Security & Compliance

      The protection and security of our clients’ remote workforces and business data is fundamental to everything we do at NordLayer. As part of Nord Security, it’s in our DNA to ensure that compliance and data security best practices are in place at all times.

      We also understand that businesses in many industries need to meet compliance standards to ensure they are protecting and managing sensitive data in a way that is deemed secure by globally recognized institutions.

      Our information security management systems are certified according to ISO 27001, validated by a SOC 2 Type I audit, and meet the objectives outlined in the HIPAA Security Rules. NordLayer also uses AES-256 encryption, which ensures business data can’t fall into the wrong hands.

      In addition to preventing data loss, NordLayer guards against unauthorized access to your company network and lets you set granular access permissions and enforce policy. Through network control features such as IP allowlisting, businesses can ensure that sensitive data in the cloud is secure and cannot be accessed by, or shared with, unauthorized users.

      Multiple layers of security, such as 2FA and SSO, can also be implemented to ensure that network access and company data are available only to users who are recognized and validated.

      More on ISO 27001

      We’re proud that NordLayer’s information security management systems are certified according to ISO 27001.

      The certification achieved is ISO/IEC 27001:2013, which covers the information security management system (ISMS) of Nord Security.

      • This is a set of policies and procedures for systematically managing an organization’s sensitive data.
      • The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach.
      • An ISMS typically addresses employee behavior, processes, data, and technology. It can be targeted towards a particular type of data, such as customer data, or it can be implemented in a comprehensive way that becomes part of the company’s culture.
      • The goal of ISO 27001 is to provide a framework of standards for how a modern organization should manage its information and data.
      • Risk management is a key part of ISO 27001, ensuring that a company understands where its strengths and weaknesses lie. ISO maturity is a sign of a secure, reliable organization that can be trusted with data.

      How does an ISO/IEC 27001 certification benefit our clients?

      An ISO/IEC 27001 certification serves as a safety barometer for an organization’s information security landscape. With this in place, NordLayer clients and prospective clients alike can have peace of mind that fundamental procedures and controls are in place to protect their data via a formal information security management system, including:

      • Ensuring data can only be adjusted by trusted and authorized users.
      • Assessing risks and proactively mitigating potential data breaches.
      • Aligning management processes with business risk strategies and client needs.

      ISO 27001 & NordLayer

      The certificate was issued by TÜV Thüringen and applies to NordLayer, NordWL, and NordPass Business.

      ISO/IEC 27001:2013 is the leading international standard on information security. The standard is based upon three pillars:

      • Confidentiality
      • Integrity
      • Availability

      Certificate Validation

      You can check the validity of an organization’s certification issued by TÜV Thüringen on their website.

      More on SOC 2 Type 1

      A successful SOC 2 Type 1 technical audit was one of the milestones for NordLayer, validating that we are going in the right direction with our product development.

      The SOC 2 Type 1 report reflects the current standpoint of NordLayer design and system control suitability. The audit assesses the sufficiency of Technical, Administrative, and Logical documentation of information security policies and procedures.

      How is a SOC 2 Type 1 audit beneficial to our clients?

      SOC 2 Type 1 is one of the stages attesting to complete SOC 2 compliance for a service organization’s systems. It is essential for examining internal systems in order to identify and indicate the potential risks of the audited service.

      An on-site audit is performed to evaluate the service organization’s compliance practices for storing, processing, and using customer information held in the cloud.

      A high level of information security maintenance signals the provider’s responsibility and demonstrates a “tell & show” approach to transparency about the services it offers.

      SOC 2 Type 1 & NordLayer

      The SOC 2 Type 1 audit was performed for Nord Security and applied to all group products: NordLayer, NordPass, NordLocker, and NordWL.

      The SOC 2 Type 1 report is a piece of assurance that sensitive data is handled safely and according to industry standards by the service provider. Organizations that require confirmation of secure service performance for managing sensitive customer data can rely on the SOC 2 Type 1 attestation.

      Official report results confirm to our customers that NordLayer handles the privacy, confidentiality, and security of your business information assets within international requirements. It is also a valuable attestation of guarantee in third-party transactions and partnerships before contractual agreements.

      NordLayer will be rigorously audited to follow the necessary procedures and policies to meet the highest information security management standards.

      The benchmark certification obliges Nord Security to continue running the recommended risk assessments and internal audits at least once a year – while continuously training existing employees and new hires on information security policies and best practices.

      HIPAA and NordLayer

      The Health Insurance Portability and Accountability Act, or HIPAA, is a federal statute enforced by the United States legislature. Its primary function is to uphold the integrity of health data. Each covered entity that stores, processes, or transmits Protected Health Information (PHI) must be HIPAA-compliant.

      PHI can take many forms, and its digital counterpart is electronically Protected Health Information (ePHI). Since most healthcare organizations now store patient data online, ePHI has become the primary method for archiving patient data.

      HIPAA requirements for covered entities include:

      • Access controls (centrally controlled unique credentials for each user, and procedures to manage the release or disclosure of ePHI).
      • Integrity controls (policies and procedures to ensure that ePHI is not improperly altered or destroyed).
      • Audit controls (hardware, software, and/or procedural mechanisms to record and examine access and other ePHI-related activity).
      • Network security (encryption, firewalling, etc.).

      NordLayer is proud to be able to say that independent assessors reviewed the policies, standards, and procedures that apply to NordLayer and concluded that they meet the security objectives outlined in the HIPAA Security Rules. This means that NordLayer is HIPAA-compliant and has the appropriate measures in place for securing access to PHI.

      Note: If you would like to view our other certificates and security reports, please reach out to our 24/7 Customer Support Team.
