Pudding App’s Statement on Security

Effective Date: July 31, 2020

Introduction

We use Pudding every day to keep our team organized, connected, and focused on results. Ensuring our platform remains secure is vital to protecting our own data, and protecting your information is our highest priority.

Our security strategy covers all aspects of our business, including:

  • Pudding corporate security policies
  • Physical and environmental security
  • Operational security processes
  • Scalability & reliability of our system architecture
  • Data model access control in Pudding
  • Systems development and maintenance
  • Service development and maintenance
  • Regularly working with third party security experts

Pudding Corporate Security Policies & Procedures

Every Pudding employee signs a Data Access Policy that binds them to the terms of our data confidentiality policies, available at pudding.app/terms and pudding.app/privacy. Access rights are based on each employee’s job function and role.

SOC 2 (Type I and Type II)

Pudding has successfully completed its SOC 2 Type I audit and is currently in the observation period for its SOC 2 Type II audit, covering controls relevant to security, availability, and confidentiality. This means that an independent third party has both validated our processes and practices with respect to these three trust services criteria and confirmed our ability to maintain compliance with the controls we’ve implemented.

Security in our Software Development Lifecycle

Pudding uses the git revision control system. Changes to Pudding’s code base go through a suite of automated tests and a round of manual review. When code changes pass the automated testing system, they are first pushed to a staging server, where Pudding employees are able to test them before an eventual push to the production servers and our customer base. We also add a specific security review for particularly sensitive changes and features. Pudding engineers also have the ability to “cherry pick” critical updates and push them immediately to the production servers.

In addition to maintaining a list where all access control changes are published, we have a suite of automated unit tests that check that access control rules are written correctly and enforced as expected. We also work with third-party security professionals to:

  • Test our code for common exploits
  • Use network scanning tools against our production servers

Pudding Architecture & Scalability

Scalability/Reliability of Architecture

Pudding uses Amazon Web Services (RDS & S3) to manage user data. The database is backed up on a regular basis, and we also take regular snapshots of it.

For high availability, we have implemented AWS Multi-AZ for both compute and storage.

For our US based customers, we currently host data in secure data centers via Amazon RDS in the United States.

For our EU based customers, we currently host data in secure data centers via Amazon RDS in the EU.

Encrypted Transactions

Web connections to the Pudding service are made via TLS 1.1 and above. We support forward secrecy and AES-GCM, and prohibit insecure connections using TLS 1.0 and below or RC4.

Pudding Information Security

Employee Devices

All laptops and workstations are secured via full disk encryption. We diligently apply updates to employee machines and monitor employee workstations for malware. We use industry-standard OTP technology to further secure access to our corporate infrastructure.

Penetration Testing

Pudding works with external penetration testers to have penetration tests performed on a regular basis.

Data Center Security

Amazon

Amazon employs a robust physical security program with multiple certifications, including an SSAE 16 certification. For more information on Amazon’s physical security processes, please visit aws.amazon.com/security.

Product Features

Administrator Management Features

  • Authentication – Pudding administrators can force employees to authenticate via Google Accounts or set up SAML.
  • Passwordless Login – Pudding has implemented a passwordless mechanism for logging in to Pudding, which eliminates the need to store passwords in Pudding.
  • User Management – Administrators can deprovision users from a central administration interface.

User Features

  • Privacy, Visibility, & Sharing Settings – Customers determine who can access different categories of data such as Workspaces, projects, and tasks. Access to a Pudding Organization is based on your company email domain. Administrators can limit a user’s access by using Role Based Access Control (RBAC).

Privacy

Privacy Policy

Pudding’s privacy policy, which describes how we handle data input into Pudding, can be found at pudding.app/privacy.

Availability

We are committed to making Pudding consistently available to you and your teams. Our systems have built-in redundancy to withstand failures and are constantly monitored to keep your work uninterrupted.

Want to report a security concern?

Email us at [email protected]