Will ProsperWorks complete a security audit?
- ProsperWorks has completed SOC2 auditing of our security controls against control criteria based on the following American Institute of Certified Public Accountants' (AICPA) Trust Services Principles:
- Security – The system is protected against unauthorized access, use or modification.
- Availability – The system is available for operation and use as committed or agreed.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
Is ProsperWorks GDPR compliant?
- ProsperWorks is currently certified under the EU and Swiss Privacy Shield frameworks for data protection.
- GDPR is a new European data privacy law that goes into effect May 25th, 2018.
- ProsperWorks will be in compliance with the GDPR when it takes effect.
Where is customer data stored?
- ProsperWorks stores all of its data in the United States.
What features does ProsperWorks have to increase application and user security?
- Close integration with Google using OAuth, which means ProsperWorks does not store user passwords.
- User management delegated to account owner(s) in the customer’s organization.
- Written request from the account owner required to change ownership.
- Session timeouts, and lock-out after repeated failed login attempts.
- Annual penetration tests along with regular vulnerability scanning to identify and remediate any application vulnerabilities.
What is our infrastructure and data security like?
- All compute and data servers are hosted in SOC2 / NIST 800-58 / ISO 27001 attested data centers.
- Only a limited number of people at ProsperWorks have access to the infrastructure that hosts customer data, and that access is protected with multi-factor authentication.
- All data is encrypted in transit using TLS 1.2 with AES-256 encryption.
- ProsperWorks has received a TRUSTe privacy certification.
How does ProsperWorks ensure uptime and availability?
- Redundancy and hot failover across multiple data centers.
- Tested disaster recovery plans that use backups to restore service.
What are ProsperWorks' internal information security policies and procedures?
At ProsperWorks, we have a security program that includes the creation, maintenance, audit and enforcement of security policies and procedures; and designates responsibility and authority over security to dedicated personnel.
These policies include:
- Data Protection
- Change Management
- Security Incident Response
- Network Security
- Network Access and Authentication
- Vendor Management
- Disaster Recovery
- Clean Desk
- Roles and Responsibilities
Examples of the security controls:
- Hiring practices include criminal background checks, confidentiality agreements, annual security awareness training, and employee performance evaluation.
- Access to systems that process customer data is restricted by a strict approval process, which limits granted access and capabilities to meet the requirements of the Segregation of Duties and Least Privilege security models.
- Employees' access to resources is regularly evaluated. If an employee's role changes, access is removed within 48 hours, and immediately upon an employee's termination.
- Agile development methodology with strong change management, which includes thorough code review, quality assurance verification and a strict approval process for releases.
- Due diligence procedures are in place for third-party service providers to review and monitor their security controls.
Is ProsperWorks compliant with NIST 800-58, NIST 800-171 or FedRAMP?
- We are not fully compliant at this time; only the data centers that host our services are compliant. Please make a support request here so we know this is something you are interested in.
If you have any questions, please submit a request here.