Compliance & Standards

Meeting Regulatory Requirements for Emergency Services

Last Updated: January 15, 2025

FireGauge maintains rigorous compliance with industry standards, regulatory requirements, and best practices for data security and privacy. Our commitment to compliance protects your agency's data and ensures we meet the stringent requirements of emergency services operations.

Compliance Standards

FireGauge meets or exceeds these industry standards:

SOC 2 Type II
ISO 27001
HIPAA
CJIS
NIST
GDPR

SOC 2 Type II Compliance

Service Organization Control 2

FireGauge maintains SOC 2 Type II certification, demonstrating our commitment to the highest standards for security, availability, processing integrity, confidentiality, and privacy of customer data.

Trust Service Criteria:

  • Security: Protection against unauthorized access (logical and physical)
  • Availability: System availability for operation and use as committed
  • Processing Integrity: Complete, valid, accurate, timely, and authorized processing
  • Confidentiality: Protection of information designated as confidential
  • Privacy: Collection, use, retention, disclosure, and disposal of personal information

Audit Scope:

  • Annual independent third-party audits by qualified CPA firms
  • Comprehensive testing over a 12-month period (Type II)
  • Review of security policies, procedures, and controls
  • Testing of control effectiveness and operational compliance

SOC 2 reports are available to customers and prospects under NDA. Contact compliance@firegauge.com to request one.

ISO 27001 Information Security Management

International Standards Organization

FireGauge is ISO 27001 certified, demonstrating our implementation of a comprehensive Information Security Management System (ISMS) that follows international best practices.

Key ISO 27001 Controls:

  • Information Security Policies: Comprehensive security policy framework
  • Organization of Information Security: Defined roles and responsibilities
  • Human Resource Security: Screening, training, and termination procedures
  • Asset Management: Identification and classification of information assets
  • Access Control: User access management and privilege controls
  • Cryptography: Encryption policies and key management
  • Physical and Environmental Security: Secure facility controls
  • Operations Security: Change management, capacity management, malware protection
  • Communications Security: Network security and information transfer
  • System Development and Maintenance: Security in development lifecycle
  • Supplier Relationships: Third-party security management
  • Incident Management: Security incident response procedures
  • Business Continuity: Continuity planning and redundancy
  • Compliance: Legal and regulatory compliance reviews

Continuous Improvement:

  • Regular internal audits and management reviews
  • Annual external certification audits
  • Ongoing risk assessments and treatment plans
  • Corrective and preventive action processes

HIPAA Compliance

Health Insurance Portability and Accountability Act

For EMS agencies handling Protected Health Information (PHI), FireGauge provides HIPAA-compliant data handling and is available as a Business Associate under HIPAA regulations.

HIPAA Security Rule Compliance:

  • Administrative Safeguards:
    • Security management process with risk analysis and management
    • Workforce security including authorization and supervision
    • Information access management with role-based controls
    • Security awareness and training programs
    • Security incident procedures and response plans
    • Contingency planning with backups and disaster recovery
  • Physical Safeguards:
    • Facility access controls and physical security
    • Workstation security policies and procedures
    • Device and media controls for data disposal
  • Technical Safeguards:
    • Access controls with unique user identification and authentication
    • Audit controls for logging and monitoring
    • Integrity controls to prevent improper PHI alteration
    • Transmission security with encryption

HIPAA Privacy Rule Compliance:

  • Minimum necessary access to PHI
  • Individual rights support (access, amendment, accounting of disclosures)
  • Privacy policies and procedures
  • Workforce training on PHI handling
  • Business Associate Agreements (BAA) available

HIPAA Breach Notification:

  • Breach assessment and notification procedures
  • Incident response coordination with covered entities
  • Documentation and reporting as required

CJIS Security Policy

Criminal Justice Information Services

FireGauge supports compliance with FBI CJIS Security Policy requirements for agencies accessing Criminal Justice Information (CJI) through integrated CAD and RMS systems.

CJIS Security Requirements:

  • Security Awareness Training: Annual training for personnel with CJI access
  • Incident Response: Documented procedures for security incident handling
  • Auditing and Accountability: Comprehensive logging of CJI access and activities
  • Access Control: Role-based access with minimum necessary permissions
  • Identification and Authentication: Advanced authentication (multi-factor) for CJI access
  • Configuration Management: Secure baseline configurations and change control
  • Media Protection: Secure storage and disposal of media containing CJI
  • Physical Protection: Physical security controls for facilities and equipment
  • System and Communications Protection: Encryption for CJI in transit and at rest
  • System and Information Integrity: Malware protection and vulnerability management

Personnel Security:

  • Background investigations for personnel with CJI access
  • FBI fingerprint-based background checks where required
  • Regular recertification and access reviews

CJIS Agreements:

  • CJIS Security Addendum available for applicable agencies
  • Coordination with state CJIS Systems Agencies (CSA)
  • Compliance with state-specific CJIS requirements

NIST Framework Alignment

National Institute of Standards and Technology

FireGauge aligns with the NIST Cybersecurity Framework and incorporates NIST Special Publications for security and privacy controls.

NIST Cybersecurity Framework Functions:

  • Identify: Asset management, business environment, governance, risk assessment, and risk management strategy
  • Protect: Access control, data security, protective technology, security awareness training, and secure configurations
  • Detect: Continuous monitoring, anomaly detection, and security event logging
  • Respond: Incident response planning, communications, analysis, mitigation, and improvement
  • Recover: Recovery planning, improvements, and communications

Key NIST Publications:

  • NIST SP 800-53: Security and Privacy Controls for Information Systems
  • NIST SP 800-171: Protecting Controlled Unclassified Information (CUI)
  • NIST SP 800-63: Digital Identity Guidelines (authentication and identity proofing)
  • NIST SP 800-61: Computer Security Incident Handling Guide
  • NIST Privacy Framework: Privacy risk management and controls

GDPR and International Privacy

General Data Protection Regulation

While FireGauge primarily serves U.S.-based emergency services agencies, we maintain GDPR-compliant practices to protect personal data rights and enable international cooperation.

GDPR Principles:

  • Lawfulness, Fairness, and Transparency: Clear privacy notices and lawful processing bases
  • Purpose Limitation: Data collected for specified, legitimate purposes only
  • Data Minimization: Collection limited to necessary data
  • Accuracy: Procedures to maintain accurate and current data
  • Storage Limitation: Defined retention periods and deletion procedures
  • Integrity and Confidentiality: Security measures to protect personal data
  • Accountability: Demonstrated compliance and documentation

Individual Rights Support:

  • Right to Access: Ability to request copies of personal data
  • Right to Rectification: Correction of inaccurate data
  • Right to Erasure: Deletion of data where legally permissible
  • Right to Restrict Processing: Limitation of processing in certain circumstances
  • Right to Data Portability: Provision of data in structured format
  • Right to Object: Objection to certain types of processing

Data Protection Measures:

  • Data Protection Impact Assessments (DPIA) for high-risk processing
  • Privacy by Design and by Default in product development
  • Data Processing Agreements (DPA) for sub-processors
  • Breach notification procedures (72 hours to supervisory authority)
  • Designated Data Protection Officer (DPO) available for contact

State and Local Regulations

Regional Compliance

State Privacy Laws:

  • California (CCPA/CPRA): Consumer privacy rights including access, deletion, and opt-out
  • Virginia (VCDPA): Consumer data protection rights
  • Colorado (CPA): Data privacy and consumer rights
  • Other State Laws: Compliance with emerging state privacy regulations

Public Records Laws:

  • Support for agency compliance with state public records requests
  • Data export capabilities for records production
  • Retention policies aligned with state and local requirements

Emergency Services Regulations:

  • NEMSIS (National EMS Information System) compliance for EMS data
  • NFIRS (National Fire Incident Reporting System) support
  • State-specific EMS and fire reporting requirements

Compliance Management Program

Ongoing Compliance Activities

Internal Compliance Program:

  • Designated Compliance Officer and compliance team
  • Regular compliance assessments and gap analysis
  • Documented policies and procedures
  • Compliance training for all personnel
  • Third-party compliance audits and assessments
  • Corrective action tracking and remediation

Compliance Monitoring:

  • Continuous monitoring of regulatory changes
  • Regular risk assessments and control testing
  • Internal audit programs
  • Compliance metrics and reporting to leadership

Documentation and Evidence:

  • Comprehensive documentation of controls and procedures
  • Audit evidence collection and retention
  • Compliance artifacts available for customer review
  • Regular updates to compliance documentation

Vendor Compliance:

  • Third-party vendor compliance assessments
  • Review of vendor certifications and audit reports
  • Contractual compliance requirements for vendors
  • Regular vendor compliance monitoring

Customer Compliance Support

Supporting Your Agency's Compliance

Compliance Documentation:

  • SOC 2 Type II reports available under NDA
  • ISO 27001 certificates and scope documentation
  • Security and compliance white papers
  • Data flow diagrams and architecture documentation
  • Business Associate Agreements (BAA) for HIPAA
  • Data Processing Agreements (DPA) for GDPR
  • CJIS Security Addendums where applicable

Audit Support:

  • Assistance with customer audit requests
  • Completion of security questionnaires
  • Evidence provision for customer compliance audits
  • Technical documentation for regulatory submissions

Compliance Features:

  • Comprehensive audit logging and reporting
  • Data retention and deletion capabilities
  • Role-based access controls aligned with compliance requirements
  • Data export for regulatory reporting or legal obligations
  • Incident notification procedures

Training and Guidance:

  • Security and compliance best practices documentation
  • Administrator training on compliance-related features
  • Guidance on configuring FireGauge for your compliance needs

Request Compliance Documentation

Detailed compliance documentation, audit reports, and certifications are available to customers and qualified prospects.

  • SOC 2 Reports: Type II audit reports under NDA
  • Certifications: ISO 27001 and other certificates
  • Security Questionnaires: Standard questionnaire responses

Questions About Compliance?

Our compliance team is available to discuss specific regulatory requirements, provide documentation, or address questions about how FireGauge supports your agency's compliance obligations.

Compliance Contacts

Email: info@firegauge.com
Phone: 1-866-986-6911