public Accountant, this audit engagement examines a service organization’s internal controls over a period of time that could impact the financial reporting of a customer that utilizes the services under audit. These reports are often important components of customer evaluations of their internal controls over financial reporting for purposes of supporting customers’ financial statement audit and compliance needs.
A Type II engagement provides an opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period, rather than just for a point in time.
Cloud Security Alliance
The Cloud Security Alliance’s (CSA) Security, Trust and Assurance Registry (STAR) Program provides a comprehensive framework for cloud provider trust and assurance. The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries and governments around the world. The STAR program allows cloud providers to assess their controls against the CSA Cloud Controls Matrix.
Appian Cloud is registered in the CSA Security, Trust and Assurance Registry, having completed the Consensus Assessments Initiative Questionnaire (CAIQ) covering 133 controls across 16 domains.
For more information and to view Appian Cloud’s STAR submission, visit the Cloud Security Alliance.