Document Scanning Confidentiality & SOC 2 Reporting
Your documents contain critical information that must be kept confidential to maintain the trust of your employees, customers and vendors and to satisfy legal requirements such as HIPAA. When those documents are scanned and processed by a document scanning company that has received a SOC 2 Type 2 Report, you have independent evidence, rather than a verbal assurance, that confidentiality controls are in place and operating.
A SOC 2 report is an attestation by an independent CPA firm that a service organization's controls are suitably designed (Type 1) and, for a Type 2 report, that they operated effectively over a review period, typically six to twelve months. Controls are assessed against the five Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. The security criteria are always in scope; the other four, including confidentiality, are included only if the company elects them. A Type 2 report that covers confidentiality is therefore the strongest evidence a document scanning provider can offer that your documents are handled confidentially while in its facility, and reviewing it is the most direct way to complete your due diligence. A provider that is still in the middle of its first audit can only offer you its policies, not an auditor's opinion on whether they were followed.
Below is a list of just some of the controls in place regarding the confidential handling of your documents while being processed in a document scanning facility that has received a SOC 2 Type 2 Report.
- Corporate Security Policy (CSP): a formal policy designed to ensure the confidentiality and security of sensitive information is in place and followed. Oversight, risk assessment and policy exceptions are addressed in the CSP. The CSP is reviewed and updated at least once annually.
- Sensitive & Confidential Information: All customer data and documents are defined as sensitive information. Policies are in place to address protection requirements, access rights and access restriction, as well as retention and destruction procedures.
- Transmission Encryption: all electronic client data is encrypted in transit, whether sent over the internet via SSH File Transfer Protocol (SFTP) or email, and is encrypted at rest when physically shipped on DVD or other removable media, so that a lost or intercepted disc does not expose its contents.
- Hosted Encryption: when using hosting services, all electronic client information is encrypted when uploaded by SFTP to the client's individual cloud document management software account.
- In-House Encryption: all electronic client information stored on internal servers is encrypted.
- Data Center Encryption: all electronic client information held in a document scanning company’s data center or on physical media while at the facility is encrypted, including document images during scanning and quality control.
- New Employee Hiring Protocols: Individuals must satisfy a background check and a formal interview process before being hired.
- New Employee Training: New employees are trained on the CSP during orientation, given access to the policies and required to sign an acknowledgement as part of their new hire orientation.
- Ongoing Employee Training: Employee training on all security policies is conducted annually.
- Non-Disclosure Agreements: New employees and all third parties with access to client data must sign a confidentiality/non-disclosure agreement (NDA).
- Employee Handbook: Addresses non-compliance with confidentiality and security policies.
- Handling Suspected Violations: Human resources maintains and implements appropriate policies for investigating suspected employee violations of the CSP and imposing disciplinary measures.
- Information Sharing: A “Third Party Connection Policy” describes the secure and confidential process for sharing information with external entities.
- Vendor Controls: A “Vendor Outsourcing Policy” addresses due diligence on outsourced vendors. Vendor contract requirements cover security, confidentiality and service level agreements (SLAs). Key vendors are reviewed annually.
See For Yourself
Ask to see a document scanning company’s SOC 2 Type 2 Report; most providers will share it under a non-disclosure agreement. When you have it, do not stop at the cover page. Check the audit period and ask for a bridge letter if it ended more than a few months ago, confirm that confidentiality is among the Trust Services Criteria in scope, read the auditor’s opinion and any noted exceptions, note which subservice organizations (for example, a cloud hosting provider) are carved out of the report, and review the complementary user entity controls, which are the controls the report assumes you, the customer, will operate yourself. If the company doesn’t have a report, it is much harder to determine how confidentially it will handle your documents, and you are taking a leap of faith. Just as important, visit the facility to see the processes in action.