
Compliance

Janrain maintains certification or compliance with ISO 27001:2013, ISO 27018:2014 (PII protections in the cloud), SOC 2 Type II (Security Common Criteria, Availability, Confidentiality, Processing Integrity and Privacy Trust Principles), HIPAA (storage of healthcare data), HITECH (transmission of healthcare data), Cloud Security Alliance (CSA STAR) Level 2 Certification by Attestation, the U.S.-E.U. Privacy Shield Framework (reviewed by TRUSTe), and the TRUSTe privacy program.

The effectiveness of Janrain’s Information Security Management System (ISMS) is also measured by quarterly and annual metrics that accurately reflect the status of the implementation and operation of Janrain security systems and controls. Internal Audits and formal Risk Assessments are performed annually. Janrain performs vulnerability testing with each major software release. Independent, external performance, penetration and vulnerability testing is performed annually.

Cloud Security Alliance (CSA Star) Level 1 Questionnaire

Cloud Security Alliance Level 2 Certification

ISO 27001:2013 Certification

ISO 27018:2014 Certification

ISO 27005 Compliance

SOC 1 Compliance

SOC 2 Compliance

SOC 3 Compliance

HIPAA Compliance

HITECH Compliance

OpenID Connect (OIDC) Certification

PIPEDA Compliance

COPPA Compliance

GxP (FDA CFR 21 Part 11) Compliance

ISO 27001:2013 Certification

What it is: ISO/IEC 27001 is the best-known standard specifying the requirements for building and operating a security and risk management program, otherwise known as an information security management system (ISMS). Janrain’s security program was built around the ISO 27001 controls. Details can be found here: https://www.iso.org/isoiec-27001-information-security.html

Why we do it: To demonstrate that Janrain has an overarching and rigorous security program built on an internationally recognized standard, and that Janrain’s risk assessment processes have been externally validated.

About Janrain’s ISO 27001 Certification: Janrain first obtained ISO 27001 certification in 2014 against the 2005 controls. Janrain was re-certified in 2015 against the updated 2013 controls. In 2016, Janrain underwent a full ISO 27001:2013 audit on top of the mandated surveillance review. In 2017, Janrain was recertified again for ISO 27001:2013. As an organization, Janrain uses ISO 27002 as the code of practice for its information security controls.

About Data Center ISO 27001 Certification: https://aws.amazon.com/compliance/iso-27001-faqs/

Scope: The entire Janrain Identity Cloud and the entire Janrain organization is in scope. Janrain is audited for every ISO 27001:2013 control.

Links to Certifications 
Janrain ISO 27001 Certification
AWS ISO 27001 Certification
Sinnet ISO 27001 Certification (China Datacenter)

ISO 27018:2014 Certification

What it is: ISO 27018:2014 is an add-on to ISO 27001:2013 certification with additional controls pertinent to the protection of Personally Identifiable Information (PII) in the cloud.

Why we do it: Janrain operates solely in the cloud and, in order to demonstrate to our clients that we are proactive in keeping the Janrain Identity Cloud secure, it was imperative that Janrain obtain this certification, which was created specifically for personal data protection in the cloud. Also, since many of the ISO 27018 controls map directly to GDPR requirements and data subject rights, it helps demonstrate Janrain’s GDPR readiness.

About Janrain’s ISO 27018:2014 Certification: Obtaining ISO 27018:2014 certification reflects the importance that Janrain places on securing PII in the cloud. ISO 27018 is not a stand-alone certification but rather an “add-on” to ISO 27001. Some organizations choose, for marketing reasons, to obtain a separate, non-accredited certificate, but Janrain believed that discerning clients would prefer Janrain’s ISO 27018 certification to be accredited by ANAB. Hence, we hold a combined accredited ISO 27001:2013 and ISO 27018:2014 certificate.

About Data Center ISO 27018:2014 Certification: https://aws.amazon.com/compliance/iso-27018-faqs/

Scope: The entire Janrain Identity Cloud and the entire Janrain organization is in scope.

Links to Certifications

Janrain ISO 27001/ISO 27018 Certification (combined certificate)

ISO 27005 Compliance

ISO 27001 requires a risk-based information security management system; ISO 27005 provides additional guidance on how to perform information security risk management. ISO 27005 is a guidance standard rather than a certifiable one, so there is no separate ISO 27005 certificate. As part of Janrain’s ISO 27001 certification, our auditors have informed us that Janrain meets the requirements of ISO 27005.

Cloud Security Alliance (CSA Star) Level 1

What it is: The Cloud Security Alliance (CSA) is a not-for-profit organization formed to promote the use of best practices for providing security assurance within cloud computing. The CSA is continually gaining in importance as more of the world moves away from on-premises solutions and into the cloud. CSA STAR is the industry forerunner in cloud security standards.

CSA Star Level 1 is a self assessment questionnaire that can be uploaded to the CSA Website. 
https://cloudsecurityalliance.org/star/self-assessment/#_overview

Why we do it: To be transparent to our clients and prospects on how Janrain implements security.

About Janrain’s CSA Star Level 1: Janrain completes the CSA Consensus Assessments Initiative Questionnaire (CAIQ), which is available upon request to clients and prospects under NDA. In addition, Janrain is the only CIAM platform to have been independently audited against the CSA controls to obtain Level 2 CSA Certification (see the Level 2 section below).

Data Center CSA Star Level 1: AWS has completed the CSA STAR Self-Assessment and published the results on the AWS website. Please refer to the AWS CSA Consensus Assessments Initiative Questionnaire, which at the time of writing is based on the latest CAIQ (v3) released by the CSA.

Scope: The entire Janrain Identity Cloud and the entire Janrain organization is in scope.

Cloud Security Alliance (CSA Star) Level 2 Certification

What it is: CSA STAR Level 2 is a third-party assessment of a cloud provider against the CSA Cloud Controls Matrix (the CSA and the STAR program are described under Level 1 above).

The CSA STAR Overview outlines the three different ways to obtain a third-party-assessed Level 2 certification:

  1. via STAR Certification, an ISO 27001 audit extended with the Cloud Controls Matrix;
  2. via STAR Attestation through SOC 2 (CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Services Principles, AT 101) and the CSA Cloud Controls Matrix); or,
  3. via C-STAR, a special assessment for China only.

Why we do it: CSA STAR leads the industry in defining cloud security standards. Since the Janrain Identity Cloud operates exclusively in the cloud, it was necessary to obtain certification that Janrain aligns with cloud security best practices. The audit included an independent examination of the security of Janrain’s APIs, which is not included in ISO and SOC audits.

About Janrain’s CSA Star Level 2 Certification by Attestation: Janrain has obtained Cloud Security Alliance (CSA) Level 2 Certification by Attestation which is the highest level of CSA Star certification currently available. (Level 3 Continuous Monitoring Certification does not yet exist).

Scope: The entire Janrain Identity Cloud and the entire Janrain organization is in scope. Please also view https://cloudsecurityalliance.org/star-registrant/janrain/#att from which you can download additional information related to the scope of Janrain’s CSA Star Certification

Links to Certifications: Janrain’s 2017 CSA STAR Attestation Report is available upon request to clients and prospects under NDA. Janrain’s CSA Level 2 Certification via Attestation may be viewed by clicking on ‘J’ in the CSA STAR Registry (https://cloudsecurityalliance.org/star/#_registry), with further details available by clicking on the “Attestation” button.

Cloud Security Alliance (CSA Star) Level 3 Continuous Monitoring Certification

CSA STAR Continuous (Level 3) is still in development. Since it does not yet exist, Janrain holds the highest CSA certification currently possible, CSA STAR Level 2 Certification by Attestation.

SOC 1 Compliance

What it is: Performed under the Statement on Standards for Attestation Engagements (SSAE) 18, a SOC 1 report focuses on a service organization’s controls that are likely to be relevant to an audit of a user entity’s (customer’s) financial statements. (SAS 70 was deprecated and replaced with SSAE 16 (SOC 1) and SOC 2; SSAE 16 became SSAE 18 on May 1, 2017.) SOC 1 tests controls that affect a client’s financial statements, i.e. the money in and money out.

Janrain: SOC 1 does not apply to Janrain since we do not process our client’s financial data.

Data Center: AWS SOC 1 Report - Download with AWS Artifact

SOC 2

What it is: SOC 2 Type 2 is an independent audit report that focuses on a business’ operational controls. There are five Trust Services Principles, each with its own criteria and controls.

  1. Security Trust Principle consists of the common security criteria and controls. There is a heavy focus on production operations and technical support.
  2. Availability Trust Principle focuses on criteria and controls related to high availability. An audit report for Availability must be combined with a SOC 2 Type 2 Security Trust Principle report.
  3. Confidentiality Trust Principle focuses on criteria and controls related to how customer data is treated inside an organization. An audit report for Confidentiality must be combined with a SOC 2 Type 2 Security Trust Principle report.
  4. Processing Integrity Trust Principle focuses on criteria and controls ensuring that system processing is complete, valid, accurate, timely and authorized.
  5. Privacy Trust Principle focuses on criteria and controls for the collection, use, retention, disclosure and disposal of personal information. To align with the SOC 2 Privacy Trust Principle, Janrain maintains a collection of policies, procedures, legal documents, and other best practices to ensure the safety and security of our clients’ highly sensitive and confidential consumer data and the Personally Identifiable Information (PII) of our employees and our clients’ employees.

Why is it important: The purpose of these reports is to help you and your auditors understand the Janrain operational controls established to support operations and compliance. The success or failure of these controls has a direct or indirect impact on the reputation, financial statements and stability of our clients.

About Janrain SOC 2 Type 2 Compliance: Janrain is compliant with all 5 SOC 2 Type 2 Trust Principles.

Janrain’s SOC 2 Type 2 Security (Common Criteria), Availability and Janrain’s Confidentiality Report and Janrain’s SOC 2 Type 2 Processing Integrity and Privacy report are both available upon request from clients and prospects with an NDA.

About Data Center: AWS SOC 2: Security, Availability, & Confidentiality Report - Download with AWS Artifact

Scope: The entire Janrain Identity Cloud and the entire Janrain organization is in scope.

SOC 3

What it is: A SOC 3 Report is a summarized version of a SOC 2 report for a more generalized audience.

About Janrain: Janrain cannot get a SOC 3 report because Janrain has a carve-out in its SOC 2 for the AWS infrastructure.

About Data Center: https://d0.awsstatic.com/whitepapers/compliance/soc3_amazon_web_services.pdf

HIPAA Compliance

What it is: Protected storage of health data. Janrain enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to process, maintain, and store protected health information in the Janrain Identity Cloud.

Why we do it:

About Janrain: Janrain treats all client customer data at the highest data classification level and hence all client customer data is stored with the same safeguards as if it were protected health information.

Janrain has obtained an independent attestation that Janrain complies with the HIPAA/HITECH security rules and regulations including administrative safeguards, physical safeguards, technical safeguards, and breach notification as well as complies with the HIPAA/HITECH organizational, policies, procedures and documentation requirements.

About Data Center: https://aws.amazon.com/compliance/hipaa-compliance/

Scope: The entire Janrain Identity Cloud and the entire Janrain organization is in scope.

Links to Certifications: Janrain’s combined HIPAA/HITECH report is available to clients and prospects under NDA upon request. Janrain’s review period for the HIPAA/HITECH engagement was May 1, 2016 through April 30, 2017.

HITECH Compliance [US]

What it is: Protected transmission of health data. Janrain enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to process, maintain, store, and transmit protected health information in the Janrain Identity Cloud.

Why we do it:

About Janrain: Janrain treats all client customer data at the highest data classification level and hence all client customer data is transmitted with the same safeguards as if it were protected health information.

Janrain has obtained an independent attestation that Janrain complies with the HIPAA/HITECH security rules and regulations including administrative safeguards, physical safeguards, technical safeguards, and breach notification as well as complies with the HIPAA/HITECH organizational, policies, procedures and documentation requirements.

About Data Center: https://aws.amazon.com/compliance/hipaa-compliance/

Scope: The entire Janrain Identity Cloud and the entire Janrain organization is in scope.

Links to Certifications: Janrain’s combined HIPAA/HITECH report is available to clients and prospects under NDA upon request. Janrain’s review period for the HIPAA/HITECH engagement was May 1, 2016 through April 30, 2017.

OpenID Connect (OIDC) Certification

The OpenID Foundation’s OpenID Connect (OIDC) certification program, and its Relying Party (RP) conformance tests, were launched to make identity systems more interoperable and more secure. Janrain was proud to be a launch partner for the RP certification program, working with others in the identity community to drive further adoption of the OIDC standard.

http://www.oixnet.org/openid-certifications/janrain/  
http://www.janrain.com/openid-connect-certification/

COPPA Compliance

What it is: The Children's Online Privacy Protection Rule ("COPPA"). COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Its requirements include providing notice of data practices, obtaining verifiable parental consent before collecting a child’s personal information, giving parents access to and the ability to delete that information, maintaining the confidentiality and security of the information, and retaining it only as long as necessary.

About Using Janrain as a solution for COPPA Compliance: To facilitate COPPA compliance by a customer, Janrain offers a specialized registration solution for child registration that eliminates the collection of PII for users under 13 years of age.

PIPEDA [Canada]

What it is: The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian federal privacy law for private-sector organizations. It governs how Canadian private sector organizations collect, use and disclose personal information in the course of commercial business. Its fair information principles include accountability, identifying purposes, obtaining consent, limiting collection, limiting use/disclosure/retention, accuracy, and safeguards.

https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/

Janrain: While clients are responsible for their own PIPEDA compliance, the Janrain Identity Cloud can be used to help Janrain’s clients comply with the PIPEDA requirements.

Data Center: https://aws.amazon.com/compliance/pipeda/

GxP (FDA CFR 21 Part 11)

Janrain employs procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records entrusted to Janrain to store and transmit, as required by CFR - Code of Federal Regulations Title 21, Part 11. These controls have been independently examined through Janrain’s HIPAA and HITECH attestation, its SOC 2 Type 2 (Security, Availability, Confidentiality) audit, and its ISO 27001:2013, CSA STAR Level 2, and ISO 27018:2014 certifications. All customer data is encrypted in transit and at rest.

There is NO official certification for CFR - Code of Federal Regulations Title 21, Part 11. We are not aware of any “certification” that could be obtained by a service provider outside of the FDA itself, which performs periodic inspections of companies to help monitor for compliance.

Please note that while 21 CFR Part 11 contains the requirements for computer systems that create, modify, maintain, archive, retrieve, or distribute electronic records and electronic signatures in support of GxP-regulated activities, Janrain would never create or modify such records, nor make decisions about whether or when to retrieve or distribute such records.