Security Practices

(as of October 1, 2022) 

Information Security Team

An internal Productiv group is responsible for enforcing the information and operational security policies, including those in this Schedule. This group currently consists of the CTO, Head of Security, engineers and other security personnel. The team may be contacted at [email protected].

Infrastructure

Productiv operates its SaaS intelligence platform, analytics and services (“Services”) on a multitenant architecture that is designed to segregate and restrict access to the data related to Customer’s organization, SaaS application usage and spend submitted by or on behalf of Customer to the Services (“Customer Data”). Productiv uses infrastructure provided by Amazon Web Services, Inc. (“AWS”) to host and process Customer Data. Information about security provided by AWS is available from the AWS Security website. Information about security and privacy-related audits and certifications received by AWS, including information on ISO 27001 certification and SOC reports, is available from the AWS Compliance website.

Security Controls

Productiv will implement and maintain appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of or access to Customer Data processed or transmitted through the Services. Security controls include the following:

• Encryption: The Services use TLS 1.2 and AES-256 encryption to protect Customer Data (1) during transmissions between a customer’s network and the Services; and (2) when at rest.
• Access Controls: Productiv maintains access controls for its website, APIs, and backend data stores. Productiv source-code utilizes GitHub and Customer Data is primarily processed from AWS. For each of these services, we require manager approval before Productiv personnel are granted access to these systems, have multiple levels of access starting with read-only access to limited sections, and only grant the minimum level of access required. Productiv performs recurring audits of users with access to these systems, and their levels of access. Productiv utilizes single sign-on to enforce 2-factor authentication, strong password requirements, and automatic password-expiry for all of these services.
• Threat Detection: Productiv has set up tools for automated threat detection. This includes both internal and external vulnerability scans for networks and systems. Productiv performs annual penetration testing from an independent / third party on Productiv’s external network, internal network and applications.

Product Security

Productiv supports the capability to set up SAML-based authentication for access to the Services. The Services support different roles that allow different levels of access to different aspects of the platform, including controls on financial data, specific apps, or user management.

Audits

The Services undergo security assessments by internal personnel and external security firms who perform regular audits to verify that Productiv’s security practices are sound and to monitor the Services for new vulnerabilities discovered by the security research community. Confidential SOC 2 reports are available to customers and prospects upon request under non-disclosure agreement.

Incident Management

Productiv will maintain incident management policies and procedures designed to promptly investigate, identify, and remediate unauthorized disclosure of Customer Data. In the event of any confirmed or reasonably suspected unauthorized disclosure of Customer Data resulting from a breach of Productiv’s security obligations, Productiv will promptly notify Customer. Upon request
from a Customer, Productiv will communicate the status and post-mortem details of such an incident.

Backup and Disaster Recovery

The Services are built with redundancy and availability in mind. All Customer Data stored in AWS is replicated for high availability. All production and backup services are hosted within the continental United States. The primary AWS region is set to us-west-2 (Oregon) and Productiv utilizes us-east-1 (N. Virginia) for backup. The Services run physically separated and isolated availability zones connected through low-latency links. Each availability zone comprises one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. Productiv has configured systems in AWS in a way that disaster-recovery – for datacenter and availability zone failures – is automatic and no human intervention is needed. In the event of a complete failure in the us-west-2 region, Productiv has processes and procedures in place to implement a failover to us-east-1. Failover testing is performed twice per year to help ensure Productiv is prepared in the event of a scenario requiring failover.

Data Deletion

Customer may request deletion of Customer Data at any time by emailing [email protected]. Productiv deletes Customer Data from the primary AWS datastores and backups within 60 business days of request and supplies notification of completion via email.

Productiv may aggregate and de-identify Customer Data to generate and retain data about Productiv customers (“Aggregate Usage Data“). Aggregate Usage Data does not constitute Customer Data and will be maintained in accordance with Productiv’s data retention practices.

Personnel Practices

All employees with access to technical resources are required to complete security training. When an employee’s work relationship with Productiv is ending or ends, Productiv’s operations team revokes access to any proprietary technical systems.