As more companies invest in Digital Adoption Platforms, many of their IT teams have questions about data security. How can you protect your data as you add tools on top of your existing software and processes?
In this post we take a closer look at what a Digital Adoption Platform is, what you need to know about how DAPs interact with data, and which certifications you should look for from your DAP vendor.
What is a Digital Adoption Platform and How Does it Handle Data?
A DAP is a software solution layered on top of another application that guides users through walkthroughs, tasks and functions to save time and increase productivity. Digital Adoption Platforms (DAPs) can be used to increase the adoption and usage of any web-based enterprise application or SaaS product.
One of the first questions people ask when demoing a solution like Apty is: how will it handle my data? A well-designed DAP should not access or store your sensitive data from the host application.
For example, a common DAP feature is data validation. In Apty's case this is the only time the software analyzes field inputs, and the check is performed in real time: the values being checked are not collected or stored in the database. Apty stores only two types of data:
- Instructional content – the help content created in Apty.
- Analytical data – Stats on how users interact with the help content you created.
For more information on Apty’s data processing and security, see this support article.
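To make the data-handling principle above concrete, here is an added illustration in JavaScript (not Apty's code and not taken from this post): a DAP-style field validator that checks a host-application input in real time and records only the field name and a pass/fail outcome to analytics, never the field value itself. The field names, validation rules, the `analyticsLog` sink and the `eventLeaksValue` check are all assumptions made for the example.

```javascript
// Added example: real-time field validation that keeps host data out of
// the vendor's analytics store. Field names and rules are hypothetical.

// Hypothetical host-application fields and the rule each one must satisfy.
const RULES = {
  email: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  zip: (v) => /^\d{5}(-\d{4})?$/.test(v),
};

// Constructed in-memory stand-in for the DAP vendor's analytics store.
const analyticsLog = [];

// Validate a field in real time. Only the field name, the outcome and a
// timestamp are emitted; the raw value never leaves this function.
function validateField(fieldName, value) {
  const rule = RULES[fieldName];
  if (!rule) throw new Error(`no validation rule for field "${fieldName}"`);
  const ok = rule(String(value));
  analyticsLog.push({ field: fieldName, ok, at: Date.now() });
  return ok;
}

// Defensive check a reviewer can run on an event before it is sent:
// returns true if any property of the event equals the host field's value.
function eventLeaksValue(event, value) {
  return Object.values(event).some((x) => x === value);
}

// Run a few constructed inputs through the validator.
function demo() {
  const results = [
    validateField("email", "alice@example.com"),
    validateField("zip", "1234"),
  ];
  const leaks = analyticsLog.map((e) => eventLeaksValue(e, "alice@example.com"));
  return { results, events: analyticsLog.length, leaks };
}
```

The design choice worth noting is that the analytics event is built from a fixed set of properties (field, ok, at) rather than by spreading the input object, so there is no code path through which a field value can reach the store; `eventLeaksValue` is the simple check that confirms it.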
5 Certifications to Look for in a Digital Adoption Platform Vendor
In addition to reviewing the data security architecture, your IT team will most likely check that a digital adoption solution holds one or all of these key certifications:
- PCI DSS
- ISO 27001
- SOC Verification
- FIPS 140-2
- FISMA
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations handling branded credit card transactions; it applies to all service providers and merchants that process and store cardholder data.
The PCI standard is mandated by the credit card companies to reduce credit card fraud and to strengthen control over cardholder data. It is administered by the PCI Security Standards Council, a global forum that helps the payment industry develop and integrate data security guidelines for safe payments worldwide. This is an important certification for a DAP organization, or any organization, because it addresses the threats related to online fraud.
Apty has been validated and certified as PCI DSS compliant technology as a Level 1 service provider.
ISO 27001
ISO 27001 is an information security standard well known for setting out the requirements for an ISMS (Information Security Management System). An ISMS is an organized approach to managing confidential company information so that it remains secure, and it can help small, medium and large businesses in any sector keep their information secure.
This standard specifies a management system intended to bring security under organizational control and sets out specific requirements. Organizations that meet those requirements are awarded ISO 27001 certification after successfully completing an audit.
Companies opting for a Digital Adoption Platform (DAP) should verify ISO 27001 certification, as it is an important part of data privacy and security. Apty has achieved ISO 27001 certification covering all of its data centers, infrastructure and major cloud-based services.
SOC Verification
Service Organization Controls (SOC) verification helps companies establish reliance and confidence in their service delivery processes and controls. The reports are examined by a third party, which should be a CPA (Certified Public Accountant). Apty is SOC verified as a company, as it is built on AWS, which publishes SOC reports.
FIPS 140-2
The Federal Information Processing Standard (FIPS) is a mandatory standard, regulated by the U.S. government, for cryptographic systems used by federal agencies to protect sensitive information.
Who wants or needs FIPS 140?
Federal agencies purchasing platforms such as a Digital Adoption Platform that use cryptographic systems need to look for products that have gone through the FIPS validation process. Commercial and private companies can also choose FIPS-validated products, since the security standards are controlled by the U.S. government; the financial and digital cinema industries have also adopted FIPS as a standard for security products.
To support customers with FIPS validation requirements, Apty uses Amazon Virtual Private Cloud (VPC) VPN endpoints and SSL-terminating load balancers in the Amazon Web Services GovCloud (US) region, running on FIPS 140-2 validated hardware. AWS provides information to help customers manage compliance when using the AWS GovCloud (US) region.
FISMA
The Federal Information Security Management Act (FISMA) was part of the E-Government Act of 2002, which recognized the importance of information security to the national security interests of the United States. The act requires federal agencies to develop and implement an agency-wide program to secure the information systems that support their operations, including systems managed by other agencies or third parties.
Federal agencies looking for a Digital Adoption Platform must check for FISMA compliance. Apty is built on AWS, which enables federal agency customers to achieve and sustain compliance with FISMA; this includes documenting all company processes as well as third-party audits of the established processes and jurisdictions.
Treat these certifications as a checklist when evaluating a Digital Adoption Platform. Holding them is what makes a vendor an enterprise-ready solution.