Proving to auditors that you comply with industry requirements can be a headache. We make it easy. Learn how Deft supports your compliance requirements for GDPR, PCI DSS, HIPAA, and more.

SOC 2 Report

Deft’s annual SOC 2 audit serves as the foundation for helping customers satisfy vendor management needs and meet their own compliance requirements, including HIPAA.

The report contains an Auditor’s Opinion on the suitability of the design of Deft’s controls evaluated over a 12-month period to determine if they are functioning as described.

To request a copy of Deft’s audit report, email


Deft complies with GDPR through the information-collection disclosures in our Privacy Policy.

We utilize servers located in the United States as well as the European Economic Area (EEA) and Asia to collect, store, and process the data we collect, all of which are based within areas where the EU has determined adequate data protection laws are in place to protect your data.

We reserve the right to keep network logging data for a period of time adequate to ensure network security and safety for the systems we use and host customer data on in any country. Pursuant to regulatory, legal, and security requirements in Chapter 2 of the General Data Protection Regulation, this timeline is determined based on the type of data, the security implications of storing the data, the legal requirements Deft must meet with the data, and the privacy of the individual referenced in the data.

We take the security of our data very seriously and have a responsibility to the individuals on whose behalf we hold data on our systems and servers. Please refer to our Privacy Policy for more specifics on the security measures we put in place to protect your data on our systems, or to the headings below to review what kind of data we keep and the process to request, review, change, or remove data we hold.


Services that are in scope for PCI DSS compliance include colocation, custom private clouds, and custom public clouds.


Deft’s annual AT-101 SOC 2 Type II audit serves as the foundation for helping our healthcare customers meet their HIPAA compliance requirements.

We also regularly enter into Business Associate Agreements (BAAs) to support our healthcare customers.

You can use our handy checklist to help prepare your organization for HIPAA compliance.

Biometric Information Privacy Policy

Deft may collect, capture, or otherwise obtain Biometric Data and may provide such Biometric Data to its vendors and the licensor of Deft’s Systems. This policy covers the requirements for collecting, storing and erasing Biometric Data on Deft Systems.


Biometric Data – includes “Biometric Identifier” and “Biometric Information” as defined in the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1, et seq. – See below.

Biometric Identifier – means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Biometric Information – means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s Biometric Identifier used to identify an individual. Biometric Information does not include information derived from items or procedures excluded under the definition of Biometric Identifiers.

Systems – means, for the purpose of this Policy, computer systems, applications and software used to collect, store and process Biometric Data. Examples may include door access systems, time & attendance systems and systems used to provide authorization.

Purpose for Collection of Biometric Data

Deft, its vendors, and/or the licensor of Systems Deft utilizes collect, store, and use Biometric Data for employee identification, fraud prevention, pre-employment hiring purposes, and access control to various facilities and Systems.

Note: The data center manages and maintains their own access control system independent of Deft and will require a separate consent to collect biometric data.


Before collecting Biometric Data, Deft must first:

  • Inform the individual that Deft is collecting, capturing, or otherwise obtaining their Biometric Data, and that Deft is providing such Biometric Data to its vendors and the licensor of Deft’s Systems;
  • Inform the individual in writing of the specific purpose and length of time for which their Biometric Data is being collected, stored, and used; and
  • Deft, its vendors, and/or the licensor of Deft’s systems will not sell, lease, trade, or otherwise profit from Biometric Data; provided, however, that Deft’s vendors and the licensor of Deft’s systems may be paid for products or services used by Deft that use such Biometric Data.


Deft will not disclose or disseminate any Biometric Data to anyone other than its vendors and the licensor of Deft’s systems using Biometric Data without/unless:

  • First obtaining written consent to such disclosure or dissemination;
  • The disclosed data completes a financial transaction requested or authorized by the individual whose Biometric Data is being collected;
  • Disclosure is required by state or federal law or municipal ordinance; or
  • Disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

Retention Schedule

Deft shall retain Biometric Data only until, and shall request that its vendors and the licensor of Deft’s Systems permanently destroy such data when, the first of the following occurs:

  • The initial purpose for collecting or obtaining such Biometric Data has been satisfied, such as the termination of the individual’s relationship with Deft;
  • The individual requests the removal of Biometric Data; or
  • Within three (3) years of the individual’s last interaction with Deft.

Data Storage

Deft shall use a reasonable standard of care to store, transmit and protect from disclosure any Biometric Data collected. Such storage, transmission, and protection from disclosure shall be performed in a manner that is the same as or more protective than the manner in which Deft stores, transmits and protects from disclosure other confidential and sensitive information, including personal information that can be used to uniquely identify an individual or an individual’s account.

Still need help? Send us a note!

Questions, comments or complaints regarding Deft’s compliance can be mailed or emailed to:

Deft Legal Department
2200 Busse Rd.
Elk Grove Village, IL 60007 USA

+1 (312) 829-1111