We take security seriously. Productboard meets the ISO 27001:2013 and SOC 2 standards, and we conduct comprehensive audits of our applications, systems, and networks to ensure that your data is always protected.
Access to data within the Productboard application is governed by role-based access controls (RBAC). Productboard has various permission levels for users (maker with admin access, maker, contributor, viewer).
Productboard enforces a password complexity standard and never stores passwords in recoverable form: they are hashed with bcrypt, a salted, adaptive-cost password hashing function.
Productboard has 99% or higher uptime.
Productboard can be configured to only allow access from designated IP address ranges. These restrictions can be applied to all users.
Productboard’s services and data are hosted in Amazon Web Services (AWS) facilities in the United States (region us-east-1).
Productboard’s Security Team is on call 24/7 to respond to security alerts and events.
Productboard has designed multiple layers of security monitoring to detect anomalous behavior. When incidents or security events exceed predetermined thresholds, our 24/7 on-duty security team acts on them.
Productboard has designed a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while AWS scaling and protection tools, together with third-party DDoS, WAF, and RASP application tools, provide deeper protection.
Access to the Productboard Production Network is restricted on an explicit need-to-know basis, follows least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Production Network must authenticate with multiple factors and must have completed extensive background checks, and are subject to many further technical and administrative controls.
Productboard was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 AWS availability zones and will continue to work should any one of those zones fail.
All Productboard servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests getting to our internal network.
On an application level, Productboard produces audit logs for all activity, ships logs to Datadog for analysis, and uses S3 for archival purposes. All actions taken on production consoles or in the Productboard application are logged.
Access to customer data is limited to authorized privileged employees who require it for their job responsibilities. Productboard runs a zero-trust corporate network. We enforce SAML single sign-on (SSO), two-factor authentication (2FA), and strong password policies on Okta, GitHub, Google, AWS, and Productboard to protect access to cloud services.
All data sent to or from Productboard is encrypted in transit with 256-bit cipher suites. Our API and application endpoints accept TLS only and score an “A+” on Qualys SSL Labs’ tests, which reflects that we negotiate only strong cipher suites and have HSTS and Perfect Forward Secrecy fully enabled. Data at rest is encrypted with the industry-standard AES-256 algorithm.
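The transport-security claims above (TLS only, forward-secret cipher suites, HSTS) are the kind of thing a customer can verify independently rather than take on trust. The following is an added example, not Productboard’s code: it scores an observed TLS session and response headers against those claims. The `Observation` type, the thresholds, and the two sample observations are assumptions constructed for the example; `observe()` performs a real connection and is only for live use.

```python
"""Check an HTTPS endpoint's transport security against the claims above."""
from __future__ import annotations

import http.client
import ssl
from dataclasses import dataclass

# Assumed thresholds: one year is the max-age floor most audits (and the
# HSTS preload list) expect; (EC)DHE key exchange is what gives forward secrecy.
MIN_HSTS_MAX_AGE = 31536000
FORWARD_SECRET_KEX = ("ECDHE", "DHE")


@dataclass
class Observation:
    """What a single TLS handshake plus HTTP response tells us (assumed shape)."""
    protocol: str            # e.g. "TLSv1.3"
    cipher: str              # OpenSSL cipher name, e.g. "TLS_AES_256_GCM_SHA384"
    headers: dict[str, str]  # response headers with lower-cased names


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                out["max_age"] = None  # malformed max-age is treated as absent
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def has_forward_secrecy(protocol: str, cipher: str) -> bool:
    """TLS 1.3 suites are always (EC)DHE; TLS 1.2 suites must say so in the name."""
    if protocol == "TLSv1.3":
        return True
    return any(cipher.startswith(kex) for kex in FORWARD_SECRET_KEX)


def evaluate(obs: Observation) -> list[str]:
    """Return a list of findings; an empty list means the claims hold."""
    findings: list[str] = []
    if obs.protocol not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"legacy protocol negotiated: {obs.protocol}")
    if not has_forward_secrecy(obs.protocol, obs.cipher):
        findings.append(f"cipher without forward secrecy: {obs.cipher}")
    hsts = obs.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None or parsed["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age below one year: {hsts}")
        if not parsed["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains")
    return findings


def observe(host: str, port: int = 443) -> Observation:
    """Connect to a live host (network required) and capture one Observation."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("HEAD", "/", headers={"Host": host})
    # Read session facts before getresponse(), which may close the socket.
    sock = conn.sock
    protocol, cipher = sock.version(), sock.cipher()[0]
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return Observation(protocol, cipher, headers)


# Constructed sample observations (not real scan results).
GOOD = Observation("TLSv1.3", "TLS_AES_256_GCM_SHA384",
                   {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"})
WEAK = Observation("TLSv1.2", "AES256-SHA",
                   {"strict-transport-security": "max-age=300"})

if __name__ == "__main__":
    for name, obs in (("good", GOOD), ("weak", WEAK)):
        print(name, evaluate(obs) or "OK")
```

The offline checks are deliberately conservative: a TLS 1.2 session with a non-(EC)DHE suite, or an HSTS header shorter than a year, is reported even though a grading service might still award a high score for other reasons. A grade is a point-in-time result, so re-run `observe()` against the endpoints you depend on rather than relying on a published rating.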
Productboard uses third party security tools to continuously scan for vulnerabilities. Our dedicated security team responds to issues raised. Annually we engage independent third-party security experts to perform detailed penetration tests on the Productboard application and network.
In case of a system alert, events are escalated to Productboard’s 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and Productboard security controls.
Productboard leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.
We care deeply about keeping our users safe. If you believe you have discovered a vulnerability, we ask that you disclose it in a responsible manner. The Productboard Security Team will work with you to investigate, resolve the issue promptly and reward the first reporter of a vulnerability.
We are interested in critical vulnerabilities in our infrastructure and product, not in the output of automated scanners.
These vulnerabilities are out of scope and not subject to any reward:
While we welcome ethical and responsible identification and investigation of potential vulnerabilities, we ask that all security researchers adhere to the following principles:
Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue, or a working proof-of-concept.
All communications between you and Productboard should go through vuln-disc -at- productboard.com.
Please only submit one report per issue.
When submitting a vulnerability report you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without Productboard’s prior written approval.
You may be eligible to receive a reward if:
The decision to grant a reward for the discovery of a valid security issue is at Productboard’s sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your report, ease of exploit and overall risk for Productboard’s users and brand.
Any activities conducted in good faith and in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
All employees complete Security and Awareness training annually and during onboarding.
Productboard has developed a comprehensive set of security policies based on the ISO/IEC 27002:2013 control set and the SOC 2 Trust Services Criteria and their points of focus. These policies are updated frequently and communicated to all employees.
Productboard performs background checks on all new employees in accordance with local, federal and state laws applicable to our business. The background check includes employment verification, criminal checks, credit checks, deeper historical references and education verification.
All employee contracts include a confidentiality agreement.
Productboard holds a SOC 2 Type II attestation report. If you would like a copy, please reach out to us or your account manager; the report is provided under NDA.
All payments made to Productboard are processed by Stripe (see Stripe’s security setup and PCI compliance). Productboard has completed the PCI DSS Self-Assessment Questionnaire A (SAQ A), the questionnaire that applies to merchants who fully outsource cardholder data handling to a compliant provider, to ensure compliance with this industry standard.