Put Your Customers First and Let them Do the Talking. Get Your Guide on How to Build an Advocacy Growth Engine.

Compliance that Gives You Complete Confidence

Today’s technology leaders must secure and protect customer, employee, and intellectual property data in an increasingly complex and risky environment. Companies must also comply with all applicable laws, including those related to data privacy and transmission of personal data, even when a service provider holds and processes a company’s data on its behalf. It's important to ensure your loyalty vendor adheres to specific security principles and data security criteria—including the completion of IS27001 and SOC 2 Type II security compliance.

Learn more about compliance and choosing the right loyalty vendor

Annex Cloud Is Committed to Compliance

Annex Cloud maintains a formal and comprehensive security program to ensure the security and integrity of customer data, protect against security threats or data breaches, and prevent unauthorized access to our customers’ data. The specifics of Annex Cloud’s security program are detailed in our third-party security audits and international certifications. We’ve been ISO 27001 certified since 2019 and the Annex Cloud SOC 2 Type II report is an independent assessment of our control environment performed by a third party.

Annex Cloud Is Committed to Compliance
Why Companies Need an Information Security Management System (ISMS)

Why Companies Need an Information Security Management System (ISMS)

  • Without an ISMS, controls tend to be disorganized and disjointed—often implemented as point solutions for specific situations or simply a matter of convention
  • Security controls in operation typically address certain IT aspects or data security specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected
  • Business continuity planning and physical security may be managed independently of IT or information security
  • Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization

Third-Party Audits and Certifications


ISO/IEC 27001 is an international standard for how to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, then revised in 2013. It details requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) to help organizations make the information assets they hold more secure. ISO/IEC 27001 is designed to cover much more than just the IT department.

ISO/IEC 27001 requires that management:

  • Systematically examine information security risks, taking account of threats, vulnerabilities, and impact
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address unacceptable risks
  • Adopt an overarching management process to ensure information security controls continue to meet information security needs on an ongoing basis
  • What controls will be tested as part of certification to ISO/IEC 27001 depends on the certification auditor. This can include any controls the organization has deemed within the scope of the ISMS. Testing can be to any depth or extent the auditor determines is needed to test the control has been implemented and is operating effectively.
ISO/IEC 27001 requires that management
Additionally, ISO27001 was strengthened with Annex Cloud  Controls, which include:

Additionally, ISO27001 was strengthened with Annex Cloud Controls, which include:

  • Information security policies
  • Organization of information security
  • Human resource security—processes applied before, during, or after employment
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development, and maintenance
  • Information security incident management
    Information security aspects of business continuity management Compliance—with internal requirements, such as policies, and with external requirements, such as laws
SOC 2 Type 2

SOC evaluation is a multi-level evaluation across multiple principles.Compliance to SOC security standards means the vendor fully meets the established security criteria and is competent to prevent unauthorized access to data. The SOC 2 report is based on the AICPA’s Trust Services Criteria and is issued annually in accordance with the AICPA’s AT Section 101 (Attest Engagements). The SOC 2 report addresses all Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, and Privacy).

The SOC 2 Type 2 audit is based on criteria used to evaluate controls relevant to the security, processing integrity, availability, confidentiality, and privacy of any system. The SOC 2 Type 2 report includes audit details of the service organization controls outlined by the Trust Services Criteria (TSC) set by AICPA.


IT system software and application Programs


All Manual and automated procedures


Personnel using the system


Physical, IT, and related hardware


Files, tables, data bases, transmission streams, and output processed by a system

Other areas specifically analyzed under a SOC 2 Type 2 audit include:

  • How customer data integrity is protected from entry to deletion and all points during the data lifecycle
  • How privacy is communicated to customers and enforced through company policies
  • Protecting rights customers have regarding their data
  • Steps taken to protect customer data confidentiality
  • How the company guarantees data availability
  • Whether access to data, software, functions, and other IT resources is restricted to authorized personnel only
  • Whether physical access to sensitive locations is restricted to authorized personnel only
  • Whether appropriate background screening procedures are in place
  • Whether an access control and monitoring system is implemented to detect intrusions
  • Whether incident response procedures are suitably developed and tested
  • Whether clients and employees understand their role in using the system
  • Whether hardware, software, and related infrastructure are updated regularly
  • Whether any system changes are communicated to the correct personnel in time
  • Whether a change management process is available to address deficiencies in control
  • Whether a disaster recovery plan is tested and documented
  • Whether systems for addressing environmental risks are in place
  • Whether data is processed, stored, and maintained accurately and timely
  • Whether risk assessment includes identification of potential threats to the system and analyzing risks associated with each threat
  • Whether a fully documented data retention policy is in place
  • Whether physical and logical access controls are in place

Security and Privacy are also key requirements for an enterprise-ready loyalty solution.


See Loyalty in Action

Be inspired with endless ways to make every customer interaction rewarding.


We Can Help

Let's explore how loyalty can help you become one of your customers' most beloved brands.


©2021 All Rights Reserved. AnnexCloud