Security & Policy

6000+ companies trust Productboard

We’ve built our product according to the highest security standards and offer industry-leading administration and access management tools.

We take security seriously. Productboard meets ISO 27001:2013 and SOC2 standards and we conduct comprehensive audits of our applications, systems, and networks to ensure that your data is always protected.

Product security & reliability Cloud Security Application Security HR Security Compliance Privacy & Data Protection

Product security & reliability

Productboard offers many security features, including SAML SSO, IP Whitelisting, audit and changelogs, private views, RBAC, and manage access across multiple workspaces to ensure best-in-class protection.

Productboard offers SAML Single Sign-on (SSO) to allow admins to determine who has access to Productboard from your existing identity provider/SSO solution β€”Β Azure Active Directory, OneLogin, Okta, G Suite, and more. Productboard also supports Google SSO based on OAuth2.0.

Access to data within the Productboard application is governed by role-based access controls (RBAC). Productboard has various permission levels for users (maker with admin access, maker, contributor, viewer).

Productboard enforces a password complexity standard, and stores credentials using a PBKDF function (bcrypt).

Productboard has 99% or higher uptime.

Productboard can be configured to only allow access from designated IP address ranges. These restrictions can be applied to all users.

Cloud Security

Productboard’s security and availability architecture is built on top of ISO 27002:2013 controls and SOC 2 Focus Points to enable best practice protection controls, implemented based on industry standards.

Productboard uses AWS data centers in the United States. The services and data are hosted in Amazon Web Services (AWS) facilities (us-east-1) in the USA.

Productboard’s Security Team is on call 24/7 to respond to security alerts and events.

Productboard has designed multiple layers of security monitoring to detect anomalous behavior. When incidents and security events exceed predetermined thresholds, our 24/7 on-duty security team acts upon it.

Productboard has designed a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while the use of AWS scaling and protection tools provide deeper protection along with our use of third party DDoS/WAF/RASP application tools.

Access to the Productboard Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Productboard Production Network are required to use multiple factors of authentication and complete extensive background checks along with many technical and administrative controls.

Productboard was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 AWS availability zones and will continue to work should any one of those data centers fail.Β 

All Productboard servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests getting to our internal network.

On an application level, Productboard produces audit logs for all activity, ships logs to Datadog for analysis, and uses S3 for archival purposes. All actions taken on production consoles or in the Productboard application are logged.

Access to customer data is limited to authorized privileged employees who require it for their job responsibilities. Productboard runs a zero-trust corporate network. We have SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on OKTA, GitHub, Google, AWS, and Productboard to ensure access to cloud services is protected.

All data sent to or from Productboard is encrypted in transit using 256 bit encryption. Our API and application endpoints are TLS/SSL only and score an β€œA+” rating on Qualys SSL Labsβ€˜ tests. This proves we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.

Productboard uses third party security tools to continuously scan for vulnerabilities. Our dedicated security team responds to issues raised. Annually we engage independent third-party security experts to perform detailed penetration tests on the Productboard application and network.

In case of a system alert, events are escalated to Productboard’s 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Application Security

Productboard practices extensive processes and controls to ensure application security. All Productboard engineers utilize common best practices defined by standards like OWASP, NIST and CIS Benchmark.

At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and Productboard security controls.

Productboard leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.

For more information regarding Bug bounty program, please visit this page.

HR Security

At Productboard we ensure that our employees adhere to the highest security standards by implementing extensive employee background checks and multiple administrative controls.

All employees complete Security and Awareness training annually and during onboarding.

Productboard has developed a comprehensive set of security policies based on ISO 27002:2013 ISMS framework and SOC 2 Trust Criteria Focus Points. These policies are updated frequently and communicated to all employees.

Productboard performs background checks on all new employees in accordance with local, federal and state laws applicable to our business. The background check includes employment verification, criminal checks, credit checks, deeper historical references and education verification.

All employee contracts include a confidentiality agreement.

Compliance

Productboard has built its Information Security Management System on top of ISO 27002:2013 controls and SOC 2 Focus Points to ensure the best practice protection controls are implemented based on industry standards and we are compliant with applicable local, federal and state regulations, as well as industry standards.

Productboard is SOC2 Type II certified. If you are interested about the report, please reach out to your account manager or request a copy of the Productboard SOC 2 Type 2 Report.

All payments made to Productboard go through Stripe. (Stripe’s security setup and PCI compliance) Productboard has completed PCI-DSS Self-Assessment Questionnaire (SAQ-A) to ensure Compliance with this industry standard.

Privacy & Data Protection

For information on Productboard’s legal and privacy terms, please visit:

Security concern?

Security concern?

If you think you may have found a security vulnerability, please get in touch with our security team at security@productboard.com

Learn more about security at Productboard

Read the white paper