Compliance
Helping our customers
complete their compliance
screenings and due diligence.
We continuously look for opportunities to improve the dynamic technology landscape
To give you a highly secure, scalable system that delivers a great experience.
Customer data security is an essential part of our product, processes, and team culture. Our facilities, processes, and systems are reliable, robust, and tested by reputed quality control, data security organizations, internal and external auditors.
Tekion adheres to the Gramm Leech Bliley Act (GLBA), the California Privacy Rights Act (CPRA), General Data Protection Act (GDPR), and other privacy and security laws.
GLBA
Complying with the GLBA puts financial institutions at lower risk of penalties or reputational damage caused by unauthorized sharing or loss of private customer data.
Read more
Data Processing Addendum
This addendum addresses our data obligations to you, including under CPRA, GDPR, and GLBA.
Read more
Certifications, Attestations, Standards, and Regulations
SOC1
Type II report covering internal controls over financial reporting systems
SOC2
Type II report covering Security, Availability and Confidentiality
ISO/IEC 27001
Standard for Information Security Management through best practices and comprehensive security controls.
ISO/IEC 27701
Global privacy standard that focuses on the collection and processing of personally identifiable information (PII).
Frequently Asked Questions
Why are ISO/IEC 27001 and ISO/IEC 27701:2019 certifications important for Technology companies?
Compliance with ISO/IEC 27001 & ISO/IEC 27701:2019, certified by an accredited auditor, demonstrates that Tekion uses internationally recognized processes and best practices to manage the infrastructure and organization that support and deliver its services. The certificate validates that Tekion has implemented the guidelines and general principles for implementing, maintaining, and improving the management of information security and privacy.
How can I get the Tekion ISO/IEC 27001 and ISO 27701 audit documentation?
Please send us an email to compliance@tekion.com or request our certificates through our Trust Portal.
Who is the third-party independent assessor?
British Standards Institution (BSI), an ISO certification body accredited by ANSI National Accreditation Board (ANAB) and a member of the International Accreditation Forum (IAF). Certificates issued by BSI are recognized as valid certificates in all countries with an IAF membership. You may validate the certificates on BSI portal by clicking on the link
How does Tekion’s ISO certifications help their its customers?
The ISO 27001 and ISO 27701 certifications are a way to validate Tekion’s Security and Privacy compliance posture and ensure that high quality and trustworthy Information Security and data privacy practices are in place.
Does Tekion monitor and audit the ISO ISMS & PIMS frameworks frequently?
Yes. Tekion conducts the internal and external audits on an annual basis scoping ISO/IEC 27001:2022 and ISO/IEC 27701:2019 frameworks. The continued monitoring process makes it easier to detect potential weak spots and stop breaches before they affect the business.
Does Tekion adhere to information security standards and policies?
Yes. Tekion has achieved AICPA SOC 1 and SOC 2 – Type II attestations. Additionally, we have formal policies and procedures addressing how we develop, implement, maintain, and improve our robust information security program. These policies govern, among other thing’s, how our employees and contractors access, store, and secure customer data. The policies follow a similar format, have dedicated owners, and committed review periods, and cover a variety of topics ranging from securing our employees’ assets to responding to security incidents.
Does Tekion perform risk assessments?
Yes. At Tekion we have developed a Risk Management Framework as part of the Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2013 standard and SOC I & II attestation. The information security team assesses security risks annually and on an ongoing basis when major changes occur or when industry changes occur.
Do you limit access to data and your systems?
Yes. Access to customer data and Tekion systems are limited on a need-to-know basis. Our information systems and data are classified and segregated to support role-based access requirements. Additionally, we utilize strong identification and authentication and logging systems to centrally control, monitor, and review all critical access.
Is customer data on Tekion’s products encrypted?
Yes. We use high standards of encryption to secure our customer data at rest and in transit. And as an entirely cloud-based platform, our customers’ data is further secured by the state-of-the-art measures used by our cloud providers, Amazon Web Service and Microsoft Azure.
Do you have a formal disaster recovery and business continuity plan?
Yes, Tekion has a detailed disaster recovery and business continuity plan to ensure that we recover operations quickly and efficiently in case of a disaster. This includes deploying our platform across multiple data centers with replication and implementing strict recovery deadlines to ensure our systems are running again as soon as possible.
Do you monitor third-party vendors to ensure they comply with your security standards?
Yes, we have a supplier relationships procedure that ensures that third-party service providers implement required controls under security frameworks like ISO 27001, SOC 1, SOC 2, and PCI DSS.
Are all Tekion employees and contractors required to sign a non-disclosure agreement?
Yes, all new Tekion hires and contractors sign confidentiality agreements preventing misuse and unauthorized disclosure of customer data. Our employees and contractors have the same confidentiality obligations as we do to our customers.
Does Tekion have a formal incident response plan?
Yes, our incident response plan sets forth internal guidelines for detecting incidents, escalating to security personnel, communication, investigation, mitigation, and root cause analysis. You can find the details in our Data Processing Addendum.
Does Tekion screen its employees?
Yes, we work with third-party agencies to screen all of our employees prior to joining Tekion. Where permitted by law, we conduct credit and criminal checks as well.
Does Tekion use a Software Development LifeCycle (SDLC) process to develop its customer products?
Yes. We have implemented a systems development life cycle (SDLC) procedure to develop our products and services. Our code reviews and analysis are reviewed by automated technology and manual source code overview to identify any security loopholes prior to the production and release. We also conduct regular vulnerability and penetration testing, and correct any identified observations. Once a product has passed our security and quality checks, the new version of the product will be released to our customers.
What is Tekion Pay?
Tekion Pay is a comprehensive payment platform that centralizes payments from all channels. It minimizes manual data entry, reducing errors and automating reporting for a seamless payment process. By eliminating the need for a third-party processor, it enhances accuracy and streamlines payment collection.
Does Tekion see users’ card information?
No. Tekion cannot view or access your customer’s card information (e.g., credit or debit card number, card expiration date, or cvv). When a customer pays using Tekion Pay, Tekion receives a hashed (i.e., encrypted number) from the payment terminal instead of the actual card number and details. Tekion passes the hashed information via secure APIs to Stripe™. The hashed information is deleted from Tekion’s systems after it is passed to Stripe.
A hashed number is a scrambled representation of the card number and details – for example, a 16-digit credit card number may appear to Tekion as 1101 1111 1100 0000 instead of the actual card number. Only Stripe has the key to decrypt this hashed information, which it then uses to processes the transaction through the card issuer (e.g., Visa, MasterCard, or American Express). This is a highly secure method used by banks and other financial institutions to send and receive payment card numbers and other sensitive information.
Does Tekion need PCI DSS compliance?
Tekion does not require PCI DSS compliance as card payments through Tekion Pay are processed by Stripe, which powers Tekion Pay. Stripe, as the payment processor, is PCI DSS-certified and maintains the necessary security protocols and compliance certifications to process credit and debit card transactions.
Tekion does not directly access any of your customer’s card details. You can find more information about Stripe’s compliance functions at https://stripe.com/connect/features#compliance-and-security.
How is Tekion Pay secured?
Tekion Pay is integrated into ARC, which is secured using the industry’s best security measures. Additionally, we leverage Stripe’s state-of-the-art security measures, on top of what we already provide because Stripe handles all of the payment processing. Stripe adopts rigorous standards to safeguard customer data. Stripe keeps customers’ sensitive data safe by encrypting it both in transit and at rest. Stripe’s infrastructure for primary account numbers (PANs), like credit card numbers, runs in a separate hosting infrastructure, which does not share any credentials with the rest of Stripe’s services. Decryption keys are stored separately as well. Finally, Stripe’s card terminal is certified to the PCI Payment Application Data Security Standard, prohibiting payment applications developed for third parties from storing prohibited secure data. For more information, you can visit Stripe’s security page https://stripe.com/docs/security.
How do dealers access tax documents associated with their Tekion Pay account?
Yes, any applicable reports can be prepared and accessed within Tekion’s system. If necessary, Stripe may also provide any additional year-end tax reporting. Please reach out to your partner success manager for further assistance.
What payment methods are accepted in Tekion Pay?
We accept credit/debit card, Apple Pay, Google Pay, and ACH payments.
Can I set transaction limits by payment method?
Yes, you can set transaction limits based on the payment method.
Can I accept payments online?
Yes, you can accept payments online via our Consumer Portal, Concierge, and via email and text payment links. We are continuously adding new ways to incorporate digital payments into your business.
When do I get my money in the bank?
Currently, your payouts are made two days after the transaction, if you have set up automatic payouts (all customers will be moved towards automatic payouts in the coming periods, if not already). There might be a delay if you are using manual payouts (depending on your bank processing times).
Can I collect a surcharge for credit card payments?
Yes, you may add credit card surcharges to offset the per transaction fees that card issues may charge you. The surcharge is a flat rate that Tekion sets for credit card transactions and is automatically added to your customer's invoice.