TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tech | Data localization service receives SOC, PCI certifications Related reading: Tech vendor looks to tackle data localization compliance



Editor's Note:

Correction: Feb. 7, 2020: An earlier version of this report incorrectly stated InCountry received a Health Insurance Portability and Accountability Act certification. InCountry was evaluated by an external audit firm, which determined it had the proper processes and controls in place to be compliant with HIPAA security requirements.

Data-residency-as-a-service vendor InCountry launched last year to help organizations comply with data localization laws around the world. The company has recently unveiled new offerings to store health, finance and payment data in the more than 60 countries where it is currently deployed.

To help organizations store data in those industries, InCountry announced it has received its Payment Card Industry Data Security Standard and SOC 2 Type 2 Examination certifications and found to be compliant with the HIPAA security requirements

"The goal was to demonstrate our level of commitment to security, privacy and data protection. We are seeing a lot of traction with the health care and financial services sectors. Our original road map was to target these certifications, knowing that these are highly regulated areas," InCountry Chief Compliance Officer Renné Devasia said. "Let’s just say the stars aligned very well, and customers in those regulated sectors are coming to us and asking how we can we help them solve these problems."

The offerings have been created in addition to InCountry's existing platform. Organizations can store regulated data within country borders and meet those industry's compliance requirements. While the HIPAA and SOC certifications may have originated in the U.S., Devasia said the requirements for those two could be mapped onto laws around the world and that the vendor's research team has started to do just that.

For example, Devasia said InCountry can look at HIPAA and see its similarities to health care laws in the Netherlands or United Arab Emirates. By using HIPAA as a reference point, Devasia said it will be easier for the vendor to help customers in those countries comply with their own health care processing and storage laws.

InCountry is looking to obtain other certifications, as well. Devasia pointed to certifications that have more of a worldwide scale as its next target.

"This year, we are looking very heavily at many of the ISO standards, including 27001, 27017, 27018 and 27701. Those ones are the next areas that we are going to focus in on," Devasia said. "By stretching into those, we will have more of a global reach. They also go toward demonstrating the holistic approach that we take to compliance."

Certifications have started to gain steam as an attractive investment for organizations in the privacy market. A recent study released by Cisco found 82% of respondents said certifications were a positive buying factor when selecting a vendor or a product.

While that may be how industry professionals view certified vendors, Devasia said InCountry has no plans to slow down because it met certain standards.

"These certifications demonstrate a level of commitment that a company has, but that piece of paper does not mean that everything is perfect," Devasia said. "They are level of demonstration, but as an ongoing process, we continually are improving our privacy program, as well as our data protection."

Devasia admits it was challenging for InCountry to obtain the three certifications, especially since the company has been in existence for less than a year. He said it was able to get it done due to an organizational commitment to build privacy and data compliance into its practices from the beginning.

So far, InCountry has had the data-residency-as-a-service market to itself, but competition will likely appear on the horizon. Data localization is an issue that not going anywhere. As vendors enter this segment of the privacy tech market, they may need to quickly obtain their own certifications or run the risk of watching customers take their business elsewhere.

"In this regulated space, you really cannot play without having those certifications to demonstrate to your customers. You are asking your customers to give you their crown jewels and hold onto them. That’s not something most people want to," Devasia said. "They are going to want and demand some level of due diligence to get through a procurement process. If you don’t have these certifications, a lot of times, it’s going to be, 'You don’t have them? Then we aren’t talking to you.'" 

Photo by Nathan Roser on Unsplash

Credits: 1

Submit for CPEs


If you want to comment on this post, you need to login.

  • comment Brock Rutter • Feb 4, 2020
    What was the HIPAA certification?
  • comment Teressa Campbell • Feb 5, 2020
    There are no official HIPAA certifications that you can receive, only risk assessments that can determine whether you meet the privacy rule and security rule requirements. I would be wary of anyone claiming to be able to give you a HIPAA certification.
  • comment Renne Devasia • Feb 6, 2020
    To clarify we were evaluated by an external audit firm and found to have processes and controls in place which meet the HIPAA requirements.  The other item I wanted to point out is the ISO standards we are focusing on this year include 27001, 27017, 27018 & 27701