Security: How we keep your data safe

At Prodly, data security is integral to our operations and solutions. We understand the sensitive nature of the data our application processes, so we take an industry-leading approach to ensuring your data is fully protected.

Prodly is built on the Salesforce platform. As such, it enjoys the platform’s stringent security measures. Because Prodly is a composite app that also relies on AWS, we have built a robust infrastructure layer that provides replication, backup, and disaster recovery planning. Network services have advanced threat detection, as well as encryption in transit. Application services implement identity, authentication, and user permissions, which we defer to the Salesforce platform.

Additionally, Prodly meets the rigorous security requirements imposed by Salesforce on its app partners. The AppExchange security review regularly tests the security posture of our solutions, including how well they protect customer data.

To do this, it uses threat-modeling profiles based on the most common web vulnerabilities and attempts to penetrate our defenses. For example, it tests for SOQL and SQL injection, cross-site scripting, non-secure authentication and access control protocols, and vulnerabilities specific to the Salesforce platform, such as record-sharing violations.

We also have an independent third party perform penetration testing on an annual basis.

SOC 2® - SOC for service organizations

We maintain our SOC 2 Type II certification rigorously with processes and practices that guarantee oversight across our organization, ensuring that our customers’ data is protected from any unusual, unauthorized, or suspicious activity. These processes and practices include:

  • Access controls: Physical and logical restrictions on assets to prevent access by unauthorized personnel
  • Change management: A controlled process for managing changes to IT systems and methods for preventing unauthorized changes
  • System operations: Controls that monitor ongoing operations—plus, detect and resolve any deviations from organizational procedures
  • Risk mitigation: Methods and processes that allow us to identify, respond to, and mitigate risks

Read on to learn about the specific security measures we implement to make sure your data is safe at all times.

Governance

We have a full Information Security Management System that aligns to ISO 27001 and complies with GDPR requirements for the protection of personal data. Its policies cover all aspects of information security within our organization and support all our security controls. We refresh the system’s policies regularly and share them with our employees to make sure everyone understands their role in keeping our system secure.

Data processing

We ensure your Salesforce data is encrypted at all times. Prodly solutions only retain certain metadata data post processing such as record IDs and org IDs. When data’s in transit, we use AES 256-bit encryption to safeguard it.

Encryption

Our cryptographic policy meets the strict requirements of NIST SP 800-175B. We encrypt all communications that carry sensitive information across the public internet using TLS v1.2 with cyphers that have minimum key lengths of 2048 bit. We encrypt communications with our production environment, as well as all data at rest, with AES 256-bit encryption.

Privacy

To guarantee privacy, we design our solutions to collect the minimum amount of personal data possible—we only collect users’ Salesforce username, email address, and org ID for billing and auditing purposes. We comply with GDPR and CCPA privacy requirements for personal identifiable information (PII) and have processes in place to identify, modify, and delete personal data upon request.

Access control

We use role-based access control according to the principles of segregation of duties, least privilege, and need to know. Our password policy requires employees to use complex passwords that are in line with top industry requirements for critical business systems. They must renew these passwords every 90 days and store them in a secure password manager to prevent them from being compromised. We have implemented multifactor authentication for access to all sensitive environments.

Network security

We maintain completely segregated production and common networks. Administrative access is exclusively possible through a secured session manager that can only be accessed via whitelisted IP addresses. We restrict access to our solutions through the use of load balancers, security groups, and network access control groups.

Logging and monitoring

We collect system and environmental logs in a secure central location and automatically analyze them as they’re generated. Any abnormalities generate alerts that our DevOps partner triages and escalates to Prodly’s engineering team for incident response. We choose log retention lengths that ensure logs are useful for forensic investigation in the event of a breach.

Vulnerability management

To prevent security breaches, we make sure our systems are up to date and free of all known security breaches. We test and install critical security patches within one week of release and all other patches within one month of release. We scan our systems for new security vulnerabilities on a regular schedule, and we use these scans to verify that patching processes perform as expected. In addition, we manually test our cloud environment’s configuration and our solutions’ security to identify any vulnerabilities automated scans don’t detect.

Incident response

We have an incident response plan in place that’s ready to address the most likely breach scenarios. We regularly test the plan so it’s relevant and fully functional in the event it’s needed. In addition, we partner with Mirai Security to ensure trained experts are available to respond in the event of a serious incident.

Disaster recovery

We regularly back up all sensitive data we hold to a remote location and test the backups to verify recovery procedures will work as required following a disaster. To further ensure availability of our solutions in the event of a local disaster, our systems are hosted in data centers within Amazon’s AWS US-East-2 availability region.

Employee training

To maintain the security of our organization and the sensitive data we process and store, we require our employees to complete regular, curated training on recognizing phishing emails, selecting good passwords, and other important aspects of our security policies. We perform regular phishing tests to make sure our training works. In addition, we train our developers to avoid common coding security flaws according to OWASP recommendations.