We often get questions from our users about our security practices and what we’re doing to protect their data. And though we don’t want to reveal too much of what we do behind the curtain, we want to lay out some of the most important things we do to protect your data and also what you can do to protect your own data when using 15Five.
What we do to protect your data:
We take handling your data very seriously. We classify all data, and our employees are trained on proper handling of your (and our) data. Our employees are granted access to systems that hold your data on a “need-to-know” basis (i.e. if required to perform their job). Employees who have access to systems that hold your data are required to use strong passwords and multi-factor authentication.
We encrypt all communication between you and our applications using industry-standard SSL/TLS encryption. We also store your data encrypted with a key specific to your company, which means that even our engineering staff with direct access to our databases cannot see your private data. We hash all passwords and have no way to decrypt them, so if you forget your password, resetting it is the only option. We store all your data in ISO 27001 compliant data centers in the United States.
Credit Card Safety
When you purchase a paid subscription with 15Five, we neither store nor transmit your credit card information. We use Recurly, a PCI-DSS Level 1 compliant payment processor, to handle all credit card transactions.
Keep Things Simple
One of our core values is to keep things simple. We embody this by keeping our technical stack, our application, and our business processes lean and free of unnecessary complexity. We automate as much of our testing, deployment, and backup processes as possible to reduce human error. All new code is seen by at least two pairs of eyes and evaluated against our secure coding standards. We regularly tear out code that has reached the end of its usefulness to keep our application simple, elegant, and secure.
Always Be Learning and Growing
Another of our core values is to always be learning and growing. All of our employees receive regular security and data handling training to be made aware of common and new security threats and how to mitigate them. Our engineering staff are constantly evaluating and integrating new technologies into our stack and application to create the best possible user experience and to increase security.
We actively monitor security issues and releases of our technical stack and deploy patches as quickly as possible. We utilize multiple types of logging to monitor the live (and past) state of our application to help detect and recover from any security events. We maintain a list of our vendors’ security policies and monitor our vendors for security breaches that could lead back to our application.
We do more
This is not a comprehensive list of the security measures we keep to safeguard your data. If you have any more questions, please contact us. We’re glad to answer any and all of your questions.
If you have (a lot) more questions and your company or organization uses the Standardized Information Gathering Questionnaire (SIG) from the Santa Fe Group, we keep answers on file. Just send us a copy of your blank questionnaire and scoping document.
What you can do to protect your data:
Use Multi-factor Authentication (or SSO)
Our application allows you and your colleagues to enable multi-factor authentication, which helps protect against unauthorized access. If you already have single sign-on at your organization (e.g. Okta, Azure SSO), we provide integration with most SAML providers, which means you wouldn’t need to remember another password.
Our application keeps security logs of user access (user logins and IPs) and many other events (e.g. changes to groups, changes of reviewers, etc.), which administrators can audit through the company settings page at any time.
Learn about privacy settings
Reporting security issues
If you believe you’ve found something in 15Five that has security implications, please email the details to firstname.lastname@example.org