At PeopleStrong, our top priority is keeping our customers’ data secure. We implement stringent security controls at the organizational, architectural, and operational levels to ensure that your data, applications, and infrastructure remain safe.
Our customers serve as the data controller while PeopleStrong is the data processor. This means that customers have full control of the data entered into the services, as well as all setup and configuration. Because customers control the data and we only process it, they do not have to rely on us for day-to-day tasks such as:
Assigning security authorizations and managing roles
Creating new reports
Configuring business process flows, alerts, rules, and more
Creating new integrations
Changing or creating new organizational structures
Monitoring all business transactions
Looking at all historical data and configuration changes
PeopleStrong encrypts every attribute of customer data before it’s persisted in a database. We use the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits and a unique encryption key for each customer.
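The following is an added example, not PeopleStrong’s code, of what attribute-level encryption with a unique AES-256 key per customer looks like in practice. It uses AES-256-GCM from the Go standard library; the tenant keys, record IDs and attribute names are constructed stand-ins (a real service would fetch tenant keys from a KMS or HSM, as the comment notes), and binding the record ID and attribute name into the authenticated data is an assumption about design, not something the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// demoTenantKey stands in for a per-customer key fetched from a KMS or HSM.
// It is a constructed stand-in so the example runs offline; a real service
// would never derive tenant keys from a string baked into the binary.
func demoTenantKey(customerID string) []byte {
	k := sha256.Sum256([]byte("constructed-demo-master-secret/" + customerID))
	return k[:] // 32 bytes, i.e. AES-256
}

// FieldCipher encrypts individual attributes under one customer's key.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

func fieldAAD(recordID, attr string) []byte { return []byte(recordID + "|" + attr) }

// Encrypt seals one attribute with a fresh random nonce. The record ID and
// attribute name are bound in as additional authenticated data, so a blob
// copied to another row or column fails authentication on decrypt.
func (f *FieldCipher) Encrypt(recordID, attr string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := f.aead.Seal(nil, nonce, plaintext, fieldAAD(recordID, attr))
	return append(nonce, sealed...), nil // stored blob = nonce || ciphertext || tag
}

// Decrypt reverses Encrypt; any tampering or context mismatch returns an error.
func (f *FieldCipher) Decrypt(recordID, attr string, blob []byte) ([]byte, error) {
	ns := f.aead.NonceSize()
	if len(blob) < ns+f.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return f.aead.Open(nil, blob[:ns], blob[ns:], fieldAAD(recordID, attr))
}

func main() {
	acme, _ := NewFieldCipher(demoTenantKey("acme-corp"))
	blob, _ := acme.Encrypt("emp-1001", "salary", []byte("120000"))
	fmt.Println("stored:", hex.EncodeToString(blob))
	pt, _ := acme.Decrypt("emp-1001", "salary", blob)
	fmt.Println("decrypted:", string(pt))
	other, _ := NewFieldCipher(demoTenantKey("globex"))
	_, err := other.Decrypt("emp-1001", "salary", blob)
	fmt.Println("other tenant decrypt error:", err)
}
```

The per-customer key is what gives the isolation claim its teeth: a ciphertext from one tenant is undecryptable under another tenant’s key, and the authenticated data means a stored blob cannot be quietly moved between records or columns without the database layer noticing on read.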
Transport Layer Security (TLS) protects user access over the internet, securing network traffic against passive eavesdropping, active tampering, and message forgery. File-based integrations can be encrypted via PGP, or with a public/private key pair generated by PeopleStrong using a customer-generated certificate. WS-Security is also supported for web services integrations with PeopleStrong’s API.
A dedicated Identity Provider (Alt IDP) supports multiple types of authentication providers, including LDAP and OpenID Connect based single sign-on in Alt applications, as well as SAML for third-party single sign-on integrations.
Alt IDP provides a seamless single sign-on experience between the customer’s internal applications and PeopleStrong by integrating with the customer’s authentication systems (Okta, ADFS, Office 365, Google, etc.) over both OAuth 2.0/OpenID Connect and SAML. Customers simply log in to their company’s internal web portal using their own authentication system/IDP, where a link to the PeopleStrong apps gives them access automatically without having to log in again.
If someone leaves their console open, or multiple users access PeopleStrong applications from the same device, organizations that use SAML as an authentication type can secure the connection against unauthorized access by identifying critical items. This allows a second level of authentication to be enforced, which users must complete to access those items.
For customers who wish to use our native login, PeopleStrong stores only a secure hash of each password, never the password itself. Unsuccessful login attempts are recorded along with successful login and logout activity for audit purposes. Inactive user sessions are automatically timed out after a customer-configurable period. Customer-configurable password rules include length, complexity, expiration, and forgotten-password challenge questions.
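As an added example (not PeopleStrong’s code, and not a description of its implementation), the block below shows the two native-login controls mentioned above: storing a salted, iterated password hash instead of the password, and recording both failed and successful login attempts for audit. It uses PBKDF2-HMAC-SHA256 written out over the Go standard library; the in-memory user store, the user names and the source addresses are constructed for the example, and the record format (`pbkdf2-sha256$iterations$salt$hash`) is an assumption.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HashPassword returns a self-describing record; the plaintext is never kept.
func HashPassword(password string, iter int) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iter, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iter, hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// VerifyPassword re-derives the key from the stored salt and compares in constant time.
func VerifyPassword(record, password string) (bool, error) {
	p := strings.Split(record, "$")
	if len(p) != 4 || p[0] != "pbkdf2-sha256" {
		return false, fmt.Errorf("unrecognised password record")
	}
	iter, err1 := strconv.Atoi(p[1])
	salt, err2 := hex.DecodeString(p[2])
	want, err3 := hex.DecodeString(p[3])
	if err1 != nil || err2 != nil || err3 != nil || iter < 1 {
		return false, fmt.Errorf("malformed password record")
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

// AuditEvent records one login outcome ("login_ok" or "login_failed"); both are kept.
type AuditEvent struct {
	At            time.Time
	User, Outcome string
	Source        string
}

// Authenticator holds an in-memory user store (constructed for the example) and the audit trail.
type Authenticator struct {
	Records map[string]string // user -> password record
	Audit   []AuditEvent
}

// Login verifies the password and appends an audit event whether or not it succeeds.
func (a *Authenticator) Login(user, password, source string) bool {
	ok := false
	if rec, known := a.Records[user]; known {
		ok, _ = VerifyPassword(rec, password)
	}
	outcome := "login_failed"
	if ok {
		outcome = "login_ok"
	}
	a.Audit = append(a.Audit, AuditEvent{At: time.Now(), User: user, Outcome: outcome, Source: source})
	return ok
}

// FailedAttempts is the count a lockout or alerting rule would consume.
func (a *Authenticator) FailedAttempts(user string) int {
	n := 0
	for _, e := range a.Audit {
		if e.User == user && e.Outcome == "login_failed" {
			n++
		}
	}
	return n
}
```

Two details matter for the audit claim: the event is appended before the result is returned, so a failure cannot be lost on the error path, and the comparison is constant-time so a stored hash leaks nothing through response timing. The iteration count is a tuning parameter; production deployments use a count sized to their hardware, and a memory-hard KDF where one is available.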
PeopleStrong applications are hosted in the public cloud of leading cloud computing platforms, which are designed to protect mission-critical computer systems with fully redundant subsystems and compartmentalized security zones. Our application hosting data centres adhere to the strictest security measures, encompassing Cloud Security Alliance controls, ISO 9001, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2 and SOC 3.
All access to the data centres is highly restricted and stringently regulated by the cloud service provider.
PeopleStrong has established detailed operating policies, procedures, and processes designed to help manage the overall quality and integrity of our environment. We have also implemented proactive security measures such as perimeter defence, network intrusion prevention systems (IPS), intrusion detection systems (IDS), distributed denial of service (DDoS) protection, and application filtering.
We also maintain a Network Operations Centre and a Security Operations Centre for identifying, investigating, prioritizing, escalating and resolving issues.
PeopleStrong has implemented an enterprise Secure Software Development Life Cycle (SDLC) to help ensure the continued security of PeopleStrong applications.
This program includes an in-depth security risk assessment and review of PeopleStrong Alt features, together with automated static and dynamic source code analysis that integrates enterprise security into the development lifecycle. Automated binary analysis and vulnerability assessment and penetration testing (VA/PT) at quarterly intervals add a further level of application security. The development process is further strengthened by application security training for developers and penetration testing of the application.
Security begins on day one at PeopleStrong. All users receive security and compliance training the moment they are onboarded on the system. Though the extent of involvement may vary by role, security is everybody’s responsibility at PeopleStrong.
In collaboration with a leading security vendor, we perform an application-level security vulnerability assessment of our web and mobile applications before each major release. The firm performs testing procedures to identify standard and advanced web application security vulnerabilities, including, but not limited to, the following:
Security weaknesses linked with Flash, AJAX, Flex and ActionScript
Cross-site request forgery (CSRF)
Improper input handling (such as cross-site scripting, SQL injection, XML injection, and cross-site flashing)
XML and SOAP attacks
Data validation flaws and data model constraint inconsistencies
Insufficient authentication or authorization
HTTP response splitting
Misuse of SSL/TLS
Use of unsafe HTTP methods
Misuse of cryptography
External vulnerability scanning tools scan all internet-facing assets, including firewalls, routers, and web servers, for potential weaknesses that could allow unauthorized access to the network. An authenticated internal vulnerability assessment of the network and systems is also performed to identify potential weaknesses and inconsistencies with general system security policies.