Security and Compliance

PMG has completed a SOC 2 Type II examination by an independent third-party auditor. The resulting report provides objective evidence that our systems and controls meet acceptable standards for both their design and their operating effectiveness over the audit period.

SOC 2 (System and Organization Controls) audits examine how well an organization meets the trust services criteria for security, availability, processing integrity, confidentiality, and privacy. PMG's SOC 2 Type II report offers our customers an additional level of confidence about the security of our software.

PMG is committed to protecting consumer credit card data in compliance with the Payment Card Industry Data Security Standard (PCI DSS). Our alignment with this standard is reflected in the people, technologies and processes we employ.

We conduct regular vulnerability scans and penetration tests in accordance with the PCI DSS requirements for our business model. We attest to our PCI compliance annually, and our most recent self-attestation was completed June 1, 2022.

PMG serves as a "business associate" to entities covered under HIPAA (the Health Insurance Portability and Accountability Act). By entering into business associate agreements with our customers, we affirm our commitment to safeguarding protected health information (PHI) and preventing unauthorized use or disclosure of individually identifiable health information.

PMG is compliant with the HIPAA Security Rule and meets its requirements for electronic protected health information (ePHI).

PMG Security Protocols for Encryption and Data Isolation

Data is secured in transit and at rest using strong encryption.

  • Standards:
    • Data at rest – AES 256-bit encryption
    • Data in transit – TLS 1.2
  • Physical protections managed through Amazon Web Services (AWS)
  • Encryption keys managed through AWS Key Management Service (KMS)
    • Keys are protected by hardware security modules validated under FIPS 140-2

Data at rest:

  • Encryption at rest covers:
    • Disk volumes
    • Database data and logs
    • Data backups
  • Disk volumes and databases are dedicated to each customer rather than shared
  • Enhanced security:
    • The PMG application offers an optional additional encryption layer, applied at the application level, for sensitive data elements such as personally identifiable information (PII) and protected health information (PHI)
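The optional application-level encryption layer for PII and PHI listed above, combined with keys held in a key-management service, is usually implemented as envelope encryption: each sensitive value is encrypted under its own data-encryption key (DEK), and the DEK is in turn wrapped by a key-encryption key (KEK) that never leaves the key-management service. The Go program below is an added illustration of that pattern written for this page; it is not PMG's code, and this page does not describe how PMG's layer is actually built. The in-memory stubKMS stands in for AWS KMS, the record and field names are constructed sample data, and the helper names (EncryptField, DecryptField, fieldContext) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// stubKMS stands in for AWS KMS. Its key-encryption key (KEK) is a constructed
// in-memory value so the example runs offline; in a real deployment the KEK
// lives inside the key service's FIPS-validated HSMs and only wrap/unwrap
// requests cross the API.
type stubKMS struct{ kek []byte }

func newStubKMS() (*stubKMS, error) {
	kek := make([]byte, 32) // 256-bit KEK
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &stubKMS{kek: kek}, nil
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesGCMSeal returns nonce || ciphertext || tag. aad is authenticated but not
// encrypted, so it can bind the blob to the context it belongs to.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal; any change to nonce, ciphertext, tag or aad fails.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// WrapDataKey / UnwrapDataKey mimic the key service's Encrypt / Decrypt calls
// used to protect a DEK; the encryption context is bound as AAD.
func (k *stubKMS) WrapDataKey(dek, context []byte) ([]byte, error) {
	return aesGCMSeal(k.kek, dek, context)
}

func (k *stubKMS) UnwrapDataKey(wrapped, context []byte) ([]byte, error) {
	return aesGCMOpen(k.kek, wrapped, context)
}

// EncryptedField is what the application stores in place of the plaintext value.
type EncryptedField struct {
	WrappedDEK []byte // DEK encrypted under the KEK
	Ciphertext []byte // field value encrypted under the DEK
}

// fieldContext binds a ciphertext to its row and column so a blob copied from
// one record (or column) to another cannot be decrypted in the wrong place.
func fieldContext(recordID, fieldName string) []byte {
	return []byte(recordID + "/" + fieldName)
}

// EncryptField generates a fresh 256-bit DEK for the value, encrypts the value
// under it, and returns the wrapped DEK alongside the ciphertext.
func EncryptField(k *stubKMS, recordID, fieldName string, value []byte) (EncryptedField, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return EncryptedField{}, err
	}
	ctx := fieldContext(recordID, fieldName)
	ct, err := aesGCMSeal(dek, value, ctx)
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := k.WrapDataKey(dek, ctx)
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the DEK, then decrypts the value. A wrong record or field
// name, a tampered ciphertext, a tampered wrapped key or a different KEK all fail.
func DecryptField(k *stubKMS, recordID, fieldName string, f EncryptedField) ([]byte, error) {
	ctx := fieldContext(recordID, fieldName)
	dek, err := k.UnwrapDataKey(f.WrappedDEK, ctx)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aesGCMOpen(dek, f.Ciphertext, ctx)
}

func main() {
	kms, _ := newStubKMS()
	// Constructed sample value, not real PHI.
	f, _ := EncryptField(kms, "patient-0001", "ssn", []byte("123-45-6789"))
	pt, err := DecryptField(kms, "patient-0001", "ssn", f)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	_, err = DecryptField(kms, "patient-0002", "ssn", f) // blob moved to another record
	fmt.Println("moved ciphertext rejected:", err != nil)
	f.Ciphertext[len(f.Ciphertext)-1] ^= 1 // flip one bit of the GCM tag
	_, err = DecryptField(kms, "patient-0001", "ssn", f)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

Binding the record and field name as GCM additional authenticated data is what stops a ciphertext copied between rows or columns from decrypting, and flipping a single byte of either blob fails the tag check rather than yielding garbage plaintext. A real deployment would replace stubKMS with the key service's data-key generation and decrypt calls, and would usually cache unwrapped DEKs for a short time so that reading a large table does not turn into one key-service call per row.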

Data in transit:

  • HTTPS with Transport Layer Security (TLS) 1.2 for user-to-server communications
  • Application-to-database communication over TLS 1.2
  • PMG administrative access over an IPsec VPN with multi-factor authentication

Data purging and archiving:

  • Configurable workflows to purge selected data can be run:
    • On a schedule (e.g. after 2 years) or in alignment with the customer's business-as-usual (BAU) retention practices
    • On demand, to support deletion requests under privacy regulations such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)
