Compliance

Blue Hill meets all regulatory requirements to support our government and commercial clients. All services are delivered from on-shore locations in the USA. We also assist and support our clients during their required audits.

Blue Hill is SOC 2 Type 2 (SSAE 18) Compliant

A SOC 2 Type 2 examination reports on controls at a service organization in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18. The examination results validate that the policies and procedures Blue Hill has in place comply with the SOC 2 Type 2 (SSAE 18) standards for security, availability, processing integrity, confidentiality, and privacy relevant to a client’s confidential and critical data. SOC 2 also aligns with international standards and includes a written assertion from management on the design and operating effectiveness of the data center controls.


Blue Hill is SOC 1 Type 2 (SSAE 18) Compliant

A SOC 1 Type 2 examination reports on controls at a service organization in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, and validates that the policies and procedures Blue Hill has in place comply with the SOC 1 (SSAE 18) standards for business processes and information technology relevant to user entities’ internal control over financial reporting. SOC 1 Type 2 also aligns with international standards and includes a written assertion from management on the design and operating effectiveness of the data center controls.


Blue Hill is PCI-DSS Compliant – Network Services

Blue Hill is enrolled in Trustwave’s Trusted Commerce™ program to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) mandated by all the major credit card associations, including American Express, Diners Club, Discover, JCB, MasterCard Worldwide, Visa, Inc. and Visa Europe. Blue Hill provides its PCI DSS AOC to clients and completes quarterly vulnerability scans to demonstrate compliance.


Blue Hill is PCI-DSS Compliant – Colocation Services

By successfully completing the annual PCI Data Security Standard (DSS) Version 3.2.1 examination, Blue Hill has demonstrated full compliance with PCI DSS requirements and security assessment procedures for the controls it has put in place at its hosted data center facility in Pearl River, NY. Blue Hill receives a Report on Compliance (ROC), validated by an annual on-site assessment, and an Attestation of Compliance (AOC) declaring that the results of all sections of the ROC are complete and result in an overall COMPLIANT rating.


Data Privacy Framework (DPF)

The Data Privacy Framework Program, administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, covers how personal information entered on the Blue Hill Data Services website is collected, used, and disclosed, and describes your choices regarding use, access, and correction of this personal information.

Blue Hill participates in and has certified its compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, and publicly commits to comply with the Data Privacy Framework Principles. Blue Hill is committed to subjecting all personal data received from the European Union (EU), the United Kingdom, and Switzerland in reliance on the respective DPF to the DPF’s applicable Principles.


Trusted Website Privacy Certification

Blue Hill’s privacy policy and practices comply with TRUSTe’s program requirements, including transparency, accountability, and choice regarding the collection and use of personal information through our website.

Trusted Cloud Privacy Certification

Blue Hill maintains privacy and security practices for clients of our Cloud Hosted platform, demonstrating that data entrusted to Blue Hill by our business clients for processing, management, and storage is protected and secured in compliance with the TRUSTe Cloud Privacy Certification Program requirements.


Blue Hill Personnel are HIPAA/HITECH Privacy & Security Certified

Blue Hill employees attend and complete mandatory HIPAA and HITECH compliance training programs to maintain privacy and security practices for Protected Health Information (PHI) based on the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.


Blue Hill has enrolled in the StateRAMP Progressing Security Snapshot Program and is working with the StateRAMP PMO Team to become “StateRAMP Ready.” By enrolling in the StateRAMP Progressing Security Snapshot Program, we are given an indefinite provisional status with state, county, and local government agencies and higher education institutions that participate in StateRAMP, including:

Alabama, Arizona, California, Florida, Massachusetts, North Carolina, Nevada, Texas, and Vermont, to name a few.

See the full list of participating governments working with StateRAMP toward a common standard for cybersecurity: https://stateramp.org/participating-governments/


Blue Hill is in Compliance with the Criminal Justice Information Services (CJIS) Security Policy

All Blue Hill solutions and services are customized to each client’s specific CJIS compliance requirements.


Blue Hill is in Compliance with the IRS Publication 1075 Tax Information Security Guidelines for Federal, State, and Local Agencies through a self-attestation.

Blue Hill maintains compliance with the IRS Publication 1075 Tax Information Security Guidelines through formally documented physical and logical security policies and data center site audits, as required. All Blue Hill solutions and services are customized to each agency’s specific IRS Publication 1075 compliance requirements.


Blue Hill is in Compliance with the International Organization for Standardization ISO 27001 Standards and Controls

Blue Hill has adopted a best-in-class management process to ensure that its information security controls continue to meet our clients’ information security requirements on an ongoing basis. All Blue Hill solutions are customized to meet the specific regulatory requirements of each client.


Blue Hill is in Compliance with MARS-E Volume II (Minimum Acceptable Risk Standards for Exchanges), issued by the Centers for Medicare & Medicaid Services (CMS), through a self-attestation.

Blue Hill maintains vigilance over the protection and integrity of clients’ critical and confidential data (PHI, PII, and FTI) through logical and physical security measures, in order to meet and maintain compliance with regulatory and industry security standards as well as the mandates of the Affordable Care Act of 2010.


Blue Hill is GLBA and FFIEC Compliant

By successfully completing annual SOC 1 Type 2 and SOC 2 Type 2 examinations, Blue Hill provides additional assurance of its security and privacy controls to our financial institution clients, and their clients, who run their processing environments at Blue Hill. Blue Hill safeguards the private information of individuals, controls the collection and disclosure of private financial information, and applies appropriate security for the protection of such information.

Blue Hill supports the FFIEC’s uniform principles, standards, and report forms for the federal examination of financial institutions. Blue Hill follows the data and network security requirements of each client, including multifactor authentication, to protect against security breaches.


As part of Blue Hill’s continuing strategy to further enhance our security standards and consistently add to our multi-layer security posture, Blue Hill is pleased to announce its strategic partnership with Cybersafe Solutions. This partnership will support Blue Hill’s corporate and customer security efforts. Cybersafe helps companies avoid expensive and disruptive cyber compromises by complementing our current defensive programs with best-in-class cyberthreat detection, live containment, and immediate response capabilities. Cybersafe supplements our multiple prevention processes by providing an additional layer of security, including 24×7 monitoring, to proactively detect potential risks or vulnerabilities to our corporate infrastructure. This added security layer also supports our ongoing strategy for meeting and exceeding all certification and compliance requirements.