ISAE 3402 Type 2 certification

Spacewell has achieved the ISAE 3402 Type 2 certification, an independent audit verifying the effectiveness of its security controls over time. This certification provides assurance of robust data security, of compliance with regulations and standards such as GDPR and SOC 2, and of transparency. It covers areas such as access controls, data security, system change management, network security, business continuity, incident management, monitoring, training, compliance, and physical security, providing clients with confidence, reduced risk, and trust.


At Spacewell, security & transparency are the norm. We understand the critical role trust plays when entrusting Spacewell with your data. We're proud to have achieved the rigorous ISAE 3402 Type 2 certification. This internationally recognized standard goes beyond simply stating security best practices – it ensures they're independently verified and demonstrably effective.


What is ISAE 3402 Type 2?

ISAE 3402 Type 2 is an independent audit standard verifying the effectiveness of a service organization's controls over a period (usually one year). Unlike a Type 1 report, which only confirms that controls are suitably designed at a single point in time, it assesses how well the controls actually operated throughout the period, not just whether they exist. This gives our clients more robust assurance about data security and compliance, helping them mitigate risks and simplify regulatory burdens. By choosing a provider with this certification, you gain transparency, trust, and a competitive edge in today's security-conscious market.


What does this mean for you as a client?

Unwavering Security

Your data is our top priority. By achieving ISAE 3402 Type 2 certification, we've undergone an independent audit verifying the effectiveness of our security controls. This goes beyond self-reported measures, offering an objective evaluation for complete peace of mind.

Reduced Risk and Confidence in Compliance

Mitigate the inherent risks associated with SaaS solutions by partnering with a certified provider. Our compliance with relevant regulations and standards such as GDPR and SOC 2 eases your compliance burden and demonstrates our commitment to data privacy.

Transparency You Can Trust

The ISAE 3402 Type 2 audit provides a clear picture of our security posture, fostering trust and allowing you to make informed decisions about your data and building operations.

In essence, an ISAE 3402 Type 2 certification acts as an independent verification of Spacewell’s security practices, offering you greater confidence, transparency, and risk mitigation, ultimately making your decision to trust Spacewell with your data more informed and secure.


Why choose an ISAE 3402 Type 2 partner?

Attract Security-Aware Partners

Stand out by demonstrating your commitment to data security, a crucial differentiator in today's increasingly connected buildings.

Streamlined Collaboration

Reduce the time and resources spent evaluating vendor security with the assurance of an independent audit.

Future-Proof Your Operations

Partner with a provider prioritizing secure and compliant practices, ensuring your buildings are well-positioned for evolving regulations and security threats.


What types of tests are conducted?

An ISAE 3402 Type 2 audit typically focuses on assessing the design, implementation, and operating effectiveness of controls across several key areas:

Security Domain: Specific Controls and Practices

Access Controls
  • User access provisioning and review processes
  • Password policies and enforcement mechanisms
  • Multi-factor authentication implementation
  • Physical access controls to data centers and servers

Data Security
  • Data encryption at rest and in transit
  • Data classification and protection based on sensitivity
  • Data backup and recovery procedures
  • Incident response plans and testing

System Change Management
  • Change approval processes and documentation
  • Segregation of duties for critical changes
  • Testing and validation of changes before deployment
  • Monitoring for unauthorized system changes

Network Security
  • Firewalls and intrusion detection/prevention systems
  • Secure network segmentation and access controls
  • Vulnerability management and patching processes
  • Regular penetration testing and security assessments

Business Continuity and Disaster Recovery
  • Business continuity plans and procedures
  • Disaster recovery site testing and failover drills
  • Data backup and recovery procedures tested regularly
  • Incident response plans integrated with disaster recovery

Incident Management
  • Defined processes for identifying, reporting, and responding to incidents
  • Incident logging and investigation procedures
  • Regular testing and improvement of incident response plans
  • Communication protocols for internal and external stakeholders

Monitoring and Logging
  • Monitoring critical systems and activities for suspicious behavior
  • Logging user activity and system events for audit purposes
  • Log retention and review procedures
  • Incident detection and escalation mechanisms

Training and Awareness
  • Regular security awareness training for employees
  • Role-based training on specific security policies and procedures
  • Phishing simulations and other security awareness exercises

Compliance with Regulations
  • Assessment of relevant regulations and data privacy laws
  • Implementation of controls to meet compliance requirements
  • Regular audits and reviews of compliance adherence

Physical Security
  • Physical access controls to data centers and servers
  • Environmental controls like temperature and humidity monitoring
  • Security cameras and other surveillance systems
  • Regular security inspections and vulnerability assessments