Application Security

Authentication

All passwords are salted and encrypted before being stored in the DB. We are unable to see what a password is, so if a password is forgotten it will need to be reset by the user. 

SSO

ProdPad supports the use of SAML to provide SSO. ProdPad supports specific providers (OneLogin, Okta, Ping Identify). Both Azure AD and ADFS are supported using SAML. Sign in with Google and Sign in with Slack are also supported.

Companies can use SSO providers to set password policies and require 2/multi factor Authentication (2FA / MFA). 

ProdPad also supports SCIM for specific subscription packages to enable automated provisioning.

Access Control

ProdPad provides role based access control. There are three levels: reviewers (free), editors and admins. 

Access on a mobile device

ProdPad on mobile uses the same system with mobile optimized views. All authentication and encryption performs the same as the main application. It works on both iOS and Android.

Secure Coding and QA

Vulnerability Scans

Web application vulnerability scans are run on a weekly basis. Identified issues are resolved based on the scan’s risk assessment for the identified issue.

Static Analysis

All code undergoes static analysis at each check-in to the DCSV. Identified vulnerabilities and bugs are addressed based on the scan risk assessment.

Penetration Tests

Penetration tests (Pen tests) are run annually. Identified issues are fixed based on the test risk assessment and the pen test re-done to confirm the issues have been fixed.

A copy of the most recent Pen Test report is available to customers on request. Please contact hello@prodpad.com.

Separation of Environments

Production, staging and development environments are physically and logically separate. The staging environment is a replica of the production environment but is physically isolated from the production environment. Development is carried out locally.

The staging and development environments do not use any data (customer or otherwise) from production.

SDLC and Change Management

The ProdPad application is developed using our SLDC which governs how items of work progresses through QA and Testing into Deployment. Release notes are made available through our Support channels to advise of any changes. 

Change Management is maintained using the GitHub development version control system.

QA & Tests

Both automated Quality Assurance (“QA”) and manual QA. The automated QA consists of unit, integration and acceptance tests. These are run on each commit and before each deployment.

Manual QA is carried out on every bug fix and new feature prior to being merged into a release. Manual QA includes smoke testing.

Patch Management

Patching of third-party software and operating systems is performed in a timely manner:

  • operating system updates are applied automatically
  • various services updates are done manually
  • application code updates are done weekly or faster in case of hotfixes

Anti-malware

All Scoped Systems (information systems, applications, databases, infrastructure, platforms, and networks connected to or accessed by CreateShift) have anti-malware, anti-virus, and data leakage prevention controls installed.

Response and Resolution Times

Service targets are based on ticket priority, such as low, normal, high, and urgent, as well as the impact the issue has on the overall performance of the platform. The Service Level Agreement provides more detail.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us

Related Articles