Thrive Global is committed to protecting the security and privacy of our customer and user data. We have designed our Information Security Management System (ISMS) and Privacy Information Management System (PIMS) to meet ISO/IEC 27001 and 27701, AICPA SOC 2 and HIPAA/HITECH requirements. We have been SOC 2 Type II certified through A-LIGN since 2020 and achieved ISO 27001/27701 in 2022.
Thrive Global is committed to maintaining compliance with GDPR, CCPA and other local security and privacy regulations. Our policies and procedures incorporate these requirements and are reviewed not less than annually.
The objectives of our overall security and privacy programs are:
- Ensuring the confidentiality, integrity, and availability (CIA) of Thrive Global and user data.
  - Confidentiality: The system ensures that Thrive Global data is accessed by authorized users and for authorized uses only.
  - Integrity: The system ensures that changes made to ISMS/PIMS data are known and, if improper, correctable.
  - Availability: The system ensures that Thrive Global’s data remains available for intended purposes.
- Continuous improvement of the system, and adherence to information security best practices.
- Ensuring any personally identifiable information and data is protected, and privacy concerns are addressed.
- Providing for employee awareness of information security and privacy obligations and best practices.
- Enforcing the principle of least privilege across all Thrive Global systems.
Overview of Controls
- All data in transit is encrypted. Our product uses TLS 1.2 or higher encryption with modern cipher suites.
- All data at rest must be encrypted. Our Microsoft Azure hosted infrastructure uses AES-256 encryption.
- Thrive Global uses Microsoft Azure to host our production infrastructure with automated backups across multiple US regions.
Application and Product Security
- Thrive Global follows a Privacy-By-Design process. Product and engineering teams consult with the security team at the start of development efforts to review the design of new features.
- Our Secure Development Life Cycle (SDLC) includes static and dynamic scanning, peer review, and manual and automated testing. Thrive Global maintains a vulnerability management policy that specifies the priority and timeline for remediating identified issues.
- Thrive Global uses third parties to conduct an annual penetration test of our mobile and web applications, performing both an application review and a source code review.
- Our product includes authentication options including single sign-on (SSO) to protect user accounts.
- Thrive Global has a dedicated security team to support our product and operational teams who implement and enforce our security and privacy policies.
- All employees complete annual security & privacy training.
- Thrive Global uses Role Based Access Control and limits employee access to the minimum necessary to do their job.
- Thrive Global utilizes SSO with multi-factor authentication to protect all corporate systems.