- PeopleGrove Security Principles
- Infrastructure Security
- Application Security
- Security Incident Response
- Disaster Recovery and Business Continuity
This document is intended for any PeopleGrove client or potential client who wants to learn more about how PeopleGrove approaches security.
We believe that the best way to achieve security is to build all systems and processes with security in mind and to leverage all modern tools and standards.
Our high-level security principles include:
- Employees of PeopleGrove only have access to client data on a need-to-know basis.
- Employees of PeopleGrove are required to use two-factor authentication to access all systems.
- Our application is securely hosted on Amazon Web Services infrastructure exclusively within the United States using the Heroku platform (a Salesforce company).
- Minimum password requirements are enforced for all users.
- We require encrypted connections (HTTPS) using TLS 1.2 at all times. Unencrypted access to the system is not supported.
- Our application is based on a REST API framework. Access to APIs is secured and reviewed periodically.
PeopleGrove uses Heroku (a Salesforce company) to assist with infrastructure management, scaling, and security. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout the world. Heroku is designed to protect against threats by applying security controls at every layer from physical to application, isolating customer applications and data, and rapidly deploying security updates without customer interaction or service interruption.
Heroku has security standards published here: https://www.heroku.com/policy/security
Heroku is compliant with the following certifications:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Heroku also provides the following threat management tools:
- DDoS Mitigation
- Spoofing and Sniffing Protections
- Port Scanning
Amazon Web Services
PeopleGrove also leverages Amazon Web Services (AWS) for certain infrastructure, and Heroku actually uses AWS infrastructure.
AWS has security standards published here: https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/
Amazon is one of the most trusted hosting providers in the world. Amazon maintains a series of security certifications including:
- ISO 27001
- PCI Compliance (Level 1)
- AICPA and SOC
AWS environments are continuously audited, with certifications from accreditation bodies across the globe. Amazon provides all server management for Heroku and PeopleGrove. PeopleGrove is hosted in the US-West Amazon data center.
We have a robust testing framework in place, which includes both automated and manual testing.
All code is reviewed by at least two engineers before pushing to production, and all deployments are signed off by the CTO.
If code is related to security or deemed to be high risk, at least three engineers must review the code, and additional testing must be completed before deployment.
- SQL injection
- Cross-site request forgery
- Session vulnerabilities
- Cross site scripting
- File access
- Denial of service
We review and promptly update any third-party software used based on recent security updates.
- We periodically perform internal penetration testing and are happy to facilitate vulnerability testing by our clients upon request.
- We are in the process of commissioning third-party penetration and vulnerability testing.
- All databases that contain production data are encrypted both in transit and at rest.
- We perform automated daily database backups that are retained for two weeks, and weekly database backups that are retained for three months. All database backups are encrypted at rest and stored securely.
- Database credentials are limited to the CTO and Lead Developers, who are always required to use two-step authentication to access this data.
- We will securely delete any client data from our servers within 30 days upon request.
- All clients have a right to request a full export of their data within 30 days upon request.
PeopleGrove is committed to keeping clients informed of any actual or potential security incidents and to providing support in the unlikely event of any incident.
- PeopleGrove will notify all clients by email within 24 hours of the discovery of any data breach or security incident
- PeopleGrove will assign a dedicated team of engineers within 24 hours to fully investigate the scope and severity of any security incident
- PeopleGrove will assist with the investigation of any security incident using all available monitoring tools and logging
- PeopleGrove will be available for any questions and follow up at firstname.lastname@example.org
- PeopleGrove will work with all clients to mitigate any security incident as much as possible
PeopleGrove is committed to providing a stable platform and is committed to restoring access to our systems quickly in the unlikely event of any disruption to our infrastructure or our business.
- Disaster Recovery
  - PeopleGrove only uses industry-leading infrastructure providers and tools, such as Heroku (a Salesforce company), Amazon Web Services, and Google Cloud Platform
  - We have contingency plans to launch our databases and application in other regions of our cloud providers, or another cloud provider entirely, if there is a major failure in one
  - Our application is built in a distributed and flexible way so that it does not depend on any specific servers but can be deployed quickly where necessary
  - All user data is backed up at least every 24 hours, and encrypted backups are maintained in multiple regions (within the US)
  - Our recovery time objective (RTO) is 4 hours and our recovery point objective (RPO) is 24 hours
- Business Continuity
  - PeopleGrove maintains offices across the world in the US and in India and has contingency plans to continue operations if one office becomes unavailable