Answer Library

Business Associate Agreement

A required contract when a vendor handles patient health data on your behalf.

Business Continuity Plan / Disaster Recovery

Plans that keep the business running and restore systems after a major failure.

Common Weakness Enumeration / Common Vulnerabilities and Exposures / Common Vulnerability Scoring System

Standard systems for naming and scoring the severity of known security vulnerabilities.

Data Loss Prevention

Controls that prevent sensitive data from being sent or copied outside the organization.

Data Processing Addendum

A contract defining exactly how a vendor may use your customers' personal data.

Data Protection Impact Assessment

A formal risk assessment required before starting any high-risk data processing activity.

Data Protection Officer

A designated officer responsible for ensuring an organization handles personal data legally.

Endpoint Detection & Response / Mobile Device Management

Tools that monitor and control employee devices to detect and stop threats.

Identity Provider

A service like Okta that manages who you are and what you can access.

Incident Response

The plan for detecting, containing, and recovering from a security incident.

An international certification for companies with a formal, audited information security program.

Key Management Service

A secure service that manages the encryption keys protecting stored data.

Multi-Factor Authentication

Logging in requires two proofs of identity, not just a password.

Protected Health Information

Medical or health information tied to a specific person, protected by law.

Personally Identifiable Information

Any data that can identify a specific person, like a name or email.

Principle of Least Privilege

Users are given only the minimum access they need to do their job.

Role-Based Access Control

Access to systems is determined by a user's role, not individual permissions.

Record of Processing Activities

A required log of every way an organization collects and uses personal data.

Read-Only Role / Break-glass Access

Emergency production access, granted rarely and only with strict logging and oversight.

Recovery Time Objective / Recovery Point Objective

How fast systems recover, and how much data can be lost, in an outage.

Security Assertion Markup Language / OpenID Connect

Protocols that let your company's login system connect securely with third-party apps.

Standard Contractual Clauses

EU-approved legal clauses that allow personal data to be sent outside Europe legally.

Security Information and Event Management

A central system that collects logs and alerts when something suspicious happens.

Service Level Agreement / Objective / Indicator

The agreed targets and measurements that define how reliable a service must be.

Service Organization Control 2

An independent audit confirming a company's security controls actually work as claimed.

Single Sign-On

One login grants access to multiple apps without re-entering credentials each time.

Transport Layer Security

The encryption standard that scrambles data while it travels across a network.

How often data is copied and how long those copies are kept.

The review and approval process governing all changes to production systems.

The Controller decides why data is used; the Processor handles it on their behalf.

Where your data is physically stored and where it may travel or be replicated.

Legal rights letting individuals view, correct, or delete their personal data.

How and when customer data is permanently removed after an account is closed.

Secure Software Development Lifecycle

Building security checks into every stage of the software development lifecycle.

Third-party vendors a company uses to process customer data on its behalf.

The ongoing process of finding, tracking, and patching security weaknesses in systems.

A periodic check ensuring only the right people still have access to systems.

Anonymization permanently removes identity; pseudonymization hides it but can be reversed.

An immutable record of every security-relevant action taken in a system.

When deleted data finally disappears after aging out of all backup copies.

Center for Internet Security Benchmarks

Widely trusted security configuration guides for servers, cloud systems, and operating systems.

Collecting only the data strictly necessary for a specific, defined purpose.

Data Loss Prevention

Technical controls that prevent sensitive data from leaking outside the organization.

Governance, Risk, and Compliance

The combined strategy for managing security, risk, and compliance across an organization.

Penetration Test

An authorized simulated attack on your systems to find real security weaknesses.

Policy says what must happen; procedure explains exactly how to carry it out.

Secrets Management

Storing API keys and passwords securely, completely separate from source code.

Standard Operating Procedure

A documented step-by-step process ensuring routine tasks are done consistently every time.

Enterprise procurement platforms often used to collect and review vendor security information.

Platforms that automate collecting evidence for security compliance audits.

Tools that detect passwords or API keys accidentally committed to a code repository.

A software suite for managing privacy compliance, vendor risk, and data assessments.

Automated tools that scan code and dependencies for known security vulnerabilities.

A platform where vendors host security documentation and respond to buyer questionnaires.