Security Compliance

Cronofy complies with relevant legal, industry, and regulatory requirements as well as industry best practices. Geographically discrete production instances allow our customers to use our services and stay compliant with regional regulations.

Cronofy’s service is hosted at Amazon Web Services (AWS) data centres, which are highly scalable, secure, and reliable. AWS complies with leading security policies and frameworks, including SSAE 16, SOC framework, ISO 27001 and PCI DSS.

Cronofy retains the minimum amount of information required to deliver services to our customers and end-users. More information on data retention and data retention periods can be found in our Data Management policy: https://docs.cronofy.com/policies/data-management/.

Cronofy’s ISMS (Information security management system) has been independently audited and meets the standards set out by the International Standards Organization for the ISO 27001, 27701 & 27018 standards. A copy of all of Cronofy’s ISO certificates are available publicly and reports are available on request after signing a mutual NDA.

The security, availability, processing integrity, confidentiality and/or privacy controls of Cronofy were audited, based on their compliance with the AICPA’s SOC2 Standard. Cronofy’s controls were found to be designed effectively and are suitably operated. A copy of the Cronofy SOC2 Type 2 report is available on request.

Cronofy is compliant with the EU General Data Protection Regulation (GDPR) and can provide a Data Processing Agreement (DPA) on request.

Cronofy is HIPAA-ready and can supply a Business Associate Agreement (BAA) on request.

Cronofy complies with the California Consumer Privacy Act (CCPA).