Fastpath Assure is a cloud-based risk and compliance management platform designed to help companies achieve process efficiency, reduced costs, and enhanced control over their fraud, auditing, and compliance efforts.
Fastpath takes compliance with privacy regulations and standards, like GDPR and CCPA, very seriously. This FAQ will help all stakeholders of Fastpath – vendors, customers, partners, and end-users – better understand the actions Fastpath has taken, as a provider of cloud-based solutions, to address questions you may have regarding Fastpath and data privacy regulatory compliance. This FAQ will also help readers understand Fastpath’s general approach to other regulations and standards. We encourage all customers and prospects to evaluate their compliance with such regulations and make sure their software vendors have taken appropriate steps to ensure personal data privacy and security in the solutions they deploy. Many of the questions represented here are questions that should be asked of any software vendor, Fastpath included. Our goal at Fastpath is to support each customer as if they are our only customer, particularly in critical areas like GDPR or other regulations where Fastpath may be a part of the customer's controls to address the requirements of such regulations.
The General Data Protection Regulation (GDPR) is a law that establishes guidelines for collecting and processing the personal information of European Union (EU) citizens, regardless of where they are located or where the company that stores their data is located.
The California Consumer Privacy Act (CCPA) is similar in many respects to GDPR. It gives California residents the right to view, delete, and restrict the use of their personal information collected by companies. Although we focus here primarily on GDPR, this information also applies to the corresponding sections of the CCPA.
Several definitions apply to the parties responsible for GDPR compliance:
With the foregoing in mind:
Fastpath Customers are responsible for identifying their responsibilities regarding their clients' personal data and placing controls around that data to ensure compliance with the articles of GDPR. Fastpath does provide solutions to assist the Customer in GDPR compliance (Segregation of Duties, Access Reviews, Access Certifications, and Audit Trail), but the application of these modules is controlled by the Fastpath Customer, as the Controller, and not Fastpath.
Fastpath does not have physical access to Customer data. Fastpath relies on the Platform as a Service (PaaS) offering from Microsoft Azure to complement the Software as a Service (SaaS) solution Fastpath provides to their Customers. Fastpath cannot copy or access any Customer data and has no logins into the Customer environment. The only access Fastpath has for its Customers is through an Azure administrative account to initially provision the Customer's application.
Fastpath has engaged Microsoft to host their solutions, and these solutions may contain Customer data. As a Sub-Processor to Fastpath, Microsoft is responsible for the controls around any personal data obtained by Fastpath Customers since this data resides on Microsoft hardware.
Fastpath conducts annual reviews of the Microsoft Azure SOC reports to ensure the controls Microsoft has in place are adequate and functioning as designed. Fastpath performs annual reviews of the SOC 1 and SOC 2 reports for Microsoft's Azure datacenters in the US, UK, Germany, Canada, and Australia.
A SOC 1 report determines whether an organization has the appropriate controls in place related to the processing of financial systems and the generation of financials. A SOC 2 examination reviews the controls in place for managing Customer data based on criteria the American Institute of CPAs (AICPA) has developed around security, availability, processing integrity, confidentiality, and privacy.
Fastpath has taken the additional step to have SOC 1 and SOC 2 examinations conducted annually of their Fastpath Assure cloud platform, even though no Customer data resides on Fastpath hardware or facilities. These reviews cover the processes Fastpath has internally for their operations, including application development, backup and recovery, change management, and other areas defined in the SOC 1 and SOC 2 review criteria from the AICPA.
Fastpath is used by its clients to verify whether certain users should have access to view or edit specific fields in the client's business software. Fastpath does not typically read the values of those fields, only whether a user has access to them. As a general rule, Fastpath is only concerned with user access to the Customer's business system, so the only personal information that Fastpath would typically access is that of the Fastpath Customer's staff, limited to first name, last name, email address, login/UserID, and job title. The Fastpath SOD/Access Review/Access Certification modules fall into this area.
A possible exception is related to the Fastpath Audit Trail module, which records changes made to values within a business application. A Customer could choose to track changes made by their staff to high-risk information data fields, such as SSN, credit card numbers, passport numbers, etc., using the Audit Trail product. Fastpath does not govern which fields a Customer decides to track with Audit Trail.
Data processing is typically performed at an Azure datacenter in the US. Data, if it is stored anywhere, can be stored in a different geographical datacenter (UK, Germany, Australia, etc.) as needed.
Fastpath's Audit Trail product retains information on data changes for auditing purposes. The before and after snapshots are retained in the Customer's environment (ERP, CRM, etc.) and not on Azure. The only exception to this is Fastpath Audit Trail for NetSuite, which stores its data in an Azure Data Center.
Fastpath never downloads or has physical access to customer data.
Fastpath does not have control over how a Customer implements Fastpath. Instead, the Customer makes the decisions governing the setup, configuration, and data management of Fastpath. Therefore, Fastpath does not guarantee that it will address a given Customer's GDPR needs since Fastpath does not verify the Customer implementation of Fastpath in accordance with GDPR.
However, Fastpath tools are designed to provide appropriate controls around monitoring and reporting user access and data changes. In addition, Fastpath relies on Microsoft as a Sub-Processor to have the appropriate controls to ensure the security and privacy of a Customer's data. If implemented correctly, Fastpath should give the Customer the desired controls in this area. However, monitoring user access and data changes is only a small part of GDPR compliance.
GDPR is a complex regulation with 99 Articles organized into 11 Chapters, plus 173 Recitals, and it includes the 8 "Rights" that drive much of what companies put in place around GDPR. There is much more to GDPR than just who has access to personal data and what they might be doing with that access. No software product will "make you compliant". Compliance with any regulation or standard (GDPR, CCPA, SOX, HIPAA, etc.) involves people, process, and technology. When they all work together correctly, it is possible to achieve compliance success. Fastpath provides technical tools to address specific access requirements outlined in GDPR, but there are many additional areas related to GDPR where the Customer (as the Controller) must implement processes and controls themselves to meet all the requirements of GDPR.
As you move your business applications to the cloud, here are some questions that you should ask your cloud provider:
Q: Who owns the security controls?
Cloud providers stake their business on providing security for your data and maintaining advanced threat detection tools. However, some controls will remain your responsibility on the application side. Ask your hosting provider and/or software vendor to help you understand your responsibilities for running your application in the cloud. The Shared Responsibility Model and Complementary User Entity Controls sections of SOC reports are also great places to start that discussion.
Fastpath’s response: The customer still owns the responsibility for assigning users and their access rights to data which resides in Fastpath. Fastpath does not have direct access to customer data or have logins to the customer’s Fastpath Azure instance. Application related controls, such as user access and user provisioning, are the responsibility of the customer.
Q: Does the host provider have a SOC report?
System and Organization Controls (SOC) reports are reviews based on guidance from the AICPA concerning system integrity and availability, security, change management, and physical security. These reviews reflect responsibilities formerly performed on premises but will now be managed by the cloud provider and the software vendor.
A SOC 1 report focuses on the service organization's controls that would affect an audit of the customer's financial statements. In contrast, a SOC 2 report focuses on controls that affect operations and compliance, and include security, confidentiality, trust, and privacy.
Fastpath’s response: Fastpath takes compliance, security, and privacy seriously. As such, we have SOC 1 and SOC 2 Type 2 examinations conducted of our Fastpath Assure cloud platform annually. Customers can be confident that the controls Fastpath has in place are operating as designed, providing a sound platform for customers to process, analyze, and report on their security data through Fastpath. The Fastpath Assure cloud platform resides on Microsoft Azure (in most cases, it resides on the Azure Central Data Center outside of Chicago, Illinois, specifically). Microsoft has state of the art controls in place at their Data Centers, and these controls are reviewed annually via SOC 1 and SOC 2 Type 2 examinations Microsoft has conducted by the accounting firm Deloitte. As a part of their own internal controls, Fastpath reviews the Microsoft Azure SOC reports to ensure controls are indeed operating as designed and are providing the appropriate procedures around security, privacy, trust, and other areas.
Q: How often is the code updated by the software vendor? And are there scheduled downtimes?
Software updates contain new features, bug fixes, and security patches. Knowing that software is routinely updated as new releases are available ensures you are using the latest, most secure version. Cloud providers and software vendors will typically schedule a window of time when the system will be unavailable to allow them time to install these updates. Knowing when this downtime will occur and how long the downtime is expected to last is especially critical for companies with global operations, 24x7 uptime requirements, or privacy considerations.
Fastpath’s response: Fastpath has quarterly major releases, and monthly code updates. When releases occur, all Fastpath users are notified via email well in advance of the maintenance window when Fastpath Assure will not be available. These windows usually require a one- to two-hour period on a Friday night (Central Time). In addition to the notification of the planned downtime, Fastpath users are provided a release notes document that explains the functionality updates included in the release.
Q: Where does my data physically reside? And do the hosting provider's procedures meet privacy regulations?
The answer to this question is important to fully understand the implications of how an organization will handle data from your customers, since there can be severe penalties as a consequence of violating the EU’s GDPR or the State of California's CCPA. Passing data between countries often falls under additional requirements outside of GDPR, and these additional requirements should be understood and followed by all parties: the cloud provider, the software vendor, and the customer.
Fastpath’s response: The Fastpath Assure cloud platform resides on Microsoft Azure. Microsoft has state of the art controls in place at their Data Centers, and these controls are reviewed annually via SOC 1 and SOC 2 Type 2 examinations Microsoft has conducted by the accounting firm Deloitte. In addition, Microsoft holds many certifications related to privacy, security, and compliance with various regulations and standards. Microsoft has placed controls in place to address the requirements of GDPR and CCPA, along with many other privacy regulations.
Q: Do you, the Software Vendor, have access to my data?
It is critical that customers know who has access to their data as well as whether the customer has the ability to review this access. Without controls in place around user access, there is a risk of inappropriate access to your data, and this could introduce greater risk of fraud, and/or present issues related to compliance with privacy regulations.
Fastpath’s response: Fastpath does not have direct access to customer data, nor does it have the ability to log into the customer’s Fastpath Assure instance. The Fastpath Assure cloud platform does provide robust user logging and user access reporting to allow customers to quickly identify who has access to their environments and what the users might be doing with that access.
Q: How often is business continuity/DRP (Disaster Recovery Plan) testing conducted of your solution and what is your RPO (Recovery Point Objective) and RTO (Recovery Time Objective)?
Customers cannot directly control the recovery of cloud-based software solutions, since, by definition, the application and data do not reside on their hardware. As such, it is critical to ask your software vendor about the policies, procedures, and testing they conduct around the recovery of their software and customer data if a problem occurs. Additionally, key metrics in this area, such as RPO and RTO, should be shared with the customer to verify these performance metrics meet the customer’s recovery requirements.
Fastpath’s response: Fastpath conducts annual business continuity and disaster recovery testing. These programs are also included in the scope of the SOC 1 and SOC 2 Type 2 examinations Fastpath has conducted every year. Additionally, Microsoft has a robust business continuity and DRP to ensure they can quickly restore customer environments in Azure, including Fastpath customers, if an interruption to Azure occurs. Fastpath also has a stated RPO of one hour and an RTO of one minute.
Changes to this Statement
Fastpath will occasionally update this Personal Data Compliance page to reflect company and customer feedback. Fastpath encourages you to periodically review this page to be informed of how Fastpath is protecting your information.
Fastpath welcomes your comments regarding this Personal Data Compliance statement. If you believe that Fastpath has not adhered to this Statement, please contact Fastpath at firstname.lastname@example.org. We will use commercially reasonable efforts to promptly determine and remedy the problem. If you have a GDPR DSR request, please contact Fastpath at GDPR@gofastpath.com.