Compliance Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Compliance Policy
Framework Reference: Secure Controls Framework – Compliance (CPL)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Compliance requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to identify and adhere to applicable statutory, regulatory, and contractual obligations, and to maintain oversight and assessment of cybersecurity and data protection controls.
2. Applicability
Section titled “2. Applicability”This standard applies to all FRHC systems, personnel, and business activities subject to federal, state, or local regulatory requirements and to contractual commitments with customers and business partners. It governs compliance activities related to HIPAA, SOC 2, state breach notification laws, and contracts with customers including all clients and TransUnion.
3. Standard
Section titled “3. Standard”3.1 Statutory, Regulatory & Contractual Compliance
Section titled “3.1 Statutory, Regulatory & Contractual Compliance”FRHC’s Chief Information Security Officer (CISO) and Computer Security Team (CST) are responsible for staying informed of federal, state, and local compliance requirements, including HIPAA, SOC 2, Massachusetts information security law (201 CMR 17.00), and applicable state breach notification and data protection laws. Updates from the Secure Controls Framework (SCF) organization are routinely reviewed. When relevant changes are identified, the CISO and CST assess and revise internal security policies and standards to maintain compliance. Customer and vendor contracts are reviewed upon execution or amendment to ensure security requirements are understood and incorporated into operations.
- Parent Policy Mapping: STH Compliance Policy, Section 3.1
- SCF Mapping: CPL-01 (Statutory, Regulatory & Contractual Compliance)
3.2 Cybersecurity & Data Protection Controls Oversight
Section titled “3.2 Cybersecurity & Data Protection Controls Oversight”FRHC’s CISO is responsible for implementing and managing the information security program, including defining, overseeing, and updating security and privacy controls based on risk and operational needs. The CST supports this function by reviewing existing controls, identifying improvement opportunities, and ensuring all safeguards remain aligned with regulatory and contractual expectations.
- Parent Policy Mapping: STH Compliance Policy, Section 3.2
- SCF Mapping: CPL-02 (Security, Compliance & Resilience Controls Oversight)
3.3 Cybersecurity & Data Protection Assessments
Section titled “3.3 Cybersecurity & Data Protection Assessments”The CST routinely evaluates whether departments and teams are following established information security policies and procedures, identifying opportunities for improvement. To promote objectivity and meet regulatory requirements, FRHC engages third-party firms to perform annual SOC 2 Type II audits. Assessment results are documented and inform corrective actions and control updates.
- Parent Policy Mapping: STH Compliance Policy, Section 3.3
- SCF Mapping: CPL-03 (Security, Compliance & Resilience Assessments), CPL-03.1 (Independent Assessors)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence supporting compliance controls, including regulatory obligation registers, control mapping documentation, internal assessment results, and external audit reports. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Compliance Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
- 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
- 45 CFR §164.308(a)(8) – Evaluation
- AICPA SOC 2 Trust Services Criteria:
- Security (CC1.1, CC7.2)
- Confidentiality (C1)
- Privacy (P8)
- Massachusetts 201 CMR 17.00: §17.03 (Written Information Security Program Requirements)
Framework Alignment:
- CPL-01 – Statutory, Regulatory & Contractual Compliance
- CPL-02 – Security, Compliance & Resilience Controls Oversight
- CPL-03 – Security, Compliance & Resilience Assessments
- CPL-03.1 – Independent Assessors
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | April 2020 | M Machin |
| 1.0 | Formatting Update | October 2023 | M Machin |
| 1.1 | Policy updated and approved for 2024 | May 2024 | WSI |
| 2.0 | Updated and approved for 2025 | July 2025 | M Machin |
| 3.0 | Converted to Standard | April 2026 | M Machin |
| 3.1 | Added explicit 201 CMR 17.00 tracking reference (§3.1); added MA regulatory citation | April 2026 | M Machin |
