Peoplevine has implemented and will maintain appropriate technical and organizational measures to protect Customer Account Data, Customer Usage Data, and Customer Content from (a) accidental or unlawful destruction and (b) loss, alteration, unauthorized disclosure of, or access to such data (a “Security Incident”). Measures to protect Customer Content from a Security Incident are described in this article.
Peoplevine is dedicated to the security and compliance of our platform in order to protect your business when using our tools. Here are some of the measures we take to achieve the highest level of security in our platform:
The Peoplevine platform and all of its components are hosted within Microsoft Azure, behind, and monitored by, Microsoft Defender. Please see their data center policy on physical security. SOC-3 Compliance
Peoplevine’s proprietary code is managed and deployed via GitHub Enterprise with Security and Vulnerability Scanning built-in. This ensures our multiple code bases and teams meet the highest standards in software architecture, vulnerability management, package management and security. SOC-1 Type 2 Doc, SOC-2 Type 2 Doc
Payments are processed by Stripe or GoCardless using their “zero-touch” method for tokenizing payments, ensuring your customer’s payment information is captured directly via their JavaScript interface, securely stored and then tokenized for future payments.
Stripe Docs: AOC PCI, SOC-3 Compliance, PCI DSS Responsibility, More Info
GoCardless Regulations
Each provider we work with ensures the utmost security and strict regulations for managing their environments. This ensures they are SOC compliant, perform regular PCI validation and meet the highest standards in information security.
Leveraging our partner, Evolve Security, we perform annual penetration testing to identify any potential risks within our application and architecture.
Lastly, access to critical systems is locked down to specific devices, networks or IP addresses in order to limit the availability of these key systems to unauthorized users.
We have a strict access policy for any virtual resources, system access, finance management, code management and deployment processes.
We also provide the tools necessary so you can achieve the following compliances:
GDPR Compliance which is designed to provide general data protection for your consumers with full transparency on how their data is used and the self-service tools necessary to remain compliant.
HIPAA Ready which allows our clients in the healthcare space to ensure data related to healthcare activity is properly managed. This also provides our platform with best practices on keeping sensitive data secured.
In addition to the general security preventing external access, our platform ensures the following:
We encrypt all passwords, credit card tokens and other secured data at rest, and additionally apply limited database access, row-level encryption and data field masking.
Access to the SQL database is limited to key engineers and reporting personnel. Column-level masking limits their visibility of PII such as last name, email, mobile number, phone number, address, city, state, zip and payment information.
We ensure that any access to the database or API is properly authenticated with 5 auth data fields in our API, and our RESTful API utilizes expiring tokens and keys to prevent abuse.
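As an added illustration of the expiring-token mechanism described above (this is example code written for this article, not Peoplevine's implementation, whose token format is not described here), the block below issues HMAC-signed tokens carrying an expiry time and refuses any token that is expired, forged with a different key, or altered after issuance. The key, subject and timestamps are constructed values.

```python
# Added example (not Peoplevine's code): expiring, tamper-evident API tokens.
# Token layout: base64url(subject|expiry) "." base64url(HMAC-SHA256 over that payload).
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional


def _b64(data: bytes) -> str:
    """base64url without padding, so the token is safe inside headers and URLs."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Create a token for `subject` that stops being valid `ttl_seconds` after `now`."""
    current = now if now is not None else int(time.time())
    payload = f"{subject}|{current + ttl_seconds}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(key: bytes, token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the subject if the token is authentic and unexpired, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None  # forged or altered
    subject, _, exp_text = payload.decode(errors="replace").rpartition("|")
    if not exp_text.isdigit():
        return None
    current = now if now is not None else int(time.time())
    if current >= int(exp_text):
        return None  # expired
    return subject


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed; a real key is a random secret
    tok = issue_token(demo_key, "user-42", 3600, now=1_700_000_000)
    print(tok)
    print(verify_token(demo_key, tok, now=1_700_000_100))  # user-42
    print(verify_token(demo_key, tok, now=1_700_003_600))  # None (expired)
```

Because the expiry is part of the signed payload, a client cannot extend a token's lifetime without invalidating the signature, and the server needs no token database to reject stale tokens.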
Clients have the ability to manage their users, control their access and block future attempts with a few clicks using the Manage Users Dashboard. We support SSO through Microsoft Entra ID enforcing strict access rules.
The PeopleVine database is backed up continuously for a point in time recovery that can be rolled back up to 30 days.
Data storage is indefinite as long as the customer is an active paying customer. Inactive customers will have their data purged 90 days after cancelling their subscription.
Self-hosted licensed customers can control their own backup and data storage policies.
Peoplevine's shared (SaaS) environment is hosted in Microsoft Azure using a combination of Web Apps, Azure SQL, Storage and other components of the Azure platform. With the reliability of Microsoft and the scalability of the cloud, we can dynamically handle volume on a needed basis to ensure a quick and engaging experience for your consumers. Microsoft has detailed a document highlighting the overall security settings in place for data stored and transmitted via Azure here.
Redundancy and Backups Built In
PeopleVine has built-in redundancy, spreading its database and web servers across both the west coast and east coast of the USA to ensure complete availability in the event of an outage in a specific region. We also ensure that all content, files and data are backed up daily in case data retrieval is needed.
CDN, Bandwidth and Usage
All media (files, graphics, etc.) that are uploaded into the PeopleVine platform are automatically added to our Content Delivery Network (CDN) in order to ensure the quickest retrieval time available. There are no limitations on bandwidth and usage of the PeopleVine platform provided you are actively enrolled in a PeopleVine plan. This may change over time based on length of service, volume and external factors.
Support from Azure
Peoplevine maintains an active support plan with Azure support to ensure we get quick responses and fixes in the event there's a system outage or glitch that needs to be resolved.
To learn more about Azure visit www.azure.com.
On top of the security levels provided by our vendor(s), PeopleVine also employs several security mechanisms to guarantee the safety of your data and user experience:
All client data has unique identifiers for clear separation of data.
Each request sent to our platform runs through several levels of authentication to ensure proper access to the data based on the user's permissions and access.
Security is handled both in our customer facing tools, such as the control panel and portal, as well as the API to ensure multiple levels of security.
Credit card data is captured and tokenized by Stripe and then encrypted in our platform via a proprietary algorithm. Peoplevine does not have access to credit card numbers; we only pass a token to Stripe when processing a payment.
API applications built on the Peoplevine platform can only access other company accounts if the user has authenticated through Peoplevine directly, so your username and password are never shared with the 3rd party app.
All content built in the Peoplevine platform is only visible via a registered domain name, so you cannot access another company's information without having the direct URL or access.
All media files uploaded throughout the Peoplevine platform (unless otherwise checked to keep the same name) are encrypted with a unique identifier, folder and extension in order to prevent file/folder browsing.
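An added example (written for this article, not Peoplevine's code, whose naming scheme is not detailed here) of the idea above: an uploaded file is stored under a random folder and a random identifier rather than its original name, so stored objects cannot be enumerated by guessing paths, and the extension is taken only from a constructed allow-list. The allow-list contents and the "keep the same name" option are assumptions for illustration.

```python
# Added example (not Peoplevine's code): unguessable storage keys for uploads.
import os
import re
import secrets
import uuid

# Constructed allow-list of extensions the platform is willing to serve.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "mp4"}
_SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def storage_key_for_upload(original_name: str, keep_name: bool = False) -> str:
    """Return the "folder/name.ext" key under which an upload is stored.

    Any directory component of the client-supplied name is discarded, the
    extension must be on the allow-list, and unless keep_name is set the file
    name is replaced by a random UUID so neither files nor folders can be browsed.
    """
    base = os.path.basename(original_name.replace("\\", "/"))
    stem, dot_ext = os.path.splitext(base)
    ext = dot_ext.lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not allowed")
    folder = secrets.token_hex(8)  # 64 random bits per upload folder
    if keep_name:
        name = _SAFE_NAME.sub("_", stem) or "file"  # strip anything not filename-safe
    else:
        name = uuid.uuid4().hex
    return f"{folder}/{name}.{ext}"


def looks_unguessable(key: str) -> bool:
    """True if key has the random folder / 32-hex-char name / allowed ext shape."""
    m = re.fullmatch(r"([0-9a-f]{16})/([0-9a-f]{32})\.([a-z0-9]+)", key)
    return bool(m) and m.group(3) in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    print(storage_key_for_upload("Board Minutes 2024.pdf"))
    print(storage_key_for_upload("photo.JPG", keep_name=True))
```

Serving the file back under a friendly name is then a matter of the download endpoint looking the storage key up by the platform's own record ID, never by a client-supplied path.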
All transaction data includes the IP address, session ID and device info of the person who submitted the transaction for traceability purposes.
All create, update and delete activities are logged for audit and restore purposes. All data exports, which are only accessible by administrators, are logged for traceability.
We take security seriously within the Peoplevine environment and work with leading vendors to ensure data is encrypted and secured at the highest level.
If you have any questions or feedback, please visit peoplevine.com/feedback to let us know. Learn more about our service level agreement.