Compliance and Due Diligence Documents
A major advantage of the NetDocuments Service is Compliance as a Service (CAAS). We conduct a range of independent audits and maintain certifications of compliance with major applicable security control standards. The benefits of these certifications pass down to firms and companies using the NetDocuments Service.
Repository administrators have on-demand access to our full set of compliance and due diligence response documents through the Security Center in the Repository Administration Console.
The documents available through the Security Center include the following, as well as many others:
- Type II SOC 2 Audit Report for the controls relevant to Security, Availability, and Privacy (for the audit period of July 1 through June 30 of each year)
- ISO 27001/27017/27018/27701 certificate
- HIPAA Attestation
- Completed Consensus Assessment Initiative Questionnaire (CAIQ)
- Completed SIG Lite Questionnaire (with annotated SIG Core available in second quarter 2021)
- NetDocuments Security Availability and Privacy Due Diligence Response
These documents are updated regularly and provide a comprehensive overview of the technical and operational measures we have in place to ensure the security, privacy, integrity, and availability of the documents our customers entrust to the NetDocuments Service.
Vendor Security Assessments
To help us in responding to the assessment needs of all our customers in a timely and cost-effective way, we ask you to review the documents available through the Security Center and, if that information meets your needs, to accept those materials in place of your own assessment questionnaire. The NetDocuments compliance team is available to respond to any follow-up questions you may have.
If you would still like us to complete your questionnaire, please note the following:
- Requests must be sent to email@example.com, using the methods outlined below.
- Time for audit support and questionnaire completion will be charged to the customer according to rates listed on the Security Audit Fee Schedule, which is available to customer administrators through the Security Center.
- We are not able to complete every security assessment we receive. Assessments accepted for completion are completed and returned on a first-in, first-out basis.
- Questionnaires accepted for completion may take 30-60 days to return. We appreciate your patience.
Because of the increasing problem of phishing and other malicious email messages, email messages containing vendor assessment questionnaires as attachments or links will be rejected unless they are sent from an email address associated with a repository administrator account. Attachments should be sent via a NetDocuments secure document delivery link. We ask that repository administrators coordinate with their corporate IT and security departments to make sure your requests are received and processed in a timely manner.
Third Party Vendor Assessment Platforms
NetDocuments guards information about our platform closely in order to protect the security and integrity of your documents. The security of our platform is of paramount importance to us because it allows us to keep your data safe. Many customers have asked us to complete vendor security assessments using third-party platforms. We cannot provide assessment information on third-party assessment platforms because we do not have the ability to fully assess the third party’s security measures, or those of any subcontractors or service providers upon which those platforms rely. Also, as a third party to your agreement with the platform vendor, we do not have adequate contractual protections in place to protect our confidential information from unauthorized disclosure, and managing our confidential information through many different platforms becomes extremely difficult. Accordingly, our company policy is that our compliance, security, and due diligence response materials will only be made available to customers through the NetDocuments Service. We have two highly secure ways we share security information with customers: 1) customer repository administrators can review all current compliance certifications and due diligence response materials at any time through the Security Center, or 2) you can submit a questionnaire to our Compliance Department using a NetDocuments Secure Document Delivery Link. We appreciate your understanding and cooperation.
Independent Penetration Testing
NetDocuments engages independent providers to conduct penetration tests against the Service twice each year. Summary and remediation reports are available to customer repository administrators through the Security Center.
Customers may conduct their own penetration tests on the following conditions:
- All tests must be coordinated in advance with the NetDocuments Compliance Department, which can be reached by emailing firstname.lastname@example.org. NetDocuments reserves the right to limit the scope of any independent penetration and/or vulnerability test.
- All tests must be conducted outside of regular business hours in the service area in which the test is to be conducted.
- Failure to coordinate tests in advance is illegal hacking and will trigger a security response that will result in the suspension of access to your repository.
- Customer penetration test results must be shared with NetDocuments and will be considered NetDocuments’ confidential information.
Compliance Department Contact Information
Please direct compliance inquiries to email@example.com, and a member of the NetDocuments compliance team will respond.