We value the trust you place in Everbridge. We are committed to providing our customers and partners with a secure environment that uses state-of-the-art technologies to safeguard your information. The Everbridge Privacy and Website Cookie Policies are designed to help you understand how we collect, use and safeguard the information you provide to us.
Everbridge’s security framework is based on the comprehensive set of security requirements and controls in US National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. Annually, Everbridge undergoes assessment by an independent Third Party Assessment Organization (3PAO) accredited under the Federal Risk and Authorization Management Program (FedRAMP). The 3PAO assessors verify Everbridge’s compliance in over 150 security and data protection areas across 17 security control families, including access control, incident response, security awareness and training, system and information integrity, identification and authentication, and contingency planning, using assessment techniques that include vulnerability analysis and penetration testing. Everbridge selected NIST SP 800-53 because it provides a complete and holistic approach to information security and has direct mappings to the global information security standards ISO/IEC 27001 (Information technology – Security techniques – Information security management systems) and ISO/IEC 15408 (Information technology – Security techniques – Evaluation criteria for IT security).
Globally Applicable Certifications
Everbridge publishes a System and Organization Controls 3 (SOC 3) report. The SOC 3 report is a publicly available summary of the Everbridge SOC 2 Type II report. It includes the independent auditor’s opinion on whether Everbridge met the applicable trust services criteria (the AICPA Trust Services Criteria assessed in the SOC 2 report), the assertion from Everbridge management regarding the effectiveness of these internal controls, and an overview of the Everbridge Suite platform. The SOC 3 report provides assurance that Everbridge’s internal controls have been independently verified against the AICPA Trust Services Criteria for security, availability, and confidentiality.
US Government Certifications
The United States Department of Homeland Security (DHS) has designated and certified Everbridge under the SAFETY Act (Support Anti-terrorism by Fostering Effective Technologies Act). Under the SAFETY Act, this designation provides legal liability protections to both Everbridge and our customers in the event of a technology failure during a DHS-declared act of terrorism. Applications on the Everbridge critical communications platform are now on the DHS SAFETY Act “Approved Technologies List.”
Everbridge has received Federal Information Security Management Act (FISMA) Assessment and Authorization (A&A) from the U.S. General Services Administration (GSA) in accordance with the Risk Management Framework (RMF) process defined in NIST SP 800-37, which the Department of Defense (DoD) is adopting to replace the DoD Information Assurance Certification and Accreditation Process (DIACAP). FISMA requires federal agencies to develop, document, and implement an agency-wide information security program for their data and infrastructure. Government entities can now use Everbridge solutions while meeting the security requirements of applications categorized at the FIPS 199 Moderate impact level. FISMA compliance requires Everbridge to implement and operate an extensive set of security configurations and controls. This includes documenting the management, operational, and technical processes used to secure our solutions and infrastructure throughout their life cycles, as well as undergoing third-party assessments.
Everbridge is currently in the process of achieving Federal Risk and Authorization Management Program (FedRAMP) authorization. FedRAMP is a United States government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Everbridge has completed testing by an accredited Third Party Assessment Organization (3PAO) to verify compliance with the FedRAMP security requirements, which are based on NIST SP 800-53.
EU Privacy Compliance
General Data Protection Regulation (GDPR)
On May 25, 2018, a new European privacy regulation, the General Data Protection Regulation (“GDPR”), will come into effect. As a company that will be required to comply with GDPR, Everbridge has begun planning for the regulation in order to meet the effective date. We are reviewing our business processes and forms to confirm our compliance with the new requirements, including an individual’s right to access their personal data, their right to erasure (the “right to be forgotten”), their right to data portability, and their right to be notified of a breach. Many of these key aspects of GDPR, however, will not require changes to Everbridge systems. Everbridge currently complies with existing EU and member-state legislation, including the Data Protection Directive 95/46/EC, the UK Data Protection Act, and the German Federal Data Protection Act (Bundesdatenschutzgesetz). The company is also certified under the EU-U.S. Privacy Shield (see below).
Everbridge participates in, and has certified its compliance with, the EU-U.S. Privacy Shield Framework. Everbridge is committed to subjecting all personal data received from European Union (EU) member countries in reliance on the Privacy Shield Framework to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov/welcome.