Last Updated: January 1, 2024
The AssistRing Security Standards apply to all vendors, suppliers, and service providers (“Provider”) engaged by AssistRing. These standards reinforce our commitment to data integrity, privacy, and global compliance. In the event of a conflict between these standards and a specific service agreement, these standards shall govern all data protection obligations.
AssistRing requires all Providers to maintain a robust security posture consistent with top-tier international benchmarks.
ISO/IEC 27001 Compliance: Providers must operate an information security management system certified to ISO/IEC 27001:2022 by an accredited third party. Certification must be kept current, including the annual third-party audits required to maintain it.
SSAE 18 (SOC 2 Type II): Providers processing personal data must provide, annually, a SOC 2 Type II report issued under the SSAE 18 attestation standard. Any material vulnerability or control exception must be reported to AssistRing within 10 days of discovery and remediated without delay.
PCI-DSS Requirements: Any Provider handling credit card or payment data must maintain a current PCI-DSS Attestation of Compliance and adhere to all standards issued by the PCI Security Standards Council.
Risk Assessments: Providers must complete the AssistRing Vendor Risk Assessment upon onboarding and annually thereafter.
To prevent unauthorized access, AssistRing mandates strong, standards-based encryption for data at rest and in transit.
Encryption in Transit: All personal data in transit must be protected with TLS 1.2 or later (TLS 1.3 preferred); SSL and TLS 1.0/1.1 must be disabled. Cipher suites and cryptographic modules must be consistent with NIST SP 800-52 Rev. 2 and FIPS 140 validation requirements.
Encryption at Rest: Providers must encrypt data stored on servers and end-user devices using strong, NIST-approved algorithms and sound key management, aligned with NIST SP 800-111.
Access Logging: Providers must keep electronic records of all access attempts (successful and failed) and all data transfers involving AssistRing data, generated by their identity and access management (IAM) and audit logging systems.
AssistRing enforces a “Clean Floor” policy and strict logical segmentation to protect client resources.
Logical Segmentation: AssistRing Personal Data must be logically isolated from other clients' data at all times, and physically isolated where the processing environment allows.
Physical Safeguards: Authorized locations must feature 24/7 video surveillance (90-day retention), badge-restricted access, and floor-to-ceiling physical barriers.
Prohibited Items: Personal electronic devices (phones, cameras), bags, and recording tools are strictly prohibited in areas where data is processed.
Network Monitoring and Log Retention: Complete and accurate network and access logs must be retained for the duration of the contract plus six years.
Time is critical during a security event. AssistRing mandates a rapid, transparent response protocol.
8-Hour Notification: Providers must notify AssistRing within 8 hours of becoming aware of any suspected or confirmed security incident affecting AssistRing data or the systems that process it.
Response Plan: Providers must maintain a written Incident Response Plan, tested annually, which defines clear roles, remediation steps, and communication channels.
Full Cooperation: AssistRing reserves the right to involve its own investigators. Providers must provide full access to logs, affected systems, and forensic data.
Transparency is verified through regular, rigorous inspections.
Right to Audit: AssistRing (or a designated third party) may conduct up to four scheduled audits per year, plus unannounced spot audits during operating hours.
Penetration Testing: AssistRing may perform annual penetration testing that simulates internal or external attacks against Provider systems in scope for AssistRing data, so that weaknesses are identified and remediated.
Suspension Rights: AssistRing reserves the right to suspend connectivity or payments immediately if a critical security breach is detected or if an audit reveals non-compliance.
Providers must designate a primary security contact available 24/7 to assist with incident resolution. Inquiries regarding these standards should be directed to the AssistRing Global Security Team.