Security and Trust at ProcedureFlow

Businesses trust ProcedureFlow to reliably store and secure their data using enterprise-grade data protection.

Compliance

  • ProcedureFlow is engaged with a third-party consultant and auditor to prepare for a SOC 2 compliance audit by early 2021.

Data Center and Network Security

  • ProcedureFlow hosts all its software in Amazon Web Services (AWS) data centers in the USA. Amazon is compliant with an extensive list of programs including ISO 9001/27000/27017/27018, CSA, PCI DSS Level 1, and SOC 1/2/3. See Amazon's compliance and security pages for more information.
  • ProcedureFlow's servers are located within a dedicated virtual private cloud (VPC) that is protected by restricted security groups. Only the minimal required communication is allowed between servers.

Application Security

  • OWASP guidelines are followed for web application architecture and implementation using ASP.NET MVC and .NET.
  • Application actions are protected with unique permissions evaluated based on context such as the user and roles.
  • Annual penetration tests are conducted by a third-party.
  • Monthly vulnerability scans (including OWASP Top 10) are conducted by a third-party.
  • ProcedureFlow supports Single Sign-On (SSO) via SAML 2.0 which allows your users to authenticate without requiring them to enter login credentials for ProcedureFlow. New users via SSO can be automatically provisioned. SSO can be enforced for non-Administrator users.
  • Passwords are one-way hashed and stored in ProcedureFlow's encrypted database. User login is protected from brute force attack with rate limiting.
  • Administrators can see when a user was last active and any activity using the procedures.

Data Security

  • Connections to ProcedureFlow are encrypted using TLS (HTTPS). Attempts to use HTTP are redirected to HTTPS.
  • Customer data (including procedures, flows, activity, and user information) is encrypted at rest and in transit.
  • Data is stored in industry-standard PostgreSQL and Redis systems hosted and managed by AWS.
  • Full encrypted database backups are created every 24 hours.
  • Authorization and access to systems is provided on a need-to-know basis and based on principle of least privilege. Access to AWS is restricted to key employees and is controlled via secure and narrow identity keys and protected by two-factor authentication.
  • Customer data may be requested and purged from ProcedureFlow after contract termination (see the Terms of Service and Privacy Policy).

Security Policies

  • Security policies are maintained, communicated, and approved by management. Employees are required to review and sign security policies to ensure everyone clearly knows their security responsibilities. Policies are audited as part of our compliance with SOC 2.
  • The employee hiring process includes background checks.
  • Employees are required to undergo regular security awareness training and testing. Employees are trained to not replicate customer data onto their workstations.
  • Employee workstations are required to use current anti-virus software and disk encryption.
  • Third-party vendors undergo a risk assessment annually. Vendors are required to provide compliance audits or, at a minimum, submit to a security assessment to demonstrate security best practices.

Software Development Life Cycle (SDLC)

  • Application code changes follow a documented SDLC process.
  • Code reviews are mandatory for code changes. A series of checks must pass before changes are accepted such as: automated tests, security, performance, and privacy assesments.
  • Periodic security reviews are performed of architecture and sensitive code.
  • The production environment used by customers is separate and isolated from environments used for development, testing, and staging. Customer data does not leave the production environment.

Application Monitoring

  • All access to ProcedureFlow is logged and audited. Logs are kept for at least 1 year.
  • System information and performance is monitored using a third-party service.
  • An intelligent threat detection service continuously monitors for malicious activity and unauthorized behavior.
  • ProcedureFlow has an incident response plan to track issues to resolution and conduct postmortems.

Availability and Uptime

  • ProcedureFlow's typical uptime is 99.97% including scheduled maintenance.
  • A publicly accessible status page is maintained including uptime, system availability, scheduled maintenance, and incident history.
  • The Offline Backup feature can provide 24/7 emergency access to your procedures in a read-only format. Offline Backups can be stored in a file repository within your secure network for contingency purposes.
  • Production infrastructure is designed with redundancy using techniques such as fail over, content delivery networks, load balancing, and standby replicas.
  • ProcedureFlow maintains a Business Continuity Plan. Disaster recovery is tested semi-annually. A Risk Assessment is performed annually.

Responsible Disclosure

If you've discovered a security vulnerability or have questions about our security, please contact us and we will respond as soon as possible: security@procedureflow.com

Frequently Asked Questions

What type of data is stored in ProcedureFlow?

ProcedureFlow provides guidance using generic, sanatized procedures. There is no data flow that would pass your confidential or restricted data through ProcedureFlow (such as your customers' data, personally identifiable information, or personal health information).

Here are some examples of data that our customers store in ProcedureFlow: generic procedures, sanatized training screenshots, and reference charts.

How do you communicate service outages?

We communicate service outages, scheduled maintenance, and other issues affecting our customers via our status page: https://status.procedureflow.com

Is data encrypted when using ProcedureFlow?

Yes. Data transmitted to ProcedureFlow is encrypted in transit through the use of TLS/HTTPS.

Our databases are also encrypted at rest.

How do I report a security vulnerability?

Our Engineering team rapidly investigates all reported security issues. If you believe you’ve discovered an issue with ProcedureFlow’s security, please contact us: security@procedureflow.com

We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by ProcedureFlow’s Engineering team.