Get Started
Close

Sequoia Trust Center

Coming through for clients

At Sequoia, mutual trust is the foundation on which we build all our relationships. For over 21 years, Sequoia has provided the guidance clients need to care for their people and their business. When it comes to matters of data, technology, and security, our approach is based on investing in enterprise-class security features, an experienced and committed team, and continuous improvement. 

Components

We extend trust through our service infrastructure and platform, with particular focus on security, compliance, and availability.

Illustrastion of secure technology platform

Security

We take security seriously and will continue to invest heavily in this area
More

Image of a compliance checklist

Assessment

We undergo annual third-party assessment of our control framework
More

Illustrastion of secure technology platform

Status

See the current availability and performance status of Sequoia systems
Check status

Illustrastion of secure technology platform

Best Practices

See our recommendations and reminders for secure system access
View

Security

Sequoia has invested heavily in security infrastructure and staffing over its 21-year history.  Components of our security program are outlined below:

Governance

Sequoia has appointed a Chief Information Security Officer (CISO) to lead the Security & IT function and develop policies and procedures to monitor and manage risks. Our cybersecurity program is supported by operations, product, engineering, and legal.

Security Policy

Sequoia’s Acceptable Use Policy (AUP) applies to Sequoia team members regarding the use and/or access of company information systems and data. The AUP includes guidance on information security and practices and emphasizes the scope of individual responsibilities in adhering to company policies, applicable laws, and regulations.

Cyber Security Risk Management

Sequoia undergoes internal and external third-party risk assessments to identify areas where we can improve our security controls and processes and strengthen our security posture.

Application Security
Sequoia’s approach is to minimize its IT infrastructure footprint to the extent possible in favor of leveraging enterprise-level third-party service providers to host our applications and provide our services. Where possible, core applications are integrated using SSO and are protected using a defense-in-depth approach, ranging from strong passwords to Multi-Factor Authentication (MFA) and Role-Based Access Controls (RBAC). MFA makes it much more difficult for attackers to access protected systems and applications. Sequoia’s applications undergo third-party penetration tests and enforce session timeouts after a period of inactivity.
Data Encryption

Sequoia uses strong encryption algorithms such as AES-256 for data at rest and TLS 1.2/1.3 for HTTPS connections so that data is encrypted both in transit and at rest (when stored).

Patch & Vulnerability Management
Security is part of the Software Development Lifecycle (SDLC) at Sequoia. Systems are patched regularly and critical patches are applied on an expedited basis. Threats and vulnerabilities are identified via various methods and technologies, third-party penetration tests, static and dynamic scans, and security assessments.
Endpoint Security & Monitoring

Sequoia’s endpoints are secured using advanced solutions to detect and respond quickly to malicious attacks. We also leverage web filtering solutions to prevent malicious internet traffic. Systems are monitored 24/7 by a variety of technologies and our SIEM is monitored 24/7/365 by a leading MSSP.

Security Awareness

Sequoia team members are trained frequently on security best practices, how to avoid phishing attacks, and how to properly handle and protect sensitive data.

Privacy

Sequoia’s Privacy policy can be found here.

Road Map

Our security team continues to drive forward with additional investments, including implementing additional machine learning and AI capabilities to existing detection tools, staffing an internal incident response and detection team, amplifying our existing third-party testing program to increase testing frequency, and implementing a bug bounty program.  As part of our ongoing strategy of continuous enhancement, please continue to check this Trust Center to learn about additional security assets that we will make available to clients.

Assessments

Sequoia undergoes annual SOC 2 Type II + HITRUST, ISO 27001, ISO 27017, and ISO 27018 assessments, which demonstrates our continued focus on establishing and complying with our control framework around protecting systems and data. The assessment reports are available for review under NDA.

AICPA SOC Badge
Johanson-IAS-ISO-Logos-Transparent (Sep23)

Latest Blog Posts

Best Practice Recommendations 

Sequoia clients can use these helpful reminders to ensure secure access when using the Sequoia People Platform. 

Recommendations for Employers:

  • Enable SSO (Single Sign On)
  • Enable Multi-factor authentication (MFA)
  • Enforce strong passwords and rotate passwords on a frequent basis
  • Follow the Sequoia Trust Center for any new security alerts
  • Share the CISA Avoiding Social Engineering and Phishing Attacks
  • Ensure your employees know that Sequoia system emails are sent to their work email leveraging your corporate domain, not to their personal emails. Exceptions:
    1. Dependents will be sent system emails to whichever email they signed up with
    2. Early-stage companies who sign-up without an established domain (rare)

Upcoming Enhancements to the Sequoia People Platform:

  • MFA will be applied to non-SSO access to our mobile app for extra security
  • As an extra reassurance to your people that they are in the right place, your company logo will now be shown as an interstitial step during the login process (right after email verification)

    Recommendations for Employees:

    • Sequoia notification emails will always come from an @sequoia.com email address
    • Access to the Sequoia portal is always through a @sequoia.com domain, example: login.sequoia.com, admin.sequoia.com or px.sequoia.com
    • As one of our employees, your Sequoia notifications will come to your work email, never to your personal email.
      • Note the exception: Your dependents will receive notifications to whatever email they signed up with

    Phishing attempts are unfortunately all too common. Here are some general tips on staying vigilant:

    • Always check who the email was sent from. Don’t simply act on familiar aesthetics.
    • Check for grammatical errors, incorrect spelling, and unusual capitalization
    • Avoid acting impulsively to urgent messages – this is a common scammer tactic
    • Double check the URL links in any email by mousing over them. Look for the proper domains. When in doubt, type in the URL address manually.
    • If you receive an email that looks suspicious or you are not the intended recipient, don’t click on any links and report it to your IT and Security team at your organization