We take security seriously. Productboard meets ISO 27001:2013 and SOC2 standards and we conduct comprehensive audits of our applications, systems, and networks to ensure that your data is always protected.
Access to data within the Productboard application is governed by role-based access controls (RBAC). Productboard has various permission levels for users (maker with admin access, maker, contributor, viewer).
Productboard enforces a password complexity standard, and stores credentials using a PBKDF function (bcrypt).
Productboard has 99% or higher uptime.
Productboard can be configured to only allow access from designated IP address ranges. These restrictions can be applied to all users.
Productboard uses AWS data centers in the United States. The services and data are hosted in Amazon Web Services (AWS) facilities (us-east-1) in the USA.
Productboard’s Security Team is on call 24/7 to respond to security alerts and events.
Productboard has designed multiple layers of security monitoring to detect anomalous behavior. When incidents and security events exceed predetermined thresholds, our 24/7 on-duty security team acts upon it.
Productboard has designed a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while the use of AWS scaling and protection tools provide deeper protection along with our use of third party DDoS/WAF/RASP application tools.
Access to the Productboard Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Productboard Production Network are required to use multiple factors of authentication and complete extensive background checks along with many technical and administrative controls.
Productboard was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 AWS availability zones and will continue to work should any one of those data centers fail.
All Productboard servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests getting to our internal network.
On an application level, Productboard produces audit logs for all activity, ships logs to Datadog for analysis, and uses S3 for archival purposes. All actions taken on production consoles or in the Productboard application are logged.
Access to customer data is limited to authorized privileged employees who require it for their job responsibilities. Productboard runs a zero-trust corporate network. We have SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on OKTA, GitHub, Google, AWS, and Productboard to ensure access to cloud services is protected.
All data sent to or from Productboard is encrypted in transit using 256 bit encryption. Our API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs‘ tests. This proves we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.
Productboard uses third party security tools to continuously scan for vulnerabilities. Our dedicated security team responds to issues raised. Annually we engage independent third-party security experts to perform detailed penetration tests on the Productboard application and network.
In case of a system alert, events are escalated to Productboard’s 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and Productboard security controls.
Productboard leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.
For more information regarding Bug bounty program, please visit this page.
All employees complete Security and Awareness training annually and during onboarding.
Productboard has developed a comprehensive set of security policies based on ISO 27002:2013 ISMS framework and SOC 2 Trust Criteria Focus Points. These policies are updated frequently and communicated to all employees.
Productboard performs background checks on all new employees in accordance with local, federal and state laws applicable to our business. The background check includes employment verification, criminal checks, credit checks, deeper historical references and education verification.
All employee contracts include a confidentiality agreement.
Productboard is SOC2 Type II certified. If you are interested about the report, please reach out to your account manager or request a copy of the Productboard SOC 2 Type 2 Report.
All payments made to Productboard go through Stripe. (Stripe’s security setup and PCI compliance) Productboard has completed PCI-DSS Self-Assessment Questionnaire (SAQ-A) to ensure Compliance with this industry standard.