4000+ companies trust Productboard

We’ve built our product according to the highest security standards and offer industry-leading administration and access management tools.

Security & Privacy

We take security seriously. Productboard meets ISO 27001:2013 and SOC2 standards and we conduct comprehensive audits of our applications, systems, and networks to ensure that your data is always protected.


Product security & reliability

Productboard offers many security features, including SAML SSO, IP whitelisting, audit and change logs, private views, RBAC, and access management across multiple workspaces, to ensure best-in-class protection.

Productboard offers SAML Single Sign-On (SSO) so that admins can determine who has access to Productboard from your existing identity provider/SSO solution — Azure Active Directory, OneLogin, Okta, G Suite, and more. Productboard also supports Google SSO based on OAuth 2.0.

Access to data within the Productboard application is governed by role-based access controls (RBAC). Productboard has various permission levels for users (maker with admin access, maker, contributor, viewer).

Productboard enforces a password complexity standard and stores credentials using a password-based key derivation function (bcrypt).

Productboard has 99% or higher uptime.

Productboard can be configured to only allow access from designated IP address ranges. These restrictions can be applied to all users.
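The IP-range restriction described above comes down to one check per request: is the caller's address inside one of the configured ranges? The following is an added example of that check and is not Productboard's code; the ranges and addresses in it are constructed from documentation/test-net prefixes. It parses the allowlist once at configuration time, fails closed on unparseable input, and unwraps IPv4-mapped IPv6 addresses so an IPv4 allowlist still works behind a dual-stack listener.

```python
"""Allowlist check for a source IP against configured CIDR ranges.

Added illustration, not Productboard's code. The ranges below are
constructed from RFC 5737 / RFC 3849 documentation prefixes.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed example ranges an admin might configure (office egress + VPN).
EXAMPLE_ALLOWED_RANGES = [
    "203.0.113.0/24",       # stands in for an office egress block
    "198.51.100.7/32",      # a single VPN concentrator address
    "2001:db8:abcd::/48",   # stands in for an IPv6 office prefix
]


def parse_ranges(ranges: Iterable[str]) -> List[Network]:
    """Parse CIDR strings once, at configuration time, so a bad entry fails
    loudly instead of silently shrinking or widening the allowlist later.

    strict=False lets an admin write 203.0.113.5/24 and get the /24 it implies."""
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in ranges]


def is_allowed(client_ip: str, allowed_networks: List[Network]) -> bool:
    """Return True only if client_ip parses and lies inside an allowed network.

    Fail closed: anything that does not parse is rejected, never waved through.
    An IPv4-mapped IPv6 address (::ffff:203.0.113.9) is unwrapped so that an
    IPv4 allowlist still matches when the listener is dual-stack."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # 'in' returns False across address families, so mixed lists are safe.
    return any(addr in net for net in allowed_networks)


if __name__ == "__main__":
    allowed = parse_ranges(EXAMPLE_ALLOWED_RANGES)
    for ip in ("203.0.113.9", "203.0.114.9", "::ffff:203.0.113.9", "garbage"):
        print(f"{ip:>22} -> {'allow' if is_allowed(ip, allowed) else 'deny'}")
```

The value passed as `client_ip` must come from a source the application trusts, such as the connection's peer address or a header that a trusted proxy is known to overwrite; a client-supplied forwarding header that is copied through unchanged defeats the check entirely.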

Cloud Security

Productboard’s security and availability architecture is built on top of ISO 27002:2013 controls and SOC 2 Focus Points to enable best practice protection controls, implemented based on industry standards.

Productboard's services and data are hosted in Amazon Web Services (AWS) data centers in the United States (region us-east-1).

Productboard’s Security Team is on call 24/7 to respond to security alerts and events.

Productboard has designed multiple layers of security monitoring to detect anomalous behavior. When incidents and security events exceed predetermined thresholds, our 24/7 on-duty security team acts on them.

Productboard has designed a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while AWS scaling and protection tools, together with third-party DDoS/WAF/RASP application tools, provide deeper protection.

Access to the Productboard Production Network is restricted on an explicit need-to-know basis, follows least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Productboard Production Network are required to use multiple factors of authentication and complete extensive background checks, along with many other technical and administrative controls.

Productboard was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 AWS availability zones and will continue to work should any one of those data centers fail. 

All Productboard servers are within our own virtual private cloud (VPC), with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.

On an application level, Productboard produces audit logs for all activity, ships logs to Datadog for analysis, and uses S3 for archival purposes. All actions taken on production consoles or in the Productboard application are logged.

Access to customer data is limited to authorized privileged employees who require it for their job responsibilities. Productboard runs a zero-trust corporate network. We have SAML Single Sign-On (SSO), two-factor authentication (2FA), and strong password policies on Okta, GitHub, Google, AWS, and Productboard to ensure access to cloud services is protected.

All data sent to or from Productboard is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an "A+" rating on Qualys SSL Labs' tests. This shows that we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm.

Productboard uses third party security tools to continuously scan for vulnerabilities. Our dedicated security team responds to issues raised. Annually we engage independent third-party security experts to perform detailed penetration tests on the Productboard application and network.

In case of a system alert, events are escalated to Productboard’s 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Application Security

Productboard follows extensive processes and controls to ensure application security. All Productboard engineers apply common best practices defined by standards such as OWASP, NIST, and the CIS Benchmarks.

At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and Productboard security controls.

Productboard leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
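The framework controls mentioned above work because they keep untrusted input on the data side of a boundary: parameterized queries for SQL and output encoding for HTML. The following is an added example, not Productboard's code, that shows the same tenant lookup written both ways against an in-memory SQLite table (the table, rows and tenant names are constructed for the example), plus the output-encoding step that is the matching control for XSS.

```python
"""Why framework-level controls matter: one lookup with string splicing,
the same lookup parameterized, and output encoding for the rendered result.

Added illustration, not Productboard's code. Schema and rows are constructed.
"""
import html
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants' notes sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, tenant TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (tenant, body) VALUES (?, ?)",
        [("acme", "Acme roadmap: ship SSO"), ("globex", "Globex roadmap: private views")],
    )
    conn.commit()
    return conn


def notes_unsafe(conn: sqlite3.Connection, tenant: str) -> List[str]:
    """Deliberately vulnerable: the tenant value is spliced into the SQL text,
    so a quote character in the input changes the structure of the query and
    the tenant filter can be widened to other tenants' rows."""
    query = f"SELECT body FROM notes WHERE tenant = '{tenant}'"
    return [row[0] for row in conn.execute(query)]


def notes_safe(conn: sqlite3.Connection, tenant: str) -> List[str]:
    """Parameterized: the driver passes the value separately from the SQL text,
    so whatever the input contains it is only ever compared as data."""
    rows = conn.execute("SELECT body FROM notes WHERE tenant = ?", (tenant,))
    return [row[0] for row in rows]


def render_note(body: str) -> str:
    """Output encoding is the matching control for XSS: escape the value before
    it lands in HTML so the browser displays it rather than interpreting it."""
    return f"<li>{html.escape(body, quote=True)}</li>"


if __name__ == "__main__":
    db = make_db()
    probe = "acme' OR '1'='1"
    print("unsafe:", notes_unsafe(db, probe))   # leaks every tenant's rows
    print("safe:  ", notes_safe(db, probe))     # no tenant literally named that
    print(render_note("<b>not bold</b>"))
```

The point of the comparison is that the safe variant needs no input validation to stay safe: the structure of the query is fixed before any user data is seen, which is exactly the property a framework's query builder or ORM enforces by default.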

Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.

We care deeply about keeping our users safe. If you believe you have discovered a vulnerability, we ask that you disclose it in a responsible manner. The Productboard Security Team will work with you to investigate, resolve the issue promptly and reward the first reporter of a vulnerability.

Out-of-scope Vulnerabilities

We are interested in critical vulnerabilities in our infrastructure and product, not in the output of automated scanners.

These vulnerabilities are out-of-scope and not subject to any reward:

  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
  • Presence/absence/misconfiguration of SPF/DKIM/DMARC records or any email misconfiguration in general
  • Lack of CSRF tokens
  • Clickjacking issues
  • Missing security headers which do not lead directly to a vulnerability
  • Missing best practices (we require exploitable evidence of a security vulnerability)
  • Reports from automated tools or scans
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
  • Absence of rate limiting
  • Outdated software without any noteworthy vulnerability

Responsible Disclosure Policy

While we welcome ethical and responsible identification and investigation of potential vulnerabilities, we ask that all security researchers stick to the following principles:

  • Do not engage in testing that:
    • Degrades Productboard’s information systems and products.
    • Results in you, or any third party, accessing, modifying, storing, sharing or destroying Productboard’s customer data.
    • Includes Denial of Service or brute-force attack mechanisms.
    • Involves social engineering techniques.
    • Directly addresses Productboard customers or end users.
    • Includes usage of automated tools and scanners.
  • When your investigation requires authorized access (e.g. you suspect a potential privilege escalation or multi-tenancy issue), create a dedicated trial account for that purpose. Never attempt to bypass our security measures under a commercial account.
  • Do not exploit identified or known vulnerabilities on our infrastructure further than necessary to reasonably determine their presence. The Bounty Program is about improving security for Productboard users, not deliberately putting the community at risk.
  • In case you encounter customer data or other information that is not your own, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access such data may demonstrate a lack of good faith.

Submission Process

Submission reports should include a detailed description of your discovery with clear, concise steps allowing us to reproduce the issue, or a working proof-of-concept.

All communications between you and Productboard should go through vuln-disc -at- productboard.com.

Please only submit one report per issue.

When submitting a vulnerability report you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without Productboard’s prior written approval.


You may be eligible to receive a reward if:

  • (i) you are the first person to submit a given vulnerability;
  • (ii) that vulnerability is determined to be a valid security issue by the Productboard Security Team;
  • (iii) you have complied with Productboard's Bug Bounty program policy and guidelines.

The decision to grant a reward for the discovery of a valid security issue is at Productboard’s sole discretion. The amount of each bounty is based on the classification and sensitivity of the data impacted, the completeness of your report, ease of exploit and overall risk for Productboard’s users and brand.

Legal Safe Harbor

Any activities conducted in good faith and in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

HR Security

At Productboard we ensure that our employees adhere to the highest security standards by implementing extensive employee background checks and multiple administrative controls.

All employees complete Security and Awareness training annually and during onboarding.

Productboard has developed a comprehensive set of security policies based on the ISO 27002:2013 ISMS framework and the SOC 2 Trust Criteria Focus Points. These policies are updated frequently and communicated to all employees.

Productboard performs background checks on all new employees in accordance with local, federal and state laws applicable to our business. The background check includes employment verification, criminal checks, credit checks, deeper historical references and education verification.

All employee contracts include a confidentiality agreement.

Compliance

Productboard has built its Information Security Management System on top of ISO 27002:2013 controls and SOC 2 Focus Points, so that best-practice protection controls are implemented according to industry standards and we remain compliant with applicable local, federal and state regulations as well as industry standards.

Productboard is SOC 2 Type II certified. If you are interested in the report, please reach out to us or your account manager to obtain it under NDA, or visit this link.

All payments made to Productboard go through Stripe (see Stripe's security setup and PCI compliance). Productboard has completed the PCI DSS Self-Assessment Questionnaire (SAQ-A) to ensure compliance with this industry standard.

Privacy & Data Protection

For information on Productboard’s legal and privacy terms, please visit:

Security concern?

If you think you may have found a security vulnerability, please get in touch with our security team at security@productboard.com
