We take the security and privacy of your data on ProductLift very seriously. We understand the importance of keeping your data private and strive to keep it this way.
Our engineers have experience working on highly reliable, scalable, and secure systems at global banks and insurance companies. We always have someone on call to address any issues or outages as fast as possible.
ProductLift invests significant resources in maintaining compliance with the GDPR and we also aim to help our customers comply with the processes and policies outlined. Please also see our GDPR Data Processing Agreement.
ProductLift production services are hosted on DigitalOcean servers. The physical servers are located in DigitalOcean’s EU data centers.
DigitalOcean is AICPA SOC 2 Type II certified. By achieving compliance with this globally recognized information security controls framework, audited by their independent auditor, DigitalOcean has demonstrated a commitment to protecting sensitive customer and company information.
DigitalOcean is committed to working with third-party data center providers that maintain industry-leading access control, including video surveillance, security, access lists, and exit procedures.
All user content is stored within EU regions of DigitalOcean. User content can also be found in ProductLift backups, stored in Amazon AWS S3.
ProductLift uses industry-standard Transport Layer Security (“TLS”) to create a secure connection using 256-bit Advanced Encryption Standard (“AES”) encryption. This includes all data sent between the web, desktop, iOS, and Android apps and the ProductLift servers. There is no non-TLS option for connecting to ProductLift. All connections are made securely over HTTPS.
Data drives on servers holding user data use full disk, industry-standard AES encryption with a unique encryption key for each server. File attachments to ideas are stored in Amazon’s S3 service. Attachments are only accessible using a secure HTTPS connection by authorized users.
We maintain separate and distinct production, staging, and development environments for ProductLift. To access production environments, authorized and trained members authenticate to the VPN using unique strong passwords and 2FA and then only access the production environment via ssh terminal connections using passphrase-protected personal RSA certificates.
For Authorized Personnel, any workstations running Windows or MacOS must be running current and active anti-virus software. Those members are also trained not to replicate non-public user data stored in ProductLift’s production environment onto their workstations or mobile devices.
Production environments are constantly monitored on performance, uptime, and several other metrics. There is a warning system in place to warn when metrics are exceeding their thresholds.
All changes to the ProductLift production system, be they code or system configuration changes, require review prior to deployment to the production environment. Automated unit tests are run against all production code prior to deployment. Production code is also subject to regularly conducted automated vulnerability scans. All changes to ProductLift’s code are tested in other environments prior to deployment to production. Patches to the ProductLift are deployed on a rolling basis, usually several times per week. ProductLift’s production servers are managed via a configuration system. We use source code management tools and repositories.
All production servers are running an LTS (Long Term Support) distribution of their operating system to ensure timely updates are available.
We use a fully automated process from private Git repositories to staging to production servers including database migrations.
When logging in directly to ProductLift using a username or email and password, ProductLift requires a minimum of 8 characters. Repeated failed login attempts trigger a 60-second lock before a user can retry. Passwords are stored in a hashed form (via OpenSSL using AES-256 encryption) and will never be sent via email—upon account creation and password reset, ProductLift will send a link to the email associated with the account that will enable the user to create a new password. Password complexity and session length requirements cannot be customized within the app.
Data entered into ProductLift is backed up regularly. All backups are encrypted and stored at multiple offsite locations to help ensure that they are available in the unlikely event that a restore is necessary.
Files uploaded to ProductLift as card attachments are not backed up on the same schedule, and instead rely on Amazon S3’s internal redundancy mechanism.
Because user data stored in ProductLift is on a shared infrastructure, we can't recover a subset of that information from backups. If any customer is particularly concerned with maintaining a complete record of their information in ProductLift, we suggest that such customer frequently exports its data.
ProductLift’s primary database is backed up daily and before any code change or database migration. Additionally, a snapshot of the primary servers is taken once every 7 days.
All ProductLift backups are retained on AWS S3 (separate server) for at least 90 days after upload. Next to this, Digital Ocean creates regularly server snapshots.
Only authorized members of the ProductLift operations team have access to the backup locations so that they can monitor the performance of the backup processes, and in the very unlikely event that a restore becomes necessary.
Attachments directly uploaded to ProductLift are handled differently than the primary database backups. To backup file attachments, ProductLift primarily relies on S3’s internal redundancy mechanism, which Amazon states provides 99.99% yearly data durability.
If you have any remaining questions or concerns about our security, don’t hesitate to contact us.