We are dedicated to providing a high level of security to our customers
At Catalytic, we combine a thorough security framework, internal and external audits, and appropriately trained employees to ensure that your data is protected. Please see below for an overview of the security controls, procedures and support we have in place.
Catalytic maintains SOC 2 Type 2 and HIPAA attestation examinations, performed annually by an independent CPA firm
We undergo quarterly third party penetration testing to help ensure the security of our platform
We have a dedicated compliance team that implements and monitors security-related controls
The Catalytic security framework consists of policies, procedures and controls that align to SOC 2, HIPAA, and GDPR requirements
We utilize a third-party, cloud-based data center, which maintains network architecture and data layer controls that meet the requirements of the most security-sensitive organizations. The data center has several security-related certifications, including ISO 27001, SOC 2, FedRAMP, HIPAA, NIST, and several others
Our employees attend security awareness training, and are required to adhere to our code of conduct
Annual risk assessments are performed to ensure we are addressing current as well as emerging risks
We follow change management procedures for all changes to the organization and the Catalytic platform
Our data centers also have controls in place to protect from man-made and natural security risks. Controls are in place at the perimeter, infrastructure, and environmental layers to ensure strong physical protection, and are audited per the security certifications listed above
Our offices are secured with keycards, automatic locks, alarms and security cameras
We have a dedicated QA department that tests all new features before release
Our testing and staging environments are separate from the production environment, and no actual customer data is ever used for testing
We have automated vulnerability scans that run at regular intervals
We engage a third party auditor to perform quarterly penetration testing
We have automated monitoring, logging, and system alerts
We control logical system access and review it regularly
Customer data is encrypted in transit and at rest, and within the database
We perform regular backups of customer data
We have documented incident response and disaster recovery procedures and dedicated response teams
Our customers have the option to use single sign-on (SSO) for their teams
Access and privileges in Catalytic are governed by role, as we provide different levels of user permissions, including "admin," based on the type of access required
Customers can mark sensitive data as "confidential" to ensure that only approved members of their teams can see certain information or processes
We have several policies and controls that address GDPR requirements. The controls include areas such as options for opt-in/opt-out of communications, procedures surrounding data retention, data breach procedures, DPIA (Data Protection Impact Assessment) procedures, procedures related to subcontractors, as well as ensuring the proper treatment of individuals' rights and subject access requests. This new regulation will help enhance the security surrounding the personal data of all Catalytic customers.
See more on GDPR and contact us for any GDPR-related inquiries below.
If you are a Catalytic user and provide us with your personal information, you have several rights with respect to that information. Upon request, Catalytic will provide customers and users with information about the type of data processed, including personal information. An individual who wishes to access, review, correct, amend, or delete their data, or to request a copy of it, should contact Catalytic and we will ensure the request is fulfilled. As we are a data processor, we may need to communicate with the data controller to fulfill requests. Data controllers who wish to exercise their right of data portability may also do so here. We will respond to requests within 30 days.
You may submit requests here: Submit a Subject Access Request (SAR)
You may unsubscribe from Catalytic communications by clicking on the "unsubscribe" link located on the bottom of our emails, or by clicking here: Opt-out of our communications
Note that opting out of communications may prevent you from learning about new Catalytic features, and that customers and users cannot opt out of receiving service or transactional emails related to their Catalytic account.
You may subscribe to Catalytic communications by clicking here: Sign up (opt-in) to receive our communications
We will retain the personal data we process on behalf of our customers for as long as needed to provide services to our customers. Catalytic will retain personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
We use third parties to provide some functionality and integrations within the Catalytic platform. You can choose which of these features and integrations to use.
If you have any security-related questions, concerns, or comments, please contact us using one of the links below.
For any other questions, contact us at firstname.lastname@example.org.