DESCRIPTION OF TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
(Outdated)

Updated November 29, 2022

ProductBoard implements and maintains the security standards set out below. ProductBoard may update or modify such security standards from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

ProductBoard’s security and availability architecture is built on top of ISO 27002:2013 controls and SOC 2 Focus Points to enable best practice protection controls, implemented based on industry standards.  

  • SOC: ProductBoard is SOC 2 Type II certified. If you are interested in the report, please reach out to us or your account manager, who can provide it to you under NDA.
  • PCI-DSS: All payments made to ProductBoard go through Stripe. ProductBoard has completed the PCI-DSS Self-Assessment Questionnaire A (SAQ-A) to ensure compliance with this industry standard.

Cloud Security

  1. Encryption. All data sent to or from ProductBoard is encrypted in transit using 256-bit encryption. ProductBoard’s API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs’ tests. This confirms that we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. ProductBoard also encrypts data at rest using the industry-standard AES-256 encryption algorithm.
  2. Logical Access. Access to the ProductBoard Production Network is restricted on an explicit need-to-know basis, follows the principle of least privilege, is frequently audited and monitored, and is controlled by the ProductBoard Operations Team. Employees accessing the ProductBoard Production Network are required to use multiple factors of authentication and to complete extensive background checks, and their access is further governed by many technical and administrative controls.
  3. Permissions and Authentication. ProductBoard limits access to customer data to authorized privileged employees who require it for their job responsibilities. ProductBoard runs a zero-trust corporate network. We have SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on Okta, GitHub, Google, AWS, and ProductBoard to ensure that access to cloud services is protected.
  4. DDoS Mitigation. ProductBoard has designed a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while the use of AWS scaling and protection tools provides deeper protection, along with ProductBoard’s use of third-party DDoS/WAF/RASP application tools.
  5. Backups and Monitoring.  On an application level, ProductBoard produces audit logs for all activity, ships logs to Datadog for analysis, and uses S3 for archival purposes. All actions taken on production consoles or in the ProductBoard application are logged.
  6. Virtual Private Cloud. All ProductBoard servers are within ProductBoard’s own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching ProductBoard’s internal network.
  7. Physical Security. ProductBoard uses AWS data centers which are secure by design.  See https://aws.amazon.com/compliance/data-center/controls/.  
  8. Disaster Recovery.  All of ProductBoard’s infrastructure and data are spread across three AWS availability zones and will continue to work should any one of those data centers fail. 
  9. Security Team. ProductBoard has a dedicated security team that is on call 24/7 to respond to security alerts and events. ProductBoard employees are trained on security incident response processes, including communication channels and escalation paths.
  10. Pentests & Vulnerability Scanning. ProductBoard uses third-party security tools to continuously scan for and address vulnerabilities. Annually, ProductBoard engages independent third-party security experts to perform detailed penetration tests on the ProductBoard application and network.

Application Security

  1. All ProductBoard engineers utilize common best practices defined by standards like OWASP, NIST and CIS Benchmark.
  2. Secure Code Development (SDLC).  At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and ProductBoard security controls.
  3. Framework Security Controls. ProductBoard leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce ProductBoard’s exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
  4. Quality Assurance.  ProductBoard’s Quality Assurance (QA) department reviews and tests ProductBoard’s code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
  5. Separate Environments. ProductBoard logically separates testing and staging environments from the Production environment. 
  6. Bug Bounty program. ProductBoard has a bug bounty program through which individuals who believe they have discovered a vulnerability can notify the ProductBoard Security Team, which will work with the individual to investigate and resolve the issue promptly and will reward the first reporter of a vulnerability.

Product Security

  1. Role-Based Access Control.  Access to data within the ProductBoard application is governed by role-based access controls (RBAC). ProductBoard has various permission levels for users (maker with admin access, maker, contributor, viewer). 
  2. SSO. ProductBoard offers SAML Single Sign-on (SSO) to allow customers to determine who has access to ProductBoard from their existing identity provider/SSO solution (e.g., Azure Active Directory, OneLogin, Okta, G Suite). ProductBoard also supports Google SSO based on OAuth 2.0.
  3. Password and Credential Storage. ProductBoard enforces a password complexity standard, and stores credentials using a PBKDF function (bcrypt).
  4. IP Whitelisting.  ProductBoard can be configured to only allow access from designated IP address ranges. These restrictions can be applied to all users. 

HR Security

  1. Employee Training.  All employees complete Security and Awareness training annually and during onboarding. Additionally, employees are trained on privacy by design and by default during monthly trainings. 
  2. Policies. ProductBoard has a comprehensive set of security policies based on the ISO 27002:2013 ISMS framework and SOC 2 Trust Criteria Focus Points. These policies are regularly updated and communicated to all employees.
  3. Employee Screening. ProductBoard performs background checks on all new employees in accordance with local, federal and state laws applicable to our business. The background check includes employment verification, criminal checks, credit checks, deeper historical references and education verification.
  4. Confidentiality. All employee contracts include a confidentiality agreement.

Data Retention, Accountability, Portability & Erasure

  1. Data Retention. ProductBoard has a Customer Data Backup and Retention Policy, which identifies the backups in place to preserve customer data and the retention periods for certain types of personal data.
  2. Accountability.  ProductBoard maintains an internal Personal Data Processing Policy advising employees on the steps ProductBoard takes to ensure its processing of EU personal data is in line with the EU’s GDPR.  
  3. Portability & Erasure. ProductBoard has the capability to export a customer’s data (personal data and all related product data generated by usage) on request, and to irreversibly delete all customer personal data and space data.

Sub-processors

  1. Assistance to Customer. ProductBoard has entered into written contracts with all of its sub-processors wherein the sub-processors agree to provide reasonable assistance to ProductBoard in responding to customers’ reasonable inquiries relating to the ProductBoard Services.