Glossary

A

AICPA

AICPA stands for the American Institute of Certified Public Accountants. This member association designed the SOC audit and reporting standards, which define the criteria for managing customer information.

AuditLens

Application built for auditors to externally evaluate a company’s compliance program and assess it for adherence to a standard.

B

Breach Notification Rule (HIPAA)

Any PHI usage or disclosure that isn’t permitted under the Privacy Rule is considered a breach. When a breach occurs, Covered Entities are required to notify affected individuals.

Business Associate

A Business Associate is an entity that provides services to, or performs certain functions involving the use or disclosure of PHI on behalf of, a Covered Entity.

C

California Consumer Data Privacy Act (CCPA)

A California state data privacy law, effective January 1, 2020, that strengthened individuals’ rights by tightening the rules companies must follow when using personal information. CCPA is often said to be modeled on GDPR and is sometimes called the “GDPR light”.

Compliance Program

A compliance program is a company's set of internal artifacts (controls, policies, systems, etc.) put into place in order to comply with laws, rules, and regulations or to uphold the business's reputation.

Compliance Standard

A set of requirements, defined by a law or by an authority, that is widely accepted as a standard for demonstrating trustworthiness to your customers.

Control

A control is a practice a company follows in order to mitigate a potential risk. In TrustCloud, the control is the foundational building block of a company’s compliance program.

Covered Entities

If you are a Covered Entity, you are legally required to comply with all the standards set forth by HIPAA.

D

Data Rooms

Securely invite customers: by using the Data Rooms feature in TrustShare, sales and security teams have full control over which documents are shared with each customer, by creating a data room for each customer, where specific documents that need

E

Evidence

Each piece of evidence provides proof that a company is adhering to its controls. Auditors (and sometimes customers) require a company to provide evidence, so that they can validate that the company is actually meeting the compliance obligations it claims.

G

General Data Protection Regulation (GDPR)

Widely regarded as the toughest privacy and security law. Approved in 2016 and enforced by the EU from May 2018, it made the already strict European legal environment even more challenging for businesses. It imposes uniform data security

GRC

Governance, Risk and Compliance (GRC) is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.

H

HIPAA

Regulated by the United States Department of Health and Human Services’ Office for Civil Rights (OCR), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that established national standards to protect sensitive patient health information

HIPAA Rules

There are four rules designed to keep PHI safe and secure, and to properly notify affected parties in case of a data breach: Privacy, Security, Breach Notification, and Omnibus.

HIPAA Violation

A HIPAA violation is the failure to comply with any of the standards outlined in the rules. Even after you have successfully completed an audit, it is still possible to violate one of the HIPAA rules.

I

ISO 27701

ISO 27701 is a management standard that was published in 2019 in response to the growing need for a global data privacy framework. ISO (the International Organization for Standardization) and the IEC (the International Electrotechnical Commission) developed ISO 27701 as

O

Omnibus Rule

The HIPAA Omnibus Rule, which became effective in 2013, contains modifications and edits to the Security, Privacy, Breach Notification Rules and their enforcement. These modifications are intended to enhance confidentiality and security in data sharing, and strengthen the protection of

P

PHI

PHI is any individually identifiable health information that was created, used, or disclosed in the course of providing healthcare services, including, but not limited to: names, addresses, date of birth, Social Security number, payment or billing

Policy

A policy is a document that describes the intention of the company.

Privacy Rule (HIPAA)

The Privacy Rule was developed to ensure that organizations that create and store health information take appropriate steps to protect this information from misuse or wrongful disclosure.

Program

See Compliance Program.

Protected Health Information (PHI)

See PHI.

R

Risk Management

Risk management is the process of identifying, assessing, and mitigating potential risks that could negatively impact an organization's objectives, goals, or projects. The objective of risk management is to minimize the likelihood and impact of risks by developing and implementing

S

Security Posture

An organization's security posture (or cybersecurity posture) is the collective security status of all of its software, hardware, services, networks, information, vendors and service providers.

Security Questionnaire

Security questionnaires are lists of often complex and technical questions, usually compiled by IT teams, to determine a company's security and compliance posture.

Security Rule (HIPAA)

The Security Rule protects a subset of the information covered by the Privacy Rule, and sets the standard for the protection of electronically stored and transmitted PHI (ePHI). It does so by requiring the implementation of administrative, technical, and physical safeguards.

SOC 2

SOC 2 is a comprehensive framework applicable to all service providers who store any kind of client data in the cloud or on-prem. Moreover, SOC 2 is the most widely adopted and requested compliance certification for SaaS vendors in the

SOC 2 Audit Firm

SOC 2 audit firms are regulated by the AICPA, and they are required to be independent CPAs. The SOC 2 auditor you choose to work with will examine your controls (which will include evidence collection) to determine whether they are

SOC 2 Report

An audit report produced by an objective third-party firm responsible for assessing your cybersecurity practices. All companies that hold customer information in the course of their operations should consider scheduling and undergoing an audit. Depending on the maturity of

SOC 2 Type I Report

A SOC 2 Type I report examines the controls that govern an entity’s security and other applicable criteria at a point in time. This involves an auditor performing a walkthrough of your processes to understand and attest to the design

SOC 2 Type II Report

A SOC 2 Type II report assesses the effectiveness of an entity’s security and other applicable criteria over the period since the last SOC 2 audit. Most SOC 2 reports are renewed annually. However, it is up to the company to decide to go

SOC Trust Services Criteria (TSC)

There are five Trust Services Criteria (TSC), also called Trust Services Principles (TSP), within the SOC 2 framework. All organizations pursuing a SOC 2, regardless of size, industry, or customer needs, must include the Security criteria. The others are optional

Subcontractor

A Subcontractor is an entity to whom a Business Associate delegates a function, activity, or service, other than in the capacity of a member of the Business Associate’s workforce.

Subservice Organization

If a vendor’s controls, in combination with your organization’s controls, are necessary to achieve your service commitments and system requirements, to meet your SOC 1 objectives, or to fulfill applicable SOC 2 trust services criteria, then the vendor is classified

System

A piece of software, either built by the company or purchased from a third party. All the cloud-based tools that employees use on a daily basis typically qualify as systems. For example → Salesforce, Slack, JIRA, Miro, AWS S3, Gusto, etc.

T

TCCCF

The TCCCF is a set of comprehensive controls that were developed based on common requirements from various industry security and privacy frameworks such as NIST, ISO, SOC, and HITRUST.

Team (or “Account”)

A single customer’s instance of TrustCloud. “Team” roughly equates to a company, or an Organization Unit within a company.

Test

A test checks for a single requirement in a control. All controls contain one or more tests, each of which checks for a specific requirement of the control.

Third-Party Vendor

A third-party vendor is a person or company that provides services to another company (or to that company's customers).

Trust Assurance

Trust Assurance is a brand-new approach: a crafted, consumer-grade user experience that demystifies compliance. It pairs machine learning with intuitive design to do most of the work for you, embedding accurate testability into every workflow to

Trust Champion

The person who helps their organization measure and meet its internal compliance obligations. Their actions support revenue-generating activities, protect their organization from legal and contractual liabilities, and enable the organization to confidently and transparently showcase an intentional, robust, and differentiated

TrustHQ

TrustHQ enables companies to engage their employees in meeting their trust obligations to the company. Employees can understand, and periodically attest to, their obligations to the company, such as reading and acknowledging company policies and declaring their use of third-party

TrustOps

Application that enables continuous compliance automation. TrustOps empowers teams to manage their internal trust operations and achieve one or more security and privacy compliance standards such as SOC 2, HIPAA, ISO 27001, etc.

TrustRegister

Predictive intelligence to eliminate manual, unreliable processes and optimize your risk management program. TrustRegister helps you identify risks, streamline remediation, and assess business impact so you can maintain a proactive program - good riddance to that pesky spreadsheet

TrustShare

An automatically generated, interactive website that TrustCloud customers use as a single place for all trust communication with their prospects and customers. TrustShare confidently showcases your company’s security and compliance hygiene to help you bypass completing security questionnaires!

TrustShare Questionnaires

TrustShare feature that uses Machine Learning to auto-generate accurate answers to security questionnaires.

U

User

An individual who uses TrustCloud, identified by their email address. A user may be part of a single team or of multiple teams. Most users belong to a single team.

V

Vendor

A company that builds and ships a system. For example, Microsoft is the vendor for systems like Azure AD, Confluence, Office 365, etc.