ISAE 3402 and Our Constant Focus on Data Security

At GatewayAPI, we take data protection, operational reliability and compliance seriously, and we are committed to providing our customers with full transparency and assurance regarding how we manage and protect their data.
Every year, we undergo an independent ISAE 3000 audit, which focuses on areas such as GDPR compliance, information security and data privacy. This results in an assurance report that confirms we have strong internal controls in place and that we adhere to relevant regulations when processing personal data.
In addition to our ISAE 3000 assurance, we are pleased to announce that we have now also obtained an ISAE 3402 Type II assurance report, which further strengthens our transparency and allows us to meet specific customer requirements.
We have even chosen to publish the ISAE 3402 statement on our website, allowing everyone to go through it and learn more about our safeguards in detail.
What is ISAE 3402?
ISAE 3402 (International Standard on Assurance Engagements 3402) is a widely recognized standard used to assess the internal control systems of service providers. The purpose of ISAE 3402 is to offer assurance that an organization has reliable, effective and well-documented controls, particularly around IT systems, data handling and core operational processes that support its service delivery.
There are two types of ISAE 3402 reports:
- A Type I report provides a snapshot in time. It confirms that controls have been designed and implemented as of a specific date.
- A Type II report, which we obtained, goes further by evaluating the operating effectiveness of those controls over a defined review period. In other words, it’s not just about having the right controls in place – it’s about demonstrating that they are consistently followed in practice.
Scope tailored to each business
An important aspect of ISAE 3402 is that the scope of the report is not fixed, but rather defined based on the services provided and the customer needs. Typically, the scope includes control areas drawn from frameworks such as ISO/IEC 27002, which focuses on information security management best practices.
Because each service provider is different, the scope of an ISAE 3402 report is unique to the company and the services covered. In our case, the report includes the following key control areas essential to how we deliver and manage our services to customers:
- Monitoring
- Penetration testing
- Review and change management of supplier services
- Information security for use of cloud services
- Information security incident management planning and preparation
Why an ISAE 3402 report?
This audit was pursued to support the compliance needs of current and future customers, who include ISAE 3402 in their vendor assessment frameworks. By undergoing this audit, we provide a standardized, independent evaluation of our internal controls.
The scope of the report is aligned with the services we provide, ensuring it supports the specific compliance requirements of our customers. ISAE 3402 Type II confirms that our internal controls are not only in place but are consistently applied and effective over time.
Do you want to know more?
We are available to any data subject and any customer or customer’s customer who wishes to discuss our compliance with us. We are transparent in our efforts and want you to have complete peace of mind when using us as a supplier.
If you have specific questions or follow-ups in relation to the above, we are here to help. You can write to us with GDPR-related questions at gdpr@onlinecity.com.
