Application Security
Authentication
All passwords are salted and encrypted before being stored in the DB. We are unable to see what a password is, so if a password is forgotten it will need to be reset by the user.
SSO
ProdPad supports the use of SAML to provide SSO. ProdPad supports specific providers (OneLogin, Okta, Ping Identity). Both Azure AD and ADFS are supported using SAML. Sign in with Google and Sign in with Slack are also supported.
Companies can use SSO providers to set password policies and require two-factor or multi-factor authentication (2FA / MFA).
ProdPad also supports SCIM for specific subscription packages to enable automated provisioning.
Access Control
ProdPad provides role-based access control. There are three levels: reviewers (free), editors and admins.
Access on a mobile device
ProdPad on mobile uses the same system with mobile-optimized views. All authentication and encryption works the same way as in the main application. It works on both iOS and Android.
Secure Coding and QA
Vulnerability Scans
Web application vulnerability scans are run weekly. Identified issues are resolved based on the scan’s risk assessment for each identified issue.
Static Analysis
All code undergoes static analysis at each check-in to the DVCS. Identified vulnerabilities and bugs are addressed based on the scan risk assessment.
Penetration Tests
Penetration tests (pen tests) are run annually. Identified issues are fixed based on the test risk assessment, and the pen test is re-run to confirm the issues have been fixed.
A copy of the most recent Pen Test report is available to customers on request. Please contact hello@prodpad.com.
Separation of Environments
Production, staging and development environments are physically and logically separate. The staging environment is a replica of the production environment but is physically isolated from the production environment. Development is carried out locally.
The staging and development environments do not use any data (customer or otherwise) from production.
SDLC and Change Management
The ProdPad application is developed using our SDLC, which governs how items of work progress through QA and Testing into Deployment. Release notes are made available through our Support channels to advise of any changes.
Change Management is maintained using the GitHub development version control system.
QA & Tests
ProdPad performs both automated Quality Assurance (“QA”) and manual QA. The automated QA consists of unit, integration and acceptance tests. These are run on each commit and before each deployment.
Manual QA is carried out on every bug fix and new feature prior to being merged into a release. Manual QA includes smoke testing.
Patch Management
Patching of third-party software and operating systems is performed in a timely manner:
- operating system updates are applied automatically
- updates to various services are applied manually
- application code updates are done weekly or faster in case of hotfixes
Anti-malware
All Scoped Systems (information systems, applications, databases, infrastructure, platforms, and networks connected to or accessed by CreateShift) have anti-malware, anti-virus, and data leakage prevention controls installed.
Response and Resolution Times
Service targets are based on ticket priority, such as low, normal, high, and urgent, as well as the impact the issue has on the overall performance of the platform. The Service Level Agreement provides more detail.