PRIVACY CENTER

How Pipl Secures Your Data

Data protection is paramount, especially when it comes to private data. We safeguard data with multiple layers of security, including strict access controls, encryption, network security and other technical, administrative and operational procedures and policies.

Read on for more information on the security measures we have put in place.

Compliance

Pipl is SOC 2 compliant and is audited annually. Please speak to your account representative to learn more and to receive the full SOC 2 audit report.

Data Centers

Pipl production services are hosted in data centers that are SOC 2 audited, ISO 27001 certified and operated in compliance with the GDPR. We receive and review our providers’ reports and certifications annually.

Access Control

Pipl handles personal information that may be used to identify individuals. Protecting this information is critical and we invest heavily in controlling access to it. Only authorized and trained staff have access to our data. We follow the “least privilege” principle: access to specific types of data is restricted based on business need, requires formal approval by the data owner (not to be confused with the data subject), and is continuously logged and monitored. We require employees to use multi-factor authentication (MFA) wherever possible.

Network Security

As a cloud-based identity trust company, we are acutely aware of the risks of operating on the internet. Our network security is therefore deliberately designed around the zero trust model. We monitor ingress and egress traffic, frequently test our security measures and continuously improve our architecture to keep our networks as secure as possible.

Vendor Management

As a vendor for some of the largest companies in the world, our security measures are frequently assessed, and we do the same for our vendors. Our expectation is that our vendors will align with our security posture. If they have access to our data, we also expect them to comply with our privacy policy.

Cryptographic Controls

Pipl holds large volumes of data, most of which is personally identifiable information (PII) by the nature of our services. We use industry-standard encryption for data in transit, at rest and in use. Any data we do not need is either deleted or hashed, based on business needs and our data retention policy.
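Hashing is only a meaningful protection for retained PII when the hash is keyed. The following added example, written for this page and not Pipl's own code, shows why: identifiers such as phone numbers have a small input space, so an unkeyed SHA-256 can be reversed by enumeration, whereas an HMAC-SHA256 pseudonym cannot be tested without the secret key. The key, the phone number and the attacker's search loop are all constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// exampleKey is a constructed secret for this illustration only. A real
// deployment would fetch it from a KMS or secret store and rotate it.
var exampleKey = []byte("example-only-key-do-not-use-in-prod")

// PlainHash is the weak form of "hashing" PII: an unkeyed SHA-256.
// Anyone who can enumerate the input space can reverse it.
func PlainHash(id string) string {
	sum := sha256.Sum256([]byte(id))
	return hex.EncodeToString(sum[:])
}

// Pseudonymize is the keyed form: HMAC-SHA256 under a secret key.
// Without the key an attacker cannot compute candidate pseudonyms.
func Pseudonymize(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return hex.EncodeToString(mac.Sum(nil))
}

// RecoverPhone models an attacker who knows a hashed field is a ten-digit
// phone number with a known six-digit area code and exchange prefix, and
// enumerates the 10,000 possible line numbers with the given hash function.
// The same loop scales to a whole area code (10^7 candidates) in seconds.
func RecoverPhone(target, prefix string, hash func(string) string) (string, bool) {
	for i := 0; i < 10000; i++ {
		cand := fmt.Sprintf("%s%04d", prefix, i)
		if hash(cand) == target {
			return cand, true
		}
	}
	return "", false
}

func main() {
	phone := "5550123456" // constructed sample identifier
	weak := PlainHash(phone)
	strong := Pseudonymize(exampleKey, phone)

	if got, ok := RecoverPhone(weak, "555012", PlainHash); ok {
		fmt.Println("unkeyed hash reversed:", got)
	}
	if _, ok := RecoverPhone(strong, "555012", PlainHash); !ok {
		fmt.Println("keyed pseudonym not reversed without the key")
	}
}
```

A keyed pseudonym is deterministic, so records hashed under the same key can still be linked to each other; if linkage is not a business need, deletion remains the only option that leaves nothing to protect. Destroying the key also retires every pseudonym derived from it, which ties this directly to the retention policy above.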

Secure Software Development Life Cycle

Pipl is a software development company. We develop the applications that handle our data and deliver our services. If our applications are at risk, our service and business continuity are at risk.

We base our application designs and development practices on security and privacy principles from the ground up. Our developers follow secure development practices, such as those addressing the OWASP Top 10. Our DevOps team continuously ensures that our environments are configured according to hardening baselines such as the CIS (Center for Internet Security) Benchmarks.

We continuously verify that these measures are effective with application and infrastructure penetration tests. We also monitor all systems using current security tooling and a 24/7 team of Security Analysts.

Endpoint Security

Pipl invests heavily in securing the data we manage, whether owned by us or our customers. As data can reside in endpoints, we take great care to secure those endpoints.

All of our host servers, whether physically owned by us or belonging to a third party such as a cloud provider, are protected by strict cryptographic controls. We follow the least privilege principle: access to our host servers is restricted based on business need and must be authorized before it is granted.

The same is true of our employee endpoints (e.g. laptops). They are all configured with full disk encryption, strong password policies and other mechanisms to keep them secure throughout their lifecycle. This includes wiping the data when a device is retired and crypto-shredding, that is, destroying the encryption keys so that any ciphertext left on the device or in backups can no longer be decrypted.
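Crypto-shredding works because encrypted data is only as recoverable as its key. The following added example, written for this page and not Pipl's own implementation, shows the usual envelope-encryption layout that makes it practical: each record gets its own data encryption key (DEK), stored only in wrapped form under a key encryption key (KEK) held by a key store. Destroying a record's wrapped DEK shreds that record; destroying the KEK shreds everything under it. The KeyStore type, the Record layout and the sample plaintext are assumptions of this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is one stored item: its ciphertext plus the per-record DEK,
// which is kept only in wrapped (KEK-encrypted) form.
type Record struct {
	Nonce, Ciphertext []byte
	DEKNonce, WrappedDEK []byte
}

// KeyStore stands in for a KMS holding the key encryption key (KEK).
type KeyStore struct{ kek []byte }

// NewKeyStore generates a random 256-bit KEK.
func NewKeyStore() (*KeyStore, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &KeyStore{kek: kek}, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext under key with AES-256-GCM and a fresh nonce.
func gcmSeal(key, plaintext []byte) (nonce, ct []byte, err error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// gcmOpen decrypts and authenticates; a wrong key or damaged data fails.
func gcmOpen(key, nonce, ct []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// Encrypt creates a fresh DEK, encrypts the plaintext under it, wraps the
// DEK under the KEK, and zeroes the plaintext DEK before returning.
func (ks *KeyStore) Encrypt(plaintext []byte) (*Record, error) {
	if ks.kek == nil {
		return nil, errors.New("KEK has been shredded")
	}
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	defer zero(dek)
	nonce, ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := gcmSeal(ks.kek, dek)
	if err != nil {
		return nil, err
	}
	return &Record{Nonce: nonce, Ciphertext: ct, DEKNonce: dekNonce, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the record.
func (ks *KeyStore) Decrypt(r *Record) ([]byte, error) {
	if ks.kek == nil {
		return nil, errors.New("KEK has been shredded")
	}
	dek, err := gcmOpen(ks.kek, r.DEKNonce, r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	defer zero(dek)
	return gcmOpen(dek, r.Nonce, r.Ciphertext)
}

// ShredRecord destroys one record's wrapped DEK. Copies of the ciphertext
// may survive in backups, but nothing can decrypt them any more.
func (r *Record) ShredRecord() { zero(r.WrappedDEK); r.WrappedDEK = nil }

// Shred destroys the KEK, rendering every record wrapped under it unreadable.
func (ks *KeyStore) Shred() { zero(ks.kek); ks.kek = nil }

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	ks, _ := NewKeyStore()
	rec, _ := ks.Encrypt([]byte("constructed sample PII"))
	pt, _ := ks.Decrypt(rec)
	fmt.Println("before shred:", string(pt))
	rec.ShredRecord()
	_, err := ks.Decrypt(rec)
	fmt.Println("after shred:", err)
}
```

The practical caveat is that shredding is only as good as the key's confinement: if a plaintext DEK or the KEK was ever copied into a log, a snapshot or a backup that is not itself shredded, the data remains recoverable. Keys should live in a KMS or hardware-backed store where the delete operation is authoritative and auditable.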

All our hosts are centrally managed, continuously patched, and closely monitored for suspicious activity by both analysts and automated processes. All activity is logged and monitored 24/7.

Business Continuity and Disaster Recovery

The Pipl Operations team has designed systems to keep our services running even if the underlying infrastructure experiences an outage or other significant issue. Every critical Pipl service has a secondary, redundant service running simultaneously, with mirrored data in a different data center than the primary server. Furthermore, each database server is continuously replicated in a third data center.

Our backup policy and operational process ensure that we can recover even if both of our primary data facilities become unavailable. We regularly create and store encrypted backups of our data at multiple offsite locations, further ensuring that we can recover in the event of a disaster that disrupts our service. Encrypted backups can only be decrypted by members of the Pipl operations team who have received training and have been authorized to decrypt them.

We continuously replicate our live database and take full product snapshots every 24 hours.

All backups are retained at the following locations:

  • Dedicated file servers in our cloud data center

  • A distributed storage service

  • A remote location physically and logically separated from the cloud data center

Only authorized members of the Pipl operations team have access to the backup locations, so that they are able to monitor the performance of the backup processes, and take action in the very unlikely event that a restore becomes necessary.

Security Awareness and Training

Pipl’s employees sign a confidentiality agreement when their employment begins. During their first days with the company, they take part in our information security awareness training.

All of our employees and freelancers complete awareness training once a year, and periodically during company meetings.

We also perform drills from time to time, to test our staff awareness and alertness.

Physical Security

Pipl takes preventive and detective measures to physically secure our office facilities, and to keep our staff aware of the importance of physical security controls when working outside our premises.

Because Pipl uses cloud services, and those providers are responsible for their data center’s physical security, we take proper measures to ensure their level of security is aligned with ours. This is done by choosing the right vendors and also by annually re-assessing those vendors.