Security & Privacy
Trust that your data is not only secure, but private where necessary.
OUR SECURITY PHILOSOPHY
People.ai drives transparency and alignment across go-to-market teams while automating the manual task of data entry into the CRM. With this level of data transparency also comes a great responsibility to maintain the highest standards of data privacy and security. With laser-focus on Security, Data Privacy, and GDPR readiness, we aim to strike the perfect balance between transparent communications and maintaining your employees’ and customers’ right to privacy.
"People.ai has always considered security and privacy as a top requirement for our Product, Infosec and Engineering teams. While many companies are scrambling to become GDPR-ready before the May 25 deadline, People.ai has been preparing for more than a year. GDPR compliance is crucial for our success post May 25, 2018 and we plan to stay ahead of the pack! There is nothing more important to us than the trust of our customers."
PEOPLE.AI SECURITY POSTURE
At People.ai, Customer Trust is our #1 priority – thus, Security and Privacy are at the forefront of every decision we make. In order to achieve this goal, People.ai has been built from the ground up to comply with the highest standards possible to be considered a secure organization. People.ai’s SOC 2 Type II compliance is just one example of our commitment to security and data integrity throughout our organization.
SOC 2 Type II – We are SOC 2 Type II certified. This certification is reserved for organizations that have demonstrated standard operating procedures for organizational oversight, vendor management, risk management, and regulatory oversight over a length of time. Our SOC 2 Type II report is available upon request.
CSA STAR – We are registered with CSA STAR, the industry’s most powerful program for security assurance in the cloud.
Amazon Web Services (AWS) – People.ai exclusively uses Amazon Web Services (AWS) for the hosting of staging and production environments. AWS data centers are monitored by 24×7 security, biometric scanning, video surveillance and are SOC 1, SOC 2, and SOC 3 certified. (Read more about AWS Security)
Data Encryption – Data is encrypted in transit using bank-grade TLS 1.2, the safest method available today. Data is encrypted at rest using 256-bit encryption via native AWS capabilities, including S3 with a per-client encryption key and separate S3 buckets.
OAuth – Customers always authenticate via their platform of choice (Okta, GSuite or Office365) and never set a People.ai-specific password.
Penetration Testing – In addition to our annual SOC 2 audits, People.ai is committed to conducting manual penetration testing by specialized Tier-1 vendors. Latest reports from our partners at Casaba are available upon request.
Dedicated Security Team – We employ onsite staff responsible for reviewing, updating, testing and maintaining our security and privacy controls in accordance with our SOC 2 certification and in preparation for new certifications, security threats, laws and regulations.
Security Project Reviews – All engineering project plans must go through architecture review and receive sign off from the Security team before work can begin.
Security Code Reviews – Engineers are required to complete a security review checklist as a part of software development life cycle for all code changes.
Intrusion detection system (IDS) – We implement security checks throughout the delivery pipeline for continuous vulnerability and anomaly detection.
SSO/SCIM/MDM – We never use or store passwords internally. From the Wi-Fi and applications we use to do our jobs to how we secure our physical location, the only authentication source of truth is our SSO/SCIM/MDM solution. People.ai does not support login- or password-driven access. All access controls are centralized around tight integration with our IAM system (Okta), MDM (Okta), and AWS IAM, per industry best practices.
Breach Notifications – We treat breaches with the highest level of urgency and are committed to delivering timely communications to customers who might be impacted. Any breaches will be communicated within 72 hours per internal process and GDPR compliance. FYI: There have been no recorded breaches to date.
Employee Devices – We use exclusively Macs. This, combined with the implementation of our strictest MDM policies, restricts all employees from downloading data from our production environment, mounting external drives in macOS on personal devices, or transferring files online without leaving a significant trail behind.
Mandatory Employee Training – All employees are required to complete training on data privacy and best practices for securing and handling user data.
Employee Background Checks – All employees are submitted for thorough background checks executed by a Tier 1 vendor as a prerequisite for employment.
HOW DOES PEOPLE.AI EXECUTE GDPR COMPLIANCE?
Data Protection by Design and by Default (Article 25)
- All customer data is stored in logically separated AWS S3 buckets with double encryption, using native AWS means and the AES-256 encryption algorithm
- Review of data sharing and processing agreements of all partner organizations to ensure compliance with the provisions of the GDPR
- Exclusive use of AWS infrastructure for all data processing
Right to Data Portability (Article 20)
- Easy user data export in-app
- Request user data export via Support
- Export activity data via API
Right to Erasure (Article 17)
- Also known as “Right to Be Forgotten”
- Easy user data removal via Support
- Delete activity data via API
Pseudonymisation (Article 5(c))
- No PII or sensitive information in application logs
- All PII and sensitive information has been pseudonymized
Breach Notifications (Article 33)
- Early notification upon identified breach
- Details about our commitments are outlined in our EUSA
- Automated sensitive content flagging and notification
- People.ai does not collect or store PCI, HIPAA or Special Categories of Personal Data (Article 9)
Opt-Outs for All External Communications
- All customers have the right and option to opt-out of People.ai communications
- Mandatory onboarding training on data protection, GDPR, and the rights and freedoms of data subjects
- Quarterly engineering training on InfoSec and web application security