PRIVACY AND SECURITY
Your Security and Data Protection are our Priority
We value the trust you place in Everbridge. We are committed to providing our customers and partners with a secure environment, using state-of-the-art technologies to safeguard your information. The Everbridge Privacy and Website Cookie Policies are designed to help you understand how we collect, use and safeguard the information you provide to us.
Everbridge’s security framework is governed by the ISO/IEC 27001:2013 information security standard and draws on the comprehensive set of security requirements and controls in US National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. Everbridge has achieved internationally recognized ISO/IEC 27001:2013 certification and holds an authorization under the Federal Risk and Authorization Management Program (FedRAMP). To maintain the certification and the authorization, Everbridge undergoes comprehensive annual assessments by an independent third-party assessment organization (3PAO). The 3PAO assessors verify Everbridge’s compliance in over 150 security and data protection areas across 17 security control families, including access control, incident response, security awareness and training, system and information integrity, identification and authentication, and contingency planning, using assessment techniques that include vulnerability analysis and penetration testing.
Globally Applicable Certifications
Established by the International Organization for Standardization (ISO), the internationally recognized ISO 27001 standard specifies the requirements for an organization’s information security management system, covering areas such as data security and business continuity, against which an accredited body certifies the organization. Everbridge’s information security management system has been audited and certified by Coalfire, an accredited certification body. The Everbridge products within the scope of the ISO certification are Mass Notification, Safety Connection™, Crisis Management, Visual Command Center®, IT Alerting, SMARTweather and ThreatView, and Everbridge’s mobile apps, in both the United States and Europe.
SSAE-18 SOC 3
Everbridge publishes a System and Organization Controls 3 (SOC 3) report. The SOC 3 report is a publicly available summary of the Everbridge SOC 2 Type II report. It includes the auditor’s opinion on whether Everbridge met the applicable AICPA Trust Services Criteria assessed in the SOC 2 report, the assertion from Everbridge management regarding the effectiveness of these internal controls, and an overview of the Everbridge Suite platform. Unlike the SOC 2 report, it omits the detailed description of the controls and the auditor’s test results, which is why it can be distributed without a non-disclosure agreement; customers who need the control-level detail should request the SOC 2 Type II report. The SOC 3 report provides assurance that Everbridge’s internal controls have been verified against the Trust Services Criteria for security, availability, and confidentiality.
Established by the International Organization for Standardization (ISO), ISO 27701 is the first international standard for a privacy information management system, focused on the protection of personally identifiable information (PII). It extends the requirements of ISO 27001 to cover data privacy and provides a framework for implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS). An annex of ISO 27701 maps its controls to the articles of the GDPR, and the standard also takes into account other national and regional data protection laws (such as the California Consumer Privacy Act). Everbridge’s PIMS has been audited and certified by Coalfire, an accredited certification body. The Everbridge products within the scope of the ISO 27701 certification for PII processing are Mass Notification, Safety Connection™, Crisis Management, Visual Command Center®, IT Alerting, SMARTweather and ThreatView, and Everbridge’s mobile apps, in both the United States and Europe.
US Government Certifications
The United States Department of Homeland Security (DHS) has designated and certified Everbridge under the SAFETY Act (Support Anti-terrorism by Fostering Effective Technologies Act of 2002). Under the SAFETY Act, the designation provides legal liability protections to both Everbridge and our customers in the event of technology failures during an act of terrorism declared by DHS. Applications on the Everbridge critical communications platform are listed on the DHS SAFETY Act Approved Product List for Homeland Security.
Everbridge Suite holds an authorization under the Federal Risk and Authorization Management Program (FedRAMP). FedRAMP is a United States government-wide program that provides a standardized approach, based on the NIST SP 800-53 revision 4 control baseline, to security assessment, authorization, and continuous monitoring for cloud products and services. A FedRAMP authorization is not a one-time certificate: to keep its status, the authorized system must deliver continuous-monitoring evidence, including monthly vulnerability scan results, and undergo an annual assessment by a 3PAO.
EU Privacy and Security Compliance
General Data Protection Regulation (GDPR)
On May 25, 2018, the European Union’s General Data Protection Regulation (“GDPR”) came into effect, replacing the Data Protection Directive 95/46/EC. Everbridge is GDPR-ready, having reviewed our business processes and forms to confirm our compliance with its requirements, including an individual’s right to access their personal data, the right to erasure (the “right to be forgotten”), the right to data portability, and the right to be notified of a breach. Everbridge also complies with the national data protection laws that supplement the GDPR, including the UK Data Protection Act and the German Federal Data Protection Act (Bundesdatenschutzgesetz). The company is also certified under the EU-US Privacy Shield (see below).
Everbridge participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Everbridge is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov/welcome. Note that in July 2020 the Court of Justice of the European Union invalidated the Privacy Shield as a lawful basis for transferring personal data from the EU to the United States (the Schrems II judgment); a Privacy Shield certification on its own therefore no longer legitimizes such transfers, and customers should confirm which transfer mechanism (for example Standard Contractual Clauses or the successor EU-U.S. Data Privacy Framework) currently applies to their data.
The Cloud Computing Compliance Controls Catalog (C5) is a German government-backed attestation scheme introduced by the Federal Office for Information Security (BSI) to help cloud providers demonstrate operational security against common cyber-attacks, within the context of the German government’s “Security Recommendations for Cloud Providers.” The Everbridge Critical Event Management platform has undergone a third-party audit against the security requirements defined by C5. Customers in Germany can use the resulting C5 audit report to evaluate how legal regulations (for example data privacy), their own policies, or the threat environment relate to their use of the Everbridge platform. Note that a C5 report is an attestation issued by the independent auditor (in the form of an ISAE 3000 assurance report), not a certificate issued by the BSI, so its scope and any exceptions should be read in the report itself.
UK Government Listings
The Everbridge Critical Event Management platform is a listed vendor within the G-Cloud framework. G-Cloud is a UK government procurement framework designed to simplify and accelerate adoption of cloud-based services within the public sector. The Everbridge platform, and its suite of enterprise applications, are entirely SaaS-based, and designed to automate and accelerate an organization’s operational response to critical events in order to keep people safe and businesses running.
Everbridge is registered with the Information Commissioner’s Office (ICO). The ICO is the UK’s independent regulator for information rights; it upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. Organisations that process personal data as controllers in the UK are generally required to register with the ICO and pay a data protection fee; the registration records Everbridge as a data controller and reflects its commitment to safeguarding user information and adhering to security and privacy protection standards.