Proof Security Statement
Proof's Security Statement, last updated January 22, 2024, describes the technical, physical, and organizational security measures Proof implements and maintains to protect User Data against accidental, unauthorized, or unlawful access, disclosure, alteration, loss, or destruction. Its controls are aligned with several frameworks, including the AICPA Trust Services Criteria (SOC 2), NIST SP 800-53 Rev. 5 at the moderate baseline, the WebTrust Principles and Criteria for Registration Authorities, 201 CMR 17.00, and PCI DSS (as a merchant that outsources all payment processing to validated third parties), each validated through annual audits or assessments. On the basis of those controls, Proof also states that it meets the requirements of HIPAA, FERPA, the Gramm-Leach-Bliley Act, and NIST SP 800-171 Rev. 2.
Security Statement
Last Modified Date: January 22, 2024
Capitalized terms not otherwise defined have the meanings given in Proof General Terms ("General Terms") or the Proof Glossary.
1. Information Security Controls
Proof has implemented and will maintain reasonable technical, physical, and organizational measures that meet or exceed legal requirements and frameworks in compliance with applicable law, intended to protect User Data against accidental, unauthorized, or unlawful access, disclosure, alteration, loss, or destruction.
2. Frameworks, Compliance, and Audits
2.1 Frameworks
Proof’s security program includes controls that meet the requirements of the following:
- AICPA Trust Services Criteria: Validated by annual SOC 2 audits and the resulting reports.
- NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations, at the moderate level, and related security requirements in NIST Special Publication 800-63A at Identity Assurance Level 2 (IAL2), validated by annual audits.
- WebTrust Principles and Criteria For Registration Authorities: Validated by annual audits.
- 201 Code of Massachusetts Regulations (CMR) 17.00: Standards for the protection of personal information of residents of the Commonwealth, as documented in Proof’s Written Information Security Policy.
- PCI Controls: Applicable to e-commerce merchants who outsource all payment processing to PCI DSS validated third parties, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises, validated by annual completion of Self-Assessment Questionnaire (SAQ) A.
2.2 Additional Legal Requirements
Based on Proof’s controls as implemented under the previously listed frameworks and legal requirements, Proof also meets:
- HIPAA: Requirements applicable to Business Associates as defined in HIPAA.
- FERPA: Requirements applicable under the “School Official” requirements and relevant guidance from the Department of Education.
- Gramm-Leach-Bliley Act (GLBA): Requirements applicable to Service Providers as defined in the Gramm-Leach-Bliley Act.
- NIST Special Publication 800-171 Revision 2.
3. Security Incidents
3.1 Incident Response Plan
Proof maintains a cyber-incident breach response plan in accordance with Proof’s Written Information Security Policy ("Incident Response Plan") and implements the procedures required under such plan on the occurrence of a Security Incident.
3.2 Security Incident Notification
If Proof becomes aware of a Security Incident, Proof, after initial investigation and without unreasonable delay:
1. Provides notification of the Security Incident to one or more of Subscriber’s administrators by email.
2. Investigates the Security Incident and, after completing its investigation, provides Subscriber with information about the Security Incident.
3. Uses reasonable efforts to mitigate the effects and minimize any damage resulting from the Security Incident, and informs Subscriber of the steps taken.
4. Once determined, informs Subscriber of any modifications Proof makes to its security procedures intended to prevent similar incidents in the future.
3.3 Information Security Incident Management
- Incident Response Process: Proof maintains a record of Security Incidents with a description, time period, consequences, reporting person, to whom it was reported, and the procedure for recovering any affected data. Proof tracks Security Incidents, including what data has been disclosed and to whom, or what data has been lost, damaged, destroyed, or altered, and at what time.
- Service Monitoring: Following a Security Incident, Proof security personnel review relevant service-related logs to propose remediation efforts, if necessary.
Incident Priority Levels
| Priority Level | Conditions |
|---|---|
| Level 1 | Critical Business Impact. The Incident seriously affects the functionality of the Services (or component thereof) and cannot be circumvented such that most of the significant functionality is unavailable. |
| Level 2 | Significant Business Impact. The Incident partially affects the functionality of the Services (or component thereof), but can be circumvented so that most significant functionality is available. |
| Level 3 | Minimal Business Impact. The Incident can be circumvented such that the Services (or component thereof) can be used with only slight inconvenience. The problem is insignificant and has no significant effect on usability. |
Conditions for Closure of Help-Desk Ticket
- Level 1 & 2: Incident is resolved and closed when an Incident Resolution has been fully implemented.
- Level 3: Incident is resolved and closed when either (i) an Incident Resolution has been fully implemented, or (ii) 10 business days have elapsed since Proof’s communication of information reasonably believed to resolve the Incident (communicated by email to Subscriber’s designated contact), and Subscriber has not responded. The Incident can be reopened later if not resolved.
On-Demand Notary Availability Downtime Credits
| Cumulative On-Demand Notary Availability Downtime (per calendar month) | On-Demand Notary Downtime Credit |
|---|---|
| Up to 240 minutes | No Credit |
| 241-360 minutes | 1% |
| 361-480 minutes | 3% |
| 481-600 minutes | 5% |
| 601 minutes or greater | 7% |
Platform Availability Percentage Credits
| Platform Availability Percentage (per calendar month) | Platform Downtime Credit |
|---|---|
| 99.9% or higher | No Credit |
| Below 99.9% but at least 97% | 1% |
| Below 97% but at least 95% | 3% |
| Below 95% but at least 93% | 5% |
| Below 93% | 7% |
Incident Priority Response Times
| Incident Priority | Acknowledgement Time (Business Hours) | Provision of Incident Resolution or Interim Process | If Interim Process is provided, Maximum Timeframe for Provision of Incident Resolution |
|---|---|---|---|
| Level 1 | 1 hour | 8 hours | 36 hours |
| Level 2 | 4 hours | 24 hours | 5 days |
Personal Information Categories (California)
Personal Identifiers
- Sources: Directly from you; indirectly from you as you use services; notaries; data analytics providers; social networks; advertising networks; internet/mobile service providers; counterparties in a transaction; credential analysis companies; identity verification services. For job applicants: directly from you; background check providers; recruiters; recruiting software providers.
- Purpose: Provide services; communicate; protect and secure environment; verify, maintain, improve, upgrade, or enhance products/services; identify and repair errors; advertise/market. For job applicants: assess application; satisfy legal obligations.
- Recipients: Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; payment processors; mobile application platforms; tag management platforms; video sharing platforms; notaries; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; counterparties in a transaction; single sign-on providers; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; background screening companies; mortgage process digitization providers; electronic signature and digital transaction management providers; financial services companies; web mapping platforms.
- Retention: Length of business relationship plus any legally required additional retention period or as long as business needs require, whichever is longer.
California Customer Records Personal Information
- Sources: Directly from you; counterparties in a transaction; credential analysis companies; identity verification services. For job applicants: directly from you; background check providers; recruiters; recruiting software providers.
- Purpose: Provide services; communicate; protect and secure environment; verify, maintain, improve, upgrade, or enhance products/services; identify and repair errors; advertise/market. For job applicants: process application; satisfy legal obligations.
- Recipients: Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; payment processors; mobile application platforms; tag management platforms; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; counterparties in a transaction; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; background screening companies; mortgage process digitization providers; electronic signature and digital transaction management providers; financial services companies; web mapping platforms.
- Retention: Length of business relationship plus any legally required additional retention period or as long as business needs require, whichever is longer.
Characteristics of Protected Classifications
- Sources: Directly from you; indirectly from you as you use services; notaries; data analytics providers; social networks; advertising networks; internet/mobile service providers; counterparties in a transaction; credential analysis companies; identity verification services. For job applicants: directly from you; background check providers; recruiters; recruiting software providers.
- Purpose: Provide services; communicate; protect and secure environment; verify, maintain, improve, upgrade, or enhance products/services; identify and repair errors; advertise/market; meet legal obligations.
- Recipients: Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; payment processors; mobile application platforms; tag management platforms; video sharing platforms; notaries; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; counterparties in a transaction; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; background screening companies; mortgage process digitization providers; electronic signature and digital transaction management providers.
- Retention: Length of business relationship plus any legally required additional retention period or as long as business needs require, whichever is longer.
Commercial Information
- Sources: Directly from you; indirectly from you as you use services; notaries; data analytics providers; social networks; advertising networks; internet/mobile service providers; counterparties in a transaction.
- Purpose: Provide services; communicate; protect and secure environment; verify, maintain, improve, upgrade, or enhance products/services; identify and repair errors; advertise/market; meet legal obligations; maintain transaction records.
- Recipients: Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; payment processors; mobile application platforms; tag management platforms; video sharing platforms; notaries; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; counterparties in a transaction; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; mortgage process digitization providers; electronic signature and digital transaction management providers; financial services companies; web mapping platforms.
- Retention: Length of business relationship plus any legally required additional retention period or as long as business needs require, whichever is longer.
Biometric Information
- Sources: Directly from you; indirectly from you as you use services; internet/mobile service providers; credential analysis companies; identity verification services.
- Purpose: Provide services; communicate; protect and secure environment; verify, maintain, improve, upgrade, or enhance products/services; identify and repair errors; meet legal obligations; maintain transaction records.
- Recipients: Affiliates; technology service providers.
- Retention: Length of business relationship plus any legally required additional retention period or as long as business needs require, whichever is longer.
Internet and Other Electronic Network Activity Information
- Sources: Indirectly from you as you use services; data analytics providers; social networks; advertising networks; internet/mobile service providers.
- Purpose: Provide services; detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; verify, maintain, improve, upgrade, or enhance a service or device; identify and repair errors; advertise/market; perform analytics.
- Recipients: Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; payment processors; mobile application platforms; tag management platforms; video sharing platforms; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; single sign-on providers; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; mortgage process digitization providers; electronic signature and digital transaction management providers; financial services companies; web mapping platforms.
- Retention: Length of business relationship plus any legally required additional retention period or as long as business needs require, whichever is longer.
Geolocation Data
- Sources: Indirectly from you; devices you use to access services; data analytics providers; social networks; advertising networks; internet/mobile service providers.
- Purpose: Provide services; protect and secure environment; verify, maintain, improve, upgrade, or enhance products/services; identify and repair errors; advertise/market.
- Recipients: Advertising networks; social networks; technology service providers; customer relationship management providers; mobile application platforms; tag management platforms; video sharing platforms; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; web mapping platforms.
- Retention: Length of business relationship plus any legally required additional retention period or as long as business needs require, whichever is longer.
Sensory Data
- Sources: Directly from you; indirectly from you as you use services; internet/mobile service providers; credential analysis companies; identity verification services.
- Purpose: Provide services; communicate; protect and secure environment; verify, maintain, improve, upgrade, or enhance products/services; identify and repair errors; meet legal obligations; maintain transaction records.
- Recipients: Affiliates; technology service providers; counterparties in a transaction.
- Retention: Length of business relationship plus any legally required additional retention period or as long as business needs require, whichever is longer.
Professional or Employment-Related Information
- Sources: Directly from you; notaries; data analytics providers; social networks; advertising networks; counterparties in a transaction; credential analysis companies; identity verification services. For job applicants: directly from you; background check providers; recruiters; recruiting software providers.
- Purpose: Provide services; communicate; protect and secure environment; verify, maintain, improve, upgrade, or enhance products/services; identify and repair errors; advertise/market. For job applicants: process application.
- Recipients: Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; payment processors; mobile application platforms; tag management platforms; video sharing platforms; notaries; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; counterparties in a transaction; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; background screening companies; mortgage process digitization providers; electronic signature and digital transaction management providers; financial services companies.
- Retention: Length of business relationship plus any legally required additional retention period or as long as business needs require, whichever is longer. For job applicants: up to 7 years for non-hired applicants, barring any legally required additional retention period.
Non-Public Education Information (FERPA)
- Sources: For job applicants: directly from you; recruiting software providers; background check providers; recruiters.
- Purpose: For job applicants: process application.
- Recipients: Affiliates; background screening companies; technology service providers.
- Retention: For job applicants: up to 7 years for non-hired applicants, barring any legally required additional retention period.
Inferences Drawn from Information
- Sources: Indirectly from you; devices you use to access services; data analytics providers; social networks; advertising networks; internet/mobile service providers.
- Purpose: Provide services; advertise/market; perform analytics; maintain, improve, upgrade, or enhance products/services.
- Recipients: Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; mobile application platforms; tag management platforms; video sharing platforms; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; collaboration software providers; customer engagement and communication platforms; web mapping platforms.
- Retention: Length of business relationship plus any legally required additional retention period or as long as business needs require, whichever is longer.