Effective Date: July 31, 2020
We use Pudding every day to keep our team organized, connected, and focused on results. Ensuring our platform remains secure is vital to protecting our own data, and protecting your information is our highest priority.
Our security strategy covers all aspects of our business, including:
Every Pudding employee signs a Data Access Policy that binds them to the terms of our data confidentiality policies, available at pudding.app/terms and pudding.app/privacy. Access rights are based on each employee’s job function and role.
Pudding has successfully completed its SOC 2 (Type I) audit and is currently under observation for a SOC 2 (Type II) audit for controls relevant to security, availability, and confidentiality. This means that an independent third party has both validated our processes and practices with respect to these three trust services criteria and confirmed our ability to maintain compliance with the controls we’ve implemented.
Pudding uses the git revision control system. Changes to Pudding’s code base go through a suite of automated tests and a round of manual review. When code changes pass the automated testing system, they are first pushed to a staging server where Pudding employees can test them before an eventual push to production servers and our customer base. We also add a specific security review for particularly sensitive changes and features. Pudding engineers also have the ability to “cherry pick” critical updates and push them immediately to production servers.
In addition to a list where all access control changes are published, we have a suite of automated unit tests that check that access control rules are written correctly and enforced as expected. We also work with third-party security professionals to:
Pudding uses Amazon Web Services (RDS & S3) to manage user data. The database is backed up on a regular basis, and we also take regular snapshots of it.
For high availability, we have implemented AWS Multi-AZ for both compute and storage.
For our US-based customers, we currently host data in secure data centers via Amazon RDS in the United States.
For our EU-based customers, we currently host data in secure data centers via Amazon RDS in the EU.
Web connections to the Pudding service use TLS 1.1 and above. We support forward secrecy and AES-GCM, and prohibit insecure connections using TLS 1.0 and below or RC4.
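As an added illustration of what such a policy looks like in practice (this is not Pudding’s own configuration, which the page does not show, and it assumes an nginx front end; the certificate paths and hostname are placeholders), here is the kind of weak setting the policy prohibits beside a configuration that matches it:

```nginx
# BEFORE: the setting the policy prohibits. Accepts TLS 1.0, lets the client
# pick any cipher including RC4, and offers no guarantee of forward secrecy.
server {
    listen 443 ssl;
    server_name weak.example.invalid;          # placeholder hostname
    ssl_certificate     /etc/ssl/placeholder.crt;  # placeholder path
    ssl_certificate_key /etc/ssl/placeholder.key;  # placeholder path

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:RC4-SHA;
    ssl_prefer_server_ciphers off;
}

# AFTER: matches the stated policy. TLS 1.1 and above only, ECDHE key exchange
# for forward secrecy, AES-GCM suites only, RC4 and anonymous suites excluded.
# Note: RFC 8996 (2021) deprecates TLS 1.0 and 1.1, so a deployment today would
# normally set TLSv1.2 as the floor.
server {
    listen 443 ssl;
    server_name example.invalid;               # placeholder hostname
    ssl_certificate     /etc/ssl/placeholder.crt;  # placeholder path
    ssl_certificate_key /etc/ssl/placeholder.key;  # placeholder path

    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!RC4:!aNULL:!MD5';
}
```

To verify the deployed policy rather than the file, a TLS 1.0 handshake attempt such as `openssl s_client -connect example.invalid:443 -tls1` should be refused by the server, while a default `openssl s_client` connection should report an ECDHE-based AES-GCM cipher in its output. Checking the live endpoint this way is what an auditor validating the “TLS 1.0 and RC4 prohibited” claim would do.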
All laptops and workstations are secured via full disk encryption. We diligently apply updates to employee machines and monitor employee workstations for malware. We use industry-standard OTP technology to further secure access to our corporate infrastructure.
Pudding engages external penetration testers to test the service on a regular basis.
Amazon employs a robust physical security program with multiple certifications, including an SSAE 16 certification. For more information on Amazon’s physical security processes, please visit aws.amazon.com/security.
We are committed to making Pudding consistently available to you and your teams. Our systems have built-in redundancy to withstand failures and are constantly monitored to keep your work uninterrupted.
Want to report a security concern?
Email us at [email protected]