Compliance DFIN demonstrates compliance by making a number of reports available to our clients. Reporting on our compliance DFIN establishes various controls to ensure the confidentiality, integrity and availability of client data. Cornerstones of DFIN cybersecurity are ensuring our security controls are operating effectively and measuring the effectiveness of governance, risk and compliance programs. IT Governance and Risk Learn about IT governance and risk @DFIN. Reports and documents Learn how DFIN demonstrates compliance throughout the enterprise. Request-up-to-date reports and other artifacts. Overview IT Governance IT Risk Management Vendor Risk Management IT Governance and Risk DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations. Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritisation) to monitor performance and compliance. DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security). DFIN IT Governance IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organization to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalized and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the organization. Our clients benefit from this well-organized IT Governance team because it ensures consistency, organization, predictability, and order. DFIN IT Risk Management IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organisation. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level. DFIN Vendor Risk Managment When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorises suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorised, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier. IT Governance and Risk DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations. Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritisation) to monitor performance and compliance. DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security). DFIN IT Governance DFIN IT Governance IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organisation to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalised and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the company. Our clients benefit from this well-organised IT Governance team because it ensures consistency, organisation, predictability, and order. DFIN IT Risk Management DFIN IT Risk Management IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organisation. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level. DFIN Vendor Risk Managment DFIN Vendor Risk Management When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorises suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorised, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier. Overview SOC 2 Type II Global Investment Companies Global Capital Markets ActiveDisclosure SOC 2 + HITRUST ISO 27001 Certification ISO 9001 Certification Shared Assessment (SIG) Cloud Security Alliance CAIQ Bridge Letters Reports and documents DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment. DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review. Global Investment Companies DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. PRODUCTS & SERVICES COVERED ARC Suite ARC Pro Print and Composition Services Other Solutions The GIC SOC 2 Type II report is available to current and prospective clients under a singed non-disclosure agreement. Get the report Global Capital Markets DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement. Get the report ActiveDisclosure DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. PRODUCTS & SERVICES COVERED AD The ActiveDisclosure report is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report VENUE SOC 2 + HITRUST DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. PRODUCTS & SERVICES COVERED Venue The VENUE SOC 2 + HITRUST report is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report ISO 27001 Certification DFIN has obtained ISO 27001 in 2022 for the Enterprise. The ISO 27001 Certification is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report ISO 9001 Certification DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically. PRODUCTS & SERVICES COVERED Print Manufacturing The ISO 9001 certification is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report Security Review Questionnaires DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes. PRODUCTS & SERVICES COVERED Venue ActiveDisclosure ARC Products File16 Print and Composition SIGs, CAIQs and DDQs are made available to current clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fufillment. Get the report Cloud Security Alliance CAIQ and STAR Registry As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered. PRODUCTS & SERVICES COVERED CAIQ completed for enterprise The CAIQ can be made available to current and future clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fulfillment. Get the report Bridge Letter for SOC 2 Attestation DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. PRODUCTS & SERVICES COVERED GCM SOC 2 Report GIC SOC 2 Report ActiveDisclosure SOC 2 Report VENUE SOC 2 Report Bridge letters are available to current and prospective clients under a signed non-disclosure agreement. Get the report Reports and documents DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment. DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review. SOC 2 Type II Global Investment Companies Global Investment Companies DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th. PRODUCTS & SERVICES COVERED ARC Suite ARC Pro Print and Composition Services Other Solutions The GIC SOC 2 Type II report is available to current and prospective clients under a singed non-disclosure agreement. Get the report Global Capital Markets Global Capital Markets DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement. Get the report ActiveDisclosure ActiveDisclosure DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. PRODUCTS & SERVICES COVERED AD The ActiveDisclosure report is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report SOC 2 + HITRUST VENUE SOC 2 + HITRUST DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. PRODUCTS & SERVICES COVERED Venue The SOC 2 + HITRUST report is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report ISO 27001 Certification ISO 27001 Certification DFIN has obtained ISO 27001 in 2022 for the Enterprise. The ISO 27001 Certification is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report ISO 9001 Certification ISO 9001 Certification DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically. PRODUCTS & SERVICES COVERED Print Manufacturing The ISO 9001 Certification is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report Shared Assessment (SIG) Security Review Questionnaires DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes. PRODUCTS & SERVICES COVERED Venue ActiveDisclosure ARC Products File16 Print and Composition SIGs, CAIQs and DDQs are made available to current clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fufillment. Get the report Cloud Security Alliance CAIQ Cloud Security Alliance CAIQ and STAR Registry As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered. PRODUCTS & SERVICES COVERED CAIQ completed for enterprise The CAIQ can be made available to current and future clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fulfillment. Get the report Bridge Letters Bridge Letter for SOC 2 Attestation DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. PRODUCTS & SERVICES COVERED GCM SOC 2 Report GIC SOC 2 Report ActiveDisclosure SOC 2 Report VENUE SOC 2 Report Bridge letters are available to current and prospective clients under a signed non-disclosure agreement. Get the report IT Governance and Risk Learn about IT governance and risk @DFIN. Overview IT Governance IT Risk Management Vendor Risk Management IT Governance and Risk DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations. Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritisation) to monitor performance and compliance. DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security). DFIN IT Governance IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organization to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalized and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the organization. Our clients benefit from this well-organized IT Governance team because it ensures consistency, organization, predictability, and order. DFIN IT Risk Management IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organisation. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level. DFIN Vendor Risk Managment When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorises suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorised, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier. IT Governance and Risk DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations. Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritisation) to monitor performance and compliance. DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security). DFIN IT Governance DFIN IT Governance IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organisation to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalised and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the company. Our clients benefit from this well-organised IT Governance team because it ensures consistency, organisation, predictability, and order. DFIN IT Risk Management DFIN IT Risk Management IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organisation. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level. DFIN Vendor Risk Managment DFIN Vendor Risk Management When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorises suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorised, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier. Reports and documents Learn how DFIN demonstrates compliance throughout the enterprise. Request-up-to-date reports and other artifacts. Overview SOC 2 Type II Global Investment Companies Global Capital Markets ActiveDisclosure SOC 2 + HITRUST ISO 27001 Certification ISO 9001 Certification Shared Assessment (SIG) Cloud Security Alliance CAIQ Bridge Letters Reports and documents DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment. DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review. Global Investment Companies DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. PRODUCTS & SERVICES COVERED ARC Suite ARC Pro Print and Composition Services Other Solutions The GIC SOC 2 Type II report is available to current and prospective clients under a singed non-disclosure agreement. Get the report Global Capital Markets DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement. Get the report ActiveDisclosure DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. PRODUCTS & SERVICES COVERED AD The ActiveDisclosure report is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report VENUE SOC 2 + HITRUST DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. PRODUCTS & SERVICES COVERED Venue The VENUE SOC 2 + HITRUST report is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report ISO 27001 Certification DFIN has obtained ISO 27001 in 2022 for the Enterprise. The ISO 27001 Certification is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report ISO 9001 Certification DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically. PRODUCTS & SERVICES COVERED Print Manufacturing The ISO 9001 certification is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report Security Review Questionnaires DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes. PRODUCTS & SERVICES COVERED Venue ActiveDisclosure ARC Products File16 Print and Composition SIGs, CAIQs and DDQs are made available to current clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fufillment. Get the report Cloud Security Alliance CAIQ and STAR Registry As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered. PRODUCTS & SERVICES COVERED CAIQ completed for enterprise The CAIQ can be made available to current and future clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fulfillment. Get the report Bridge Letter for SOC 2 Attestation DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. PRODUCTS & SERVICES COVERED GCM SOC 2 Report GIC SOC 2 Report ActiveDisclosure SOC 2 Report VENUE SOC 2 Report Bridge letters are available to current and prospective clients under a signed non-disclosure agreement. Get the report Reports and documents DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment. DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review. SOC 2 Type II Global Investment Companies Global Investment Companies DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th. PRODUCTS & SERVICES COVERED ARC Suite ARC Pro Print and Composition Services Other Solutions The GIC SOC 2 Type II report is available to current and prospective clients under a singed non-disclosure agreement. Get the report Global Capital Markets Global Capital Markets DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement. Get the report ActiveDisclosure ActiveDisclosure DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. PRODUCTS & SERVICES COVERED AD The ActiveDisclosure report is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report SOC 2 + HITRUST VENUE SOC 2 + HITRUST DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st. PRODUCTS & SERVICES COVERED Venue The SOC 2 + HITRUST report is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report ISO 27001 Certification ISO 27001 Certification DFIN has obtained ISO 27001 in 2022 for the Enterprise. The ISO 27001 Certification is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report ISO 9001 Certification ISO 9001 Certification DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically. PRODUCTS & SERVICES COVERED Print Manufacturing The ISO 9001 Certification is available to current clients and prospective clients under a signed non-disclosure agreement. Get the report Shared Assessment (SIG) Security Review Questionnaires DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes. PRODUCTS & SERVICES COVERED Venue ActiveDisclosure ARC Products File16 Print and Composition SIGs, CAIQs and DDQs are made available to current clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fufillment. Get the report Cloud Security Alliance CAIQ Cloud Security Alliance CAIQ and STAR Registry As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered. PRODUCTS & SERVICES COVERED CAIQ completed for enterprise The CAIQ can be made available to current and future clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fulfillment. Get the report Bridge Letters Bridge Letter for SOC 2 Attestation DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. PRODUCTS & SERVICES COVERED GCM SOC 2 Report GIC SOC 2 Report ActiveDisclosure SOC 2 Report VENUE SOC 2 Report Bridge letters are available to current and prospective clients under a signed non-disclosure agreement. Get the report We can provide additional information including our SOC 2 Type II report, once a Non-Disclosure Agreement is signed Talk to an expert or call +44 203 047 6100 Our CISO, Dannie Combs, discusses security and regulatory compliance Read the blog More findings, right this way Blog Hello Group Expands Global Footprint with Happn – Powered by DFIN Venue December 2025 View blog Blog DFIN Supported Singapore’s Largest IPO in Eight Years: UltraGreen.ai Lists on SGX December 2025 View blog Article M&A in 2026: What’s Powering Deals and Why Venue VDR Leads the Way December 2025 Read article Case study Explore How AprilBio Enhanced its Global Licensing Partnership with DFIN Venue December 2025 Read case study Article Driving Finance Leadership in the Age of AI: Insights from the CIMA Annual Conference 2025 in Hong Kong – Supported by DFIN December 2025 Read article Blog Preparing Your 2025 Form 20-F: Key Disclosure Trends and Compliance Considerations for FPIs December 2025 | Patricia Myles View blog Article What Is a Virtual Data Room for Private Equity? December 2025 Read article Article Investment Companies 2026 Outlook December 2025 Read article Guide DFIN GIC Regulatory Filing Coverage Guide November 2025 View guide Resources What is ESG? November 2025 | Priya Shah View resource Blog DFIN at London Life Sciences Week 2025: Seven Years of Partnership at LSX Investival Showcase November 2025 | Luke Marshall View blog Article DFIN at the 2025 Asia Pacific Capital Markets Forum: Why London Remains a Strategic Listing Destination for APAC Issuers November 2025 Read article Fact Sheet ArcFlex – Flexible Financial Reporting October 2025 View fact sheet Resources What Is IPO Due Diligence? A Guide for Advisors Using Venue VDR October 2025 View resource Resources Cross-Border M&A in Life Sciences: What Dealmakers Need to Know About Data & Compliance October 2025 View resource Resources How to Choose the Right Virtual Data Room Provider for Global M&A, Fundraising and More October 2025 View resource Calendar 2026 Investment Companies Regulatory Calendar October 2025 View calendar Report DFIN's IPO & Public Listing Report - Q3 2025 Edition October 2025 Read report Resources What is a Schedule 13D & 13G SEC Filing? October 2025 View resource Resources SEC Form F-4 October 2025 View resource