Compliance
FedRAMP
Publicly Available Information
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings. Established in 2011, FedRAMP is a government-wide program that provides a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information, by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. FedRAMP standardizes security requirements for the authorization and ongoing cybersecurity of cloud services in accordance with FISMA, OMB Circular A-130 [PDF – 536KB] … https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf, and FedRAMP policy.

Boomi-specific Information
Boomi’s sponsoring agency, the United States Agency for International Development, and the FedRAMP Program Management Office (PMO) have determined that Boomi has met the requirements for the controls in the FedRAMP Moderate baseline. FedRAMP Authorization indicates that Boomi has passed the rigorous security and risk management review process required to offer the Boomi platform to federal agencies, a mandate for any cloud service provider that serves the federal government. Boomi’s FedRAMP authorized services are a portion of Boomi’s offerings; not every product or service is FedRAMP authorized. Configuration steps are also required to implement the FedRAMP controls when you want that more controlled environment. For information on how to purchase and configure our FedRAMP offering, please reach out to your Boomi Account Manager and request more information about our FedRAMP services. Boomi is officially listed on the FedRAMP Marketplace, the central online portal of approved cloud service offerings available for federal government use.

“Meeting the stringent security and reliability standards for FedRAMP Authorization at the Moderate impact level is a critical step for Boomi’s public sector strategy.”
- Chris Port, Chief Operating Officer, Boomi, 2019

Boomi announces its FedRAMP Moderate Authorization achievement, Aug 2019

Those interested in the FedRAMP-certified Boomi AtomSphere Platform should visit:
Boomi Public Sector Website
FedRAMP Marketplace
federal.sales@boomi.com

StateRAMP

Publicly Available Information
Founded at the beginning of 2020, StateRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments. StateRAMP is a membership organization comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third-party assessment organizations, and government officials.

Boomi-specific Information
Boomi is currently pursuing StateRAMP Authorization via FedRAMP reciprocity. We are currently StateRAMP “In-Process” and are working closely with the StateRAMP PMO on next steps and timing. In the meantime, Boomi continues to be FedRAMP Authorized and to meet the relevant and related NIST 800-53 controls.

StateRAMP website
For more information on the State, Local, and Education sector at Boomi, please go here.

VPAT (Voluntary Product Accessibility Template)

Publicly Available Information
The Voluntary Product Accessibility Template is a document that explains how information and communication technology (ICT) products such as software, hardware, electronic content, and support documentation meet (conform to) the Revised 508 Standards for IT accessibility.

Boomi-specific Information
At Boomi, our mission is to empower organizations to instantly connect everyone to everything that they want. This mission requires us to work to ensure that everyone, regardless of their needs, is fully able to use and connect with our products. Boomi is committed to ensuring that accessibility remains a key focus throughout our development cycle. We work to understand and implement both emergent regulatory and legal requirements as well as industry standards and customer-requested features. Our teams are trained on accessibility best practices so that we can improve accessibility throughout our platform. We are constantly working to ensure our new features and products meet the needs of individuals, organizations, and governments internationally. We are always looking for feedback and suggestions on how we can improve. Please let our accessibility teams know either through your assigned Success specialist, through the Boomi Community, or by e-mailing accessibility@boomi.com.

Documents
Flow
MDH
Integration
API Developer Portal
API Management
B2B/EDI
DCP

CAIQ (available only upon request)

Publicly Available Information
The Cloud Security Alliance (CSA) is “the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.” The Consensus Assessments Initiative Questionnaire (CAIQ) provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud service provider to ascertain its compliance with cloud security best practices.

Boomi-specific Information
Boomi has responded to this questionnaire to provide our customers and prospects with the information necessary to evaluate Boomi’s cloud security controls.

Documents
Boomi Response to the Questionnaire is available upon request.

HECVAT (available only upon request)

Publicly Available Information
The higher education information security community, EDUCAUSE, Internet2, and the Research & Education Networks Information Sharing & Analysis Center (REN-ISAC) created the Higher Education Cloud Vendor Assessment Toolkit (HECVAT), a self-assessment that attempts to standardize higher education information security and data protection requirements around cloud service providers. The assessment helps higher education institutions ensure that cloud services are appropriately assessed for security and privacy needs, and provides a consistent, easily adopted methodology for those who want to use cloud services.

Boomi-specific Information
Boomi has completed a HECVAT 2.1 self-assessment. These assessments detail our compliance with industry standards and the security protocols built into our infrastructure.

Documents
Available upon request

FIPS (FED)

Publicly Available Information
FIPS are standards and guidelines for federal computer systems that are developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement.

Boomi-specific Information
As part of our FedRAMP Authorized offerings, we have implemented FIPS 140-2 encryption for our data at rest and in transit. For more detailed information, please review our FedRAMP information or contact us.

HIPAA/HITECH

Publicly Available Information
The Health Insurance Portability and Accountability Act (HIPAA) is a regulation composed of a series of national standards outlining the privacy and security of protected health information. HIPAA requires the private and confidential handling of protected health information. The subsequent Health Information Technology for Economic and Clinical Health (HITECH) Act defines policies, procedures, and processes that are required to protect electronic protected health information (ePHI).

Boomi-specific Information
As regulatory oversight related to HIPAA continues to increase, ensuring compliance is more important now than ever. The Boomi AtomSphere Platform has gone through an intensive third-party assessment to receive HIPAA compliance certification, demonstrating our compliance with the safeguards outlined in HIPAA. This assessment includes administrative, physical, technical, and organizational safeguards, as well as breach notifications. Boomi also goes through audits and yearly monitoring to ensure our platform remains in compliance.

Documents
Boomi Audit: Type 1 Attestation (AT-C 105 and AT-C 205) HIPAA/HITECH

PCI DSS

Publicly Available Information
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International, and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.

Boomi-specific Information
PCI certification is considered the best way to safeguard sensitive data and information, and Boomi puts this at the forefront as we build a trusted relationship with our customers and partners. The Boomi AtomSphere Platform has received an attestation of compliance for service providers for PCI DSS.

Documents
Boomi Attestation of Compliance for PCI DSS

SOC 1 & SOC 2 Compliance

Publicly Available Information
System and Organization Controls (SOC) reports utilize independent, third-party auditors to examine various aspects of a company, such as security, availability, processing integrity, confidentiality, privacy, controls related to financial reporting, and controls related to cybersecurity. SOC 1 reports focus on outsourced services performed by service organizations which are relevant to a company’s (user entity) financial reporting. A SOC 2 report is an attestation report issued by an independent Certified Public Accounting (CPA) firm. Its focus addresses operational risks of outsourcing to third parties outside financial reporting. These reports are based on the Trust Services Criteria, which include up to five categories: security, availability, processing integrity, confidentiality, and/or privacy.

Boomi-specific Information
System and Organization Controls (SOC) reports enable customers to feel confident that Boomi is operating in an ethical and compliant manner. No one likes to hear the word audit, but SOC reports establish credibility and trustworthiness for our customers and partners. The Boomi AtomSphere services Boomi Integration, Boomi Master Data Hub, Boomi B2B/EDI Management, and Boomi API Management are SOC 1 & SOC 2 compliant. Boomi undergoes SOC 1 and SOC 2 examinations annually, and consistently achieves and maintains our compliance. These examinations focus on the Boomi AtomSphere Platform and the suitability of the design and operating effectiveness of controls relevant to security and confidentiality.

Documents
SOC 1 Compliance Report
SOC 2 Compliance Report

ISO27001 for Flow

Publicly Available Information
To be certified by the ISO means that Boomi Flow has been audited by an independent third party and has demonstrated that the business conforms to the requirements of the latest quality process standards set by the International Standards Organization. This certification signifies that your processes work efficiently and effectively, and are consistent with international best practices (aka The Standard).

Boomi-Specific Information
Boomi’s ISO/IEC 27001:2013 certification demonstrates to customers that our Flow platform is structured, stable, and ready for growth. Adhering to ISO standards brings our customers increased efficiencies and reduced costs.

Boomi Flow ISO Certification

IRAP

The Information Security Registered Assessors Program (IRAP) provides a fully validated and assessed security framework for Australian Government customers. The IRAP program’s responsibility model is designed to ensure compliance with the Australian Government Information Security Manual (ISM). As part of the IRAP process, assessors have audited and reviewed Boomi’s compliance with these controls. The IRAP goal is to maximize the security of Australian federal, state, and local government data by focusing on the information and communications technology infrastructure that stores, processes, and communicates it. Boomi is compliant with IRAP standards for our AtomSphere products (including Integration, API Management, EDI/B2B, and Master Data Hub).

Boomi-Specific Information
“Accelerating the coordination of Australia’s public sector puts an emphasis on prioritizing data-driven decision-making and defining data as a shared national asset. Having the necessary standards for data protection and cybersecurity in place, across agencies and jurisdictions, is important in today’s cloud world, and completing our IRAP assessment is a validation that our technology is available to Australia’s public sector and can safely operate at a protected level within their cloud environments.”
- Nathan Gower, Director, Australia and New Zealand, Boomi, November 2022

Australia’s IRAP Assessment Recognizes Boomi To Provide Comprehensive Security Controls

For more information, please contact Tech.Compliance@boomi.com.