#Overview
Light maintains multiple security and compliance certifications, independent attestation reports, and regulatory compliance programs. Together they provide assurance that Light meets industry standards for security, privacy, and operational controls.
Light holds or maintains the following (items differ in kind: SOC and ISAE 3402 are independent audit reports, PCI SAQ D is a self-assessment, GDPR is a regulation Light complies with rather than a certificate, and SSAE 18 and ISAE 3402 are the audit standards under which the SOC reports are issued):
- SOC 1 Type II (report issued under SSAE 18)
- SOC 2 Type II (report issued under SSAE 18)
- GDPR (regulatory compliance)
- CSA STAR
- Trusted Cloud Providers (CSA)
- AWS Security Competency
- PCI SAQ D (self-assessment)
- SSAE 18 (attestation standard for the SOC reports)
- ISAE 3402 (international attestation standard)
#SOC 1 Compliance
#What is SOC 1?
SOC 1 (System and Organization Controls 1) is a framework for evaluating internal controls at service organizations that are relevant to user entities' internal control over financial reporting. It is conducted by independent auditors and is particularly important for financial platforms like Light.
#SOC 1 Type II
Light obtains a SOC 1 Type II report annually:
- Independent Audit: Conducted annually by independent auditing firms
- Testing Period: Type II reports cover the operating effectiveness of controls over a sustained review period, not just their design at a single point in time (which is what a Type I report covers)
- Financial Controls: Focuses on controls relevant to customers' internal control over financial reporting
- Continuous Compliance: Light maintains the controls year-round, not only during the audit window
#SOC 2 Compliance
#What is SOC 2?
SOC 2 (System and Organization Controls 2) is a framework for evaluating controls at service providers against the AICPA Trust Services Criteria. Examinations are performed by independent auditors, who issue a report containing their opinion on whether Light's controls for security, availability, processing integrity, confidentiality, and privacy are suitably designed and operating effectively.
#SOC 2 Type II
Light obtains a SOC 2 Type II report, which covers the operating effectiveness of controls over a review period rather than their design at a single point in time (Type I):
- Independent Audit: Conducted annually by Big Four accounting firms
- 6-Month Testing Period: Auditors observe Light's controls in practice over the review period
- Defined Scope: Covers the systems, processes, and personnel described in the report's system description
- Continuous Compliance: Light maintains the controls year-round, not only during the audit window
#What SOC 2 Covers
SOC 2 evaluates controls over:
- Security: Protection against unauthorized access
- Availability: Systems remain operational and available
- Processing Integrity: Data is processed accurately and completely
- Confidentiality: Sensitive data is protected from unauthorized disclosure
- Privacy: Data is collected, used, and retained appropriately
Good to know: Request Light's SOC 1 or SOC 2 Type II reports directly from your account team. Most customers receive the full audit reports under NDA.
#GDPR Compliance
#What is GDPR?
GDPR (General Data Protection Regulation) is the European Union's comprehensive data protection law applying to companies processing European residents' data.
#Light's GDPR Compliance
Light's processing of personal data is designed to comply with GDPR:
- Legal Basis: Every processing activity rests on a lawful basis under GDPR Article 6 (for example, performance of a contract, legitimate interests, or consent where required)
- Data Subject Rights: Users can request access, correction, deletion, and portability of their data
- Data Protection Officer: Light maintains a DPO for privacy questions
- Privacy Policy: Clear, transparent privacy terms
- Consent Management: Explicit consent is obtained for processing where consent is the applicable lawful basis
#Key GDPR Capabilities
Light provides:
- Data Export: Users and admins can export all personal data
- Right to Deletion: Users can request deletion of their data
- Data Processing Agreements (DPA): Standard DPA available for all customers
- Sub-processor Management: All sub-processors are listed and compliant
- Breach Notification: Light notifies you within 72 hours of becoming aware of a personal data breach affecting your data, so that you, as the controller, can meet your own GDPR Article 33 obligation to notify the supervisory authority
#CSA STAR Certification
#What is CSA STAR?
CSA STAR (Cloud Security Alliance Security, Trust, Assurance, and Risk) is a program for cloud security assurance. It provides a framework for cloud providers to demonstrate their security posture through independent assessments.
#Light's CSA Certifications
Light holds both CSA STAR certification and Trusted Cloud Providers (CSA) designation:
- CSA STAR: Independent assessment of Light's cloud security controls against the Cloud Controls Matrix (CCM)
- Trusted Cloud Providers: Recognition by the Cloud Security Alliance that Light meets rigorous cloud security standards
- Transparency: Light's security posture is documented in the CSA STAR Registry
- Continuous Improvement: Regular reassessment to maintain certification
#AWS Security Competency
#What is AWS Security Competency?
AWS Security Competency is an AWS Partner Network designation recognizing technology partners that have demonstrated technical proficiency and proven customer success in specialized security areas on the AWS platform.
#Light's AWS Certifications
Light holds the AWS Security Competency designation:
- AWS Infrastructure: Light's platform runs on AWS with security best practices
- Security Competency: Validated by AWS for meeting rigorous security requirements
- Architecture Review: Light's architecture has been reviewed against AWS security standards
- Data Residency: Regional data storage options leveraging AWS global infrastructure
#PCI Compliance
#What is PCI?
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
#PCI SAQ D
Light attests to PCI DSS compliance using SAQ D, the most comprehensive self-assessment questionnaire. Note that an SAQ is a self-assessment by Light, not a Report on Compliance issued by a Qualified Security Assessor:
- Full Assessment: SAQ D covers all PCI DSS requirements applicable to Light's environment
- Cardholder Data Protection: Controls for protecting payment card data
- Network Security: Secure network architecture and access controls
- Regular Testing: Ongoing vulnerability scanning and security testing
- Access Controls: Strict access controls for systems handling payment data
#SSAE 18
#What is SSAE 18?
SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is the current attestation standard issued by the AICPA (American Institute of Certified Public Accountants) governing SOC examinations and other service organization reports.
#Light's SSAE 18 Compliance
Light's SOC reports are issued under the SSAE 18 standard:
- Current Standard: SSAE 18 is the AICPA attestation standard under which SOC 1 and SOC 2 reports are issued in the United States
- Vendor Oversight: Includes requirements for monitoring sub-service organizations
- Risk-Based Approach: Focuses on risks most relevant to user entities
- Annual Examination: Reports are issued annually under this standard
#ISAE 3402
#What is ISAE 3402?
ISAE 3402 (International Standard on Assurance Engagements 3402) is the international counterpart of the SSAE 18 standard for SOC 1 engagements, issued by the International Auditing and Assurance Standards Board (IAASB). It provides assurance on controls at service organizations that are relevant to user entities' financial reporting, for an international audience.
#Light's ISAE 3402 Compliance
Light obtains an ISAE 3402 report:
- International Recognition: Accepted globally as the standard for service organization assurance over financial reporting controls
- Independent Assurance: Reports issued by independent auditors
- Control Objectives: Covers controls relevant to customers' financial reporting, the same ground as SOC 1
- Global Customers: Provides assurance to Light's international customer base
Tip: ISAE 3402 reports are the internationally recognized equivalent of US SOC 1 reports and are suitable for customers operating outside the United States. They do not cover the Trust Services Criteria addressed by SOC 2; request the SOC 2 report if you need assurance over security, availability, processing integrity, confidentiality, or privacy controls.
#Data Processing Agreements (DPA)
#What is a DPA?
A Data Processing Agreement is a contract between Light and customers specifying how personal data will be processed, protecting both parties legally.
#Light's DPA
Light provides:
- Standard DPA: Available for all customers at no additional charge
- Customization: DPAs can be customized for specific requirements
- GDPR Compliant: Full compliance with GDPR Article 28 requirements
- Signature: Executed within 5 business days of request
- Online Access: DPA templates available in Light's legal portal
#Key DPA Terms
- Processing Scope: Specifies exactly what data is being processed
- Purpose: Defines legitimate purposes for processing
- Duration: Specifies how long data is retained
- Sub-processors: Lists vendors that may access data
- Data Subject Rights: Mechanisms for assisting you in responding to data subject requests (access, correction, deletion, portability)
- Liability: Allocation of liability and indemnification
#Penetration Testing and Security Audits
Light maintains security through:
- Annual Penetration Testing: Third-party experts attempt to compromise systems
- Vulnerability Scanning: Regular scans for known vulnerabilities
- Code Reviews: Security-focused code review process
- Bug Bounty Program: Security researchers can report vulnerabilities responsibly
#Compliance Audit Process
Light undergoes regular audits:
- Planning: Auditors and Light plan the scope and timeline
- Testing: Auditors examine systems, processes, and documentation
- Interviews: Auditors interview Light personnel
- Remediation: Any findings are addressed
- Reporting: Auditors issue official reports and certifications
#Requesting Compliance Documentation
To request compliance documentation:
- Contact your Light account manager
- Specify which report or document you need (SOC 1, SOC 2, ISAE 3402, PCI SAQ D, DPA, etc.)
- Indicate if you need the full report or summary
- Document your organization's need for the information
- Light delivers documentation under NDA if required
Typical response time is 5 business days.
#Staying Current
Light maintains compliance through:
- Continuous Monitoring: Year-round monitoring of compliance status
- Regular Training: All personnel receive compliance and security training
- Policy Updates: Compliance policies are updated as regulations change
- Vendor Management: Sub-processors are audited for compliance
#Related Articles
- Light's security architecture
- Data encryption and storage
- Access controls and SSO
- Data retention and deletion