The ConnectWise Trust Center: Security, data privacy, and regulation compliance
When was the last time you visited the ConnectWise Trust Center? Perhaps this is the first time you’ve ever heard of it. Allow us to tell you more.
What is the ConnectWise Trust Center?
It’s no secret and no surprise that we continue to face cyber threats and that bad actors are becoming increasingly sophisticated. We are dedicated to providing a secure and reliable experience for our partners and wish to be transparent about what we’re doing to keep the ConnectWise platform - and you - safe.
We’ve created the ConnectWise Trust Center as a hub to keep you informed on our security, privacy, and compliance measures and as a place to communicate timely information on advisories and vulnerabilities that are important to our community (whether they directly affect ConnectWise products or not).
Because situations rapidly change and evolve in this industry, this website will constantly be updated and refreshed.
What you’ll find in the Trust Center
First and foremost, we provide a place for you to report security incidents and security vulnerabilities.
- Security incident = refers to a situation where a partner has been compromised and is looking for assistance around being actively exploited
- Security vulnerability = refers to any flaws or issues in our software; please let us know if you encounter anything you suspect leaves you vulnerable
Please use these when needed, as you will get a faster response and it allows us to track and understand what’s happening in our community.
Beyond that, we’ve divided our Trust Center into several sections to make it easier to find what you’re looking for:
Visit the security section to get a general background about the components that inform our information security program and function. We actively focus on both the security of our products and the overall security practices of our own environments, and we document these measures in our Information Security policy.
In our security section, read more about our organizational security, information asset management, personnel conduct, physical and environmental security, and our operational security which includes endpoint protection, patch management, incident management, and business continuity and disaster recovery.
As mentioned before, we aim to be transparent with our community, especially when it comes to our data collection and usage practices.
Visit our privacy section to read about our data protection priorities and how we comply with privacy acts such as GDPR and the California Consumer Privacy Act (CCPA). You’ll also find answers to our frequently asked questions around data and privacy.
We are routinely audited by independent third-party organizations and government agencies to ensure that we are compliant with global and regional standards, and we report on our compliance measures in this section.
We are excited to make available SOC 3 reports, which are available and downloadable in our compliance section. These are versions of our SOC 2 reports where sensitive information has been removed and no NDAs are required to view or distribute the reports. As more of these reports become available, we will update this section for easy access.
Our compliance section also includes information around HIPAA compliance, the Privacy Shield Framework, and GDPR.
Again, in the interest of transparency and protecting our community, we’ve developed a security bulletins section where you can access our publicly disclosed security vulnerabilities found within our ConnectWise offerings. These bulletins are meant to provide guidance in assessing the impact of any potential vulnerabilities in the context of your client’s environments.
We have created an RSS feed for these security bulletins so you can get updates as easily as possible. Within this section, you’ll find more information about RSS feeds, including how to set them up.
If you have visited our bulletins in the past, you’ll notice that we’ve made it easier to search and filter for the exact information you’re looking for.
Like most of our Trust Center, this section will be updated on a continual basis.
We believe that our community is at its best when we are all looking out for one another, so when necessary, our Advisories section will provide communications on broader security related topics that may not necessarily be linked to a ConnectWise product or vulnerability.
These advisories are posted once we’ve had time to analyze and are updated whenever there are changes or if there is new information to announce.
The ConnectWise Security Responsibility Matrix
We want to call special attention to our ConnectWise Security Responsibility Matrix. Based on questions we’ve had coming into our information security group from partners, colleagues, and the community, we’re providing this matrix as a guide for managed service providers (MSPs) around who owns the responsibility when an incident occurs.
This matrix recommends roles and responsibilities across customer, partner, ConnectWise, and cloud/colocation providers. It breaks down the functions and tasks that we and our partners think about, and who would have the responsibility in an ideal world. For example, who is responsible for backup and restoration? Who is responsible for penetration testing? Who owns security incident management?
It’s important to note that this is not an exhaustive list and will continue to be updated. It is also something that is not unique to ConnectWise. It’s a standard component of any service provider’s repertoire. It is also not meant to be used in a legal context. You should always consult your own legal counsel around matters like this.
We recommend you bookmark the ConnectWise Trust Center and visit it often to find information related to security, privacy, compliance, and more.