Security and Trust at ProcedureFlow

Businesses trust ProcedureFlow to reliably store and secure their data using enterprise-grade data protection.

SOC 2 Type 2 compliant
Hosted on Amazon Web Services
Data encrypted in transit and at rest
Annual penetration tests
Monthly vulnerability scans
Intelligent threat monitoring
Full encrypted backups every 24 hours
Access controls
SAML 2.0 SSO for Enterprise customers
Offline Backup for 24/7 availability
Average 99.97% uptime

Compliance

ProcedureFlow is compliant with SOC 2 Type 2.

Data Center and Network Security

ProcedureFlow hosts all its software in Amazon Web Services (AWS) data centers in the USA. Amazon is compliant with an extensive list of programs including ISO 9001/27000/27017/27018, CSA, PCI DSS Level 1, and SOC 1/2/3. See Amazon's compliance and security pages for more information.
ProcedureFlow's servers are located within a dedicated virtual private cloud (VPC) that is protected by restricted security groups. Only the minimal required communication is allowed between servers.

Application Security

OWASP guidelines are followed for web application architecture and implementation using ASP.NET MVC and .NET.
Application actions are protected with unique permissions evaluated based on context such as the user and roles.
Annual penetration tests are conducted by a third-party.
Monthly vulnerability scans (including OWASP Top 10) are conducted by a third-party.
ProcedureFlow supports Single Sign-On (SSO) via SAML 2.0 which allows your users to authenticate without requiring them to enter login credentials for ProcedureFlow. New users via SSO can be automatically provisioned. SSO can be enforced for non-Administrator users.
Passwords are one-way hashed and stored in ProcedureFlow's encrypted database. User login is protected from brute force attack with rate limiting.
Administrators can see when a user was last active and any activity using the procedures.

Data Security

Connections to ProcedureFlow are encrypted using TLS (HTTPS). Attempts to use HTTP are redirected to HTTPS.
Customer data (including procedures, flows, activity, and user information) is encrypted at rest and in transit.
Data is stored in industry-standard PostgreSQL and Redis systems hosted and managed by AWS.
Full encrypted database backups are created every 24 hours.
Authorization and access to systems is provided on a need-to-know basis and based on principle of least privilege. Access to AWS is restricted to key employees and is controlled via secure and narrow identity keys and protected by two-factor authentication.
Customer data may be requested and purged from ProcedureFlow after contract termination (see the Terms of Service and Privacy Policy).

Security Policies

Security policies are maintained, communicated, and approved by management. Employees are required to review and sign security policies to ensure everyone clearly knows their security responsibilities. Policies are audited as part of our compliance with SOC 2.
The employee hiring process includes background checks.
Employees are required to undergo regular security awareness training and testing. Employees are trained to not replicate customer data onto their workstations.
Employee workstations are required to use current anti-virus software and disk encryption.
Third-party vendors undergo a risk assessment annually. Vendors are required to provide compliance audits or, at a minimum, submit to a security assessment to demonstrate security best practices.

Software Development Life Cycle (SDLC)

Application code changes follow a documented SDLC process.
Code reviews are mandatory for code changes. A series of checks must pass before changes are accepted such as: automated tests, security, performance, and privacy assesments.
Periodic security reviews are performed of architecture and sensitive code.
The production environment used by customers is separate and isolated from environments used for development, testing, and staging. Customer data does not leave the production environment.

Application Monitoring

All access to ProcedureFlow is logged and audited. Logs are kept for at least 1 year.
System information and performance is monitored using a third-party service.
An intelligent threat detection service continuously monitors for malicious activity and unauthorized behavior.
ProcedureFlow has an incident response plan to track issues to resolution and conduct postmortems.

Availability and Uptime

ProcedureFlow's typical uptime is 99.97% including scheduled maintenance.
A publicly accessible status page is maintained including uptime, system availability, scheduled maintenance, and incident history.
The Offline Backup feature can provide 24/7 emergency access to your procedures in a read-only format. Offline Backups can be stored in a file repository within your secure network for contingency purposes.
Production infrastructure is designed with redundancy using techniques such as fail over, content delivery networks, load balancing, and standby replicas.
ProcedureFlow maintains a Business Continuity Plan. Disaster recovery is tested semi-annually. A Risk Assessment is performed annually.

Responsible Disclosure

If you've discovered a security vulnerability or have questions about our security, please contact us and we will respond as soon as possible: security@procedureflow.com

Frequently Asked Questions

No, our team is here to help you navigate the product and see its full potential. We do offer a pilot program if you wish to try out the product without full financial commitment. We can also create a custom demo with one of your procedures so you get a better understanding of how it will look and feel in our platform.

Typically, our team of experts can have our clients up and running in 90 days with a dedicated set of processes.

It’s important to assemble the proper stakeholders to ensure a successful rollout and identify key roles and responsibilities to manage your processes. You will want to bring in your technical team if we are integrating with any of your other systems.

Don’t fret. Part of our approach is to interview your experts, so processes are properly documented, and the best knowledge is captured. Sometimes starting fresh is best.

There are no limits to the number of users or procedures you can have in ProcedureFlow. Our pricing model is user based so you simply pay for what’s required. You’ll want to make sure you set the proper permissions to manage users and their access.

Yes, we take data security very seriously. You can see our full list of security standards here.