ISAE 3402 - Documented control of operations and data processing
As part of twoday, Addo Sign is covered by an ISAE 3402 statement prepared by an independent auditor. This gives you as a customer the assurance that our operational and data processing processes are well documented, monitored and controlled according to internationally recognised standards.
What is ISAE 3402?
ISAE 3402 (International Standard on Assurance Engagements 3402) is an international auditing standard used to assess and document internal controls at service organizations – e.g., IT providers, data processors, and operational partners. The standard enables organizations to demonstrate that they have sufficient controls in place to protect their customers' data and ensure stable operations.
An ISAE 3402 report is especially relevant when a company handles critical data or operational tasks on behalf of others – and needs to document that these tasks are performed responsibly and securely.
Purpose of ISAE 3402
The purpose of ISAE 3402 is to provide customers and partners with a high degree of assurance that internal controls, risk management, and processes are under control. The standard requires that controls not only exist but also operate effectively over a period of time. Therefore, the report documents both the design and effective operation of the controls.
ISAE 3402 is often used as documentation in connection with outsourcing, compliance, and audits – and serves as a quality seal for IT and service companies.
What is assessed in the report?
The audit is conducted by an independent auditor who assesses several key areas such as data processing, system availability, change management, access control, incident management, and overall security organization. The auditor evaluates both how the controls are designed and how they have functioned in practice over time.
Two types of reports can be issued:
Type I: Assesses whether the controls are properly designed at a given point in time.
Type II: Assesses both the design and effective operation over an extended period.
What does this mean for Addo Sign’s customers?
Since Addo Sign is part of twoday, it is twoday that has received the ISAE 3402 report. The report covers key functions and systems that Addo Sign is integrated with – including operations, hosting, data security, and user management. This means Addo Sign’s customers can trust that data is handled securely and in accordance with documented control procedures.
ISAE 3402 is thus an important supplement to our compliance with GDPR and other security measures.
Part of our control environment
ISAE 3402 is a key part of twoday’s and Addo Sign’s overall control and compliance setup. The independent audit helps document that we work in a structured and responsible manner with operational control and information security – benefiting customers, partners, and regulatory authorities alike.