Description of Technical and Organizational Security Measures

Updated: November 2023

Welcome! At Productboard, the safety and security of our Customers is our top priority. Productboard  maintains an information security program that includes administrative, technical, and organizational safeguards designed to protect the confidentiality, integrity, and availability of Customer data based on best practices and industry standards as set forth below. The Customer Property of our Customers is secured in our network by the security and organizational measures described below.  From time to time, Productboard may update or modify such security standards, provided that such updates and modifications do not result in the degradation of the overall security of the Subscription Services.

Security Assessments and Certifications

• SOC2 and ISO27001.  Productboard is SOC2 Type II and ISO 27001:2013 certified. If you are interested in learning more, please refer to our self-service trust portal at https://trust.productboard.com/ which includes up-to-date security documentation, policies, penetration test and SOC2 reports, and certifications. 
• PCI-DSS. All payments made to Productboard go through Stripe. Productboard has completed PCI-DSS Self-Assessment Questionnaire (SAQ-A) to ensure compliance with this industry standard.

Cloud Security

1. Encryption. All data sent to or from Productboard is encrypted in transit using 256 bit encryption. Productboard’s API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs‘ tests. This proves we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. Productboard also encrypts data at rest using an industry-standard AES-256 encryption algorithm.
2. Logical Access.  Access to the Productboard Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by the Productboard Operations Team. Employees accessing the Productboard Production Network are required to use multiple factors of authentication and complete extensive background checks along with many technical and administrative controls.
3. Permissions and Authentication. Privileged Access to Customer Data is limited to authorized privileged employees who require it for their job responsibilities. Productboard implements security-in-depth architecture with a zero-trust approach. We have SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on OKTA, GitHub, Google, AWS and Productboard to ensure access to cloud services is protected.  
4. DDoS Mitigation. Productboard has designed a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network edge defenses, while the use of AWS scaling and protection tools provide deeper protection along with Productboard’s use of third party DDoS/WAF/RASP application tools and application-level rate limiting.
5. Backups and Monitoring. On an application level, Productboard produces audit logs for all activity, ships logs to SIEM for analysis, and uses S3 for archival purposes. All actions taken on production consoles or in the Productboard application are logged.
6. Virtual Private Cloud.  All Productboard production cloud resources are within Productboard’s own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests getting to Productboard’s internal network. 
7. Physical Security. Productboard uses AWS data centers which are secure by design.  See https://aws.amazon.com/compliance/data-center/controls/.  
8. Business Continuity and Disaster Recovery.  All of Productboard’s infrastructure and data are spread across three AWS availability zones and will continue to work should any one of those data centers fail. Productboard relies on AWS Point-in-Time recovery (PITR) to ensure smooth data recovery in case of an incident. RPO and RTO are 24 hours. 
9. Security Team. Productboard has a dedicated security team that is on call 24/7 to respond to security alerts and events. Productboard employees are trained on security incident response processes, including communication channels and escalation paths.
10. Pentests & Vulnerability Scanning. Productboard uses third party security tools to continuously scan for and address vulnerabilities. Annually Productboard engages independent third-party security experts to perform detailed penetration tests on the Productboard application and network. 

Application Security

1. All Productboard engineers follow common best practices defined by standards like OWASP, NIST and CIS Benchmark.
2. Secure Code Development (SDLC).  At least annually, engineers participate in secure code training, part of Security Awareness Training covering OWASP Top 10 security risks, common attack vectors, and Productboard security controls.
3. Framework Security Controls. Productboard leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce Productboard’s exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
4. Quality Assurance. Productboard’s Quality Assurance (QA) department reviews and tests Productboard’s code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
5. Separate Environments. Productboard logically separates testing and staging environments from the Production environment. 
6. Bug Bounty Program.  Productboard has a bug bounty program team where individuals who believe they have discovered a vulnerability can advise the Productboard Security Team. The Productboard Security Team will then work with the individual to investigate, resolve the issue promptly, and reward the first reporter of a vulnerability. For more information, please refer to this page. 

Product Security

1. Role-Based Access Control.  Access to data within the Productboard application is governed by role-based access controls (RBAC). Productboard has various permission levels for users (maker with admin access, maker, contributor, viewer). 
2. SSO.  Productboard offers SAML Single Sign-on (SSO) to allow our Customers (as applicable) to determine who has access to Productboard from their existing identity provider/SSO solution (i.e., Azure Active Directory, OneLogin, Okta, G Suite, etc.). Productboard supports Google SSO based on OAuth2.0. 
3. Password and Credential Storage. Productboard enforces a password complexity standard, and stores credentials using a PBKDF function (bcrypt).
4. IP Whitelisting.  Productboard can be configured to only allow access from designated IP address ranges. These restrictions can be applied to all users. 
5. Audit Logs. Makers with admin access can request the generation of an audit log export that shows workspace events from the past 90 days. Refer to this article.
6. Product Permissions. Product permissions allow you to determine which information users can view and edit within Productboard by maintaining control over your most important or sensitive data. Refer to this article.
7. External IDs for Anonymous Note-Creating Users. Using external IDs for notes from public users helps ensure Privacy By Default. Refer to this article.
8. Password Protected Shared Roadmaps. Sharing securely private roadmaps. Refer to this article. 
9. OAuth 2.0 for Integrations. Supporting industry-standard protocol for authorization and integration with various systems and existing processes. Refer to this article.

HR Security

1. Employee Training.  All employees complete Security and Awareness Training annually and during onboarding. Additionally, employees are trained on privacy by design and by default during monthly training. 
2. Policies. Productboard has a comprehensive set of security policies based on ISO 27002:2013 ISMS framework and SOC2 Trust Criteria Focus Points. These policies are regularly updated and communicated to all employees.
3. Employee Screening. Productboard performs background checks on all new employees in accordance with local, federal and state laws applicable to our business. The background check includes employment verification, criminal checks, credit checks, deeper historical references and education verification.
4. Confidentiality. All employee contracts include a confidentiality agreement.

Data Retention, Accountability, Portability & Erasure

1. Data Retention.  Productboard has a Customer Data Backup and Retention Policy, which identifies the backup in place to preserve Customer Data, and the retention periods for certain types of personal data.   
2. Accountability.  Productboard maintains an internal Personal Data Processing Policy advising employees on the steps Productboard takes to ensure its processing of EU personal data is in line with the EU’s GDPR.  
3. Portability & Erasure. Productboard has the capability to export Customer’s Data (personal data and all related product data generated by the usage) on request, and to irreversibly delete all Customer Personal Data and space data. 
4. Privacy & Data Subject Requests. Productboard has a Privacy Requests Handling Procedure to ensure a smooth process is in place for handling access, export, deletion data subject requests related to Privacy in accordance with Privacy Regulations and Standards.

Sub-Processors

1. Assistance to Customers.  Productboard has agreements with all of its Sub-processors wherein Sub-Processors agree to provide reasonable assistance to Productboard in responding to Customers’ reasonable inquiries relating to the Productboard Services.