Skip to content

Compliance Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Compliance Policy
Framework Reference: Secure Controls Framework – Compliance (CPL)


This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Compliance requirements established by Summit Technology Holdings, LLC (STH). It documents the controls and practices used to identify and adhere to applicable statutory, regulatory, and contractual obligations, and to maintain oversight and assessment of cybersecurity and data protection controls.


This standard applies to all FRHC systems, personnel, and business activities subject to federal, state, or local regulatory requirements and to contractual commitments with customers and business partners. It governs compliance activities related to HIPAA, SOC 2, state breach notification laws, and contracts with customers including all clients and TransUnion.


3.1 Statutory, Regulatory & Contractual Compliance

Section titled “3.1 Statutory, Regulatory & Contractual Compliance”

FRHC’s Chief Information Security Officer (CISO) and Computer Security Team (CST) are responsible for staying informed of federal, state, and local compliance requirements, including HIPAA, SOC 2, Massachusetts information security law (201 CMR 17.00), and applicable state breach notification and data protection laws. Updates from the Secure Controls Framework (SCF) organization are routinely reviewed. When relevant changes are identified, the CISO and CST assess and revise internal security policies and standards to maintain compliance. Customer and vendor contracts are reviewed upon execution or amendment to ensure security requirements are understood and incorporated into operations.

  • Parent Policy Mapping: STH Compliance Policy, Section 3.1
  • SCF Mapping: CPL-01 (Statutory, Regulatory & Contractual Compliance)

3.2 Cybersecurity & Data Protection Controls Oversight

Section titled “3.2 Cybersecurity & Data Protection Controls Oversight”

FRHC’s CISO is responsible for implementing and managing the information security program, including defining, overseeing, and updating security and privacy controls based on risk and operational needs. The CST supports this function by reviewing existing controls, identifying improvement opportunities, and ensuring all safeguards remain aligned with regulatory and contractual expectations.

  • Parent Policy Mapping: STH Compliance Policy, Section 3.2
  • SCF Mapping: CPL-02 (Security, Compliance & Resilience Controls Oversight)

3.3 Cybersecurity & Data Protection Assessments

Section titled “3.3 Cybersecurity & Data Protection Assessments”

The CST routinely evaluates whether departments and teams are following established information security policies and procedures, identifying opportunities for improvement. To promote objectivity and meet regulatory requirements, FRHC engages third-party firms to perform annual SOC 2 Type II audits. Assessment results are documented and inform corrective actions and control updates.

  • Parent Policy Mapping: STH Compliance Policy, Section 3.3
  • SCF Mapping: CPL-03 (Security, Compliance & Resilience Assessments), CPL-03.1 (Independent Assessors)

FRHC maintains evidence supporting compliance controls, including regulatory obligation registers, control mapping documentation, internal assessment results, and external audit reports. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Compliance Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
    • 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
    • 45 CFR §164.308(a)(8) – Evaluation
  • AICPA SOC 2 Trust Services Criteria:
    • Security (CC1.1, CC7.2)
    • Confidentiality (C1)
    • Privacy (P8)
  • Massachusetts 201 CMR 17.00: §17.03 (Written Information Security Program Requirements)

Framework Alignment:

  • CPL-01 – Statutory, Regulatory & Contractual Compliance
  • CPL-02 – Security, Compliance & Resilience Controls Oversight
  • CPL-03 – Security, Compliance & Resilience Assessments
  • CPL-03.1 – Independent Assessors

RevDescriptionDateApproved
-Policy createdApril 2020M Machin
1.0Formatting UpdateOctober 2023M Machin
1.1Policy updated and approved for 2024May 2024WSI
2.0Updated and approved for 2025July 2025M Machin
3.0Converted to StandardApril 2026M Machin
3.1Added explicit 201 CMR 17.00 tracking reference (§3.1); added MA regulatory citationApril 2026M Machin

Internal Use Only