ProdPad is a multi-tenancy application with the data logically separated between accounts. Data from one account cannot be accessed from another account, nor can it be shared.
Access to the data is available only to users with an appropriate role in the account, or through one of the embeddable plugins.
If you are interested in single tenancy, please get in touch with firstname.lastname@example.org.
All data is encrypted at rest using AWS Key Management Service (“AWS KMS”). This uses the AES-256 encryption standard.
All passwords are salted and encrypted before being stored in the database. We are unable to see what a password is, so a forgotten password must be reset by the user. Password policies and two-factor authentication can be added using one of the SSO integrations (Google Suite, Slack, SAML, OneLogin, Okta, Ping Identity or ADFS are currently supported).
Web Application Firewall
Each ALB runs a Web Application Firewall (“WAF”) that provides protection against SQLi and XSS, along with other OWASP Top 10 attacks.
The application has an audit log that can be used for both security and compliance.
Web application vulnerability scans are run on a weekly basis. Identified issues are resolved based on the scan’s risk assessment for the identified issue.
All code undergoes static analysis at each check-in to the DVCS. Identified vulnerabilities and bugs are addressed based on the scan risk assessment.
Penetration tests (pen tests) are run annually. Identified issues are fixed based on the test risk assessment, and the pen test is re-run to confirm the issues have been fixed.
All emails sent from the ProdPad domain are signed using both DKIM and SPF. A DMARC record is also available for receiving mail servers.
Separation of Environments
Production, staging and development environments are physically and logically separate. The staging environment is a replica of the production environment but is physically isolated from it. Development is carried out locally.
QA & Tests
Both automated Quality Assurance (“QA”) and manual QA are carried out. The automated QA consists of unit, integration and acceptance tests. These are run on each commit and before each deploy.
Manual QA is carried out on every bug fix and new feature prior to being merged into a release.