Security
Operations & Security
Great products come from great ideas. We have the security measures in place to protect your company’s future. Service and security you can trust with ProdPad.
For the deepest understanding of how we keep our customers’ data safe and to view our real-time security and compliance status, visit our Trust & Compliance Center.
Data Protection
All data entered into ProdPad is encrypted at rest and in transit. We use AWS Key Management Store to manage the encryption at rest, using AES-256 keys.
All data stores are snapshotted nightly and stored for 30 days. These backups are encrypted. Point-in-time logs complement the nightly snapshots, enabling us to recover data within seconds of a failure and quickly rebuild in another region should it be required.
Layered Protection
At ProdPad we layer protections. Firewalls exist at the host, network, and application levels, with content policies for both inbound and outbound traffic. Intrusion detection and response systems exist at both the network and host levels. Automated vulnerability scans are run regularly (at least once a week) at all levels.
Audit logs exist at all levels to support comprehensive compliance and security requirements. All code is statically analyzed and run through automated and manual QA processes.
Hosting Protection
ProdPad is hosted on Amazon Web Services, in the EU (Ireland) region. We benefit from the wealth of experience that AWS has built up over the years on running secure, resilient applications. We follow AWS security best practices.
AWS has numerous certifications including ISO 27001, ISO 27017, ISO 27018, and SOC 1, 2 and 3, along with more specialist certifications such as HIPAA, FISMA, NIST, C5, G-Cloud, FISC, IRAP, MTCS Tier 3, and Cyber Essentials Plus.
Compliance
ProdPad is fully SOC2 (Service Organization Control 2) Type II compliant, confirmed by an independent assessment by a certified auditor.
To find out more about our compliance and request a copy of the report, visit our Trust & Compliance Center.
CreateShift Ltd maintains the Cyber Essentials certification backed by the UK’s National Cyber Security Centre.
We are GDPR compliant, and an overview of our Data Processing Agreement is included within our Terms of Service. For further details contact hello@prodpad.com.
We maintain basic PCI compliance. All credit card details are handled by Recurly, Inc. and Stripe, Inc. At no point do we receive or store any credit card details.
Compliance is an ongoing process and we will be adding additional certifications in the future.
Privacy
We don’t re-sell or re-use your data in any way. Our staff are authorized to view the information in your database and logs only when specifically required for troubleshooting; they can’t simply log in and see your data.
You can find more information in our Privacy Policy.
Support and SLAs
ProdPad is based in the UK, so our support team is available to help you during UK business hours. However, we’re a pretty responsive team, so you’ll often find us responding to your requests earlier or later than you’d expect. We also have an active Slack community for current customers, which can be a big help if you just have a question on how to use the system.
Our Slack community is moderated by the ProdPad team, and no member is permitted to solicit or spam other members of the community. We are a friendly bunch, so just ask!
FAQs
Information Security FAQs
- Where is ProdPad hosted?
ProdPad is hosted by AWS in the EU region (Ireland, to be specific). We are able to provide alternative hosting arrangements if required, or even an on-premises deployment. See our Enterprise page for more details.
- Are you compliant with GDPR?
We are compliant with GDPR and have a Data Processing Schedule in our Terms of Service.
- Who owns the data in ProdPad?
You own your own data.
- Do users have to give consent before entering data into ProdPad?
Yes, we have a consent step for our terms of service, privacy policy, and cookie policy during the account creation process.
Application and Networks Security FAQs
- Do you encrypt your data?
Yes, all data is encrypted in transit and at rest.
- Have you performed a penetration test in the last 12 months?
Yes, we perform penetration tests annually.
- Do you have a regularly reviewed disaster management/business continuity plan?
Yes, this is one of the many policies and procedures which we have documented to ensure good risk management.
- Do you perform vulnerability and application scans?
Yes, we perform vulnerability scans weekly.
Standards, policies and procedures FAQs
- Do you maintain policies and procedures to govern the support and maintenance of the application?
Yes, we have a full set of policies and procedures which govern risk management, business continuity, information security, network security, physical security, remote access, HR, etc. We’re happy to work within an Agreed-Upon Procedures (AUP) engagement upon request.
- Do you work with third-party providers?
Yes, we work with AWS and other suppliers. We have privacy and confidentiality agreements in place with our suppliers, including Data Processing Addendums, Standard Contractual Clauses, Privacy Shield, and contracts.
- Are you compliant with ISO 27001 or any other standards?
ProdPad is currently collecting evidence and actively preparing for a SOC2 (Service Organization Control 2) Type II audit of our control environment via an independent assessment by a certified auditor. You can follow our journey to SOC2 Type II certification by visiting our Trust & Compliance Center. CreateShift Ltd also maintains Cyber Essentials certification backed by the National Cyber Security Centre. We haven’t applied for ISO 27001 certification; however, we have designed our policies and procedures around the requirements specified within that standard. Our hosting provider, AWS, is ISO 27001, ISO 27017, and ISO 27018 compliant. ProdPad has basic PCI compliance and does not store or receive credit card data.
Additional Information
Opting for an Enterprise plan gives you the option of a single-tenant or even an on-premises implementation.
We will also work with your procurement team throughout the evaluation process, with a comprehensive vendor assessment, including security, information security, and risk assessments. You can learn more by contacting sales@prodpad.com.
Further technical information about ProdPad can be found in our Help Center.
If you have any feedback on our approach to security, feel free to let us know via security@prodpad.com.