Security Overview
This document is intended for any PrevailHQ customer or potential customer who wants to learn more about how PrevailHQ approaches security.
PrevailHQ is SOC 2 Type 2 certified.
PrevailHQ Security Principles
We believe that the best way to achieve security is to build all systems and processes with security in mind and to leverage all modern tools and standards.
Our high-level security principles include:
- Employees of PrevailHQ only have access to client data on a need-to-know basis.
- Employees of PrevailHQ are required to use two-factor authentication to access all systems.
- Our application is securely hosted on Amazon Web Services infrastructure exclusively within the United States using the Render platform.
- Minimum password requirements are enforced for all users.
- We require encrypted connections (HTTPS) using TLS 1.2 at all times. Unencrypted access to the system is not supported.
- Our application is based on a REST API framework. Access to APIs is secured and reviewed periodically.
Infrastructure Security
Render
PrevailHQ uses Render to assist with infrastructure management, scaling, and security. Render is a cloud application platform running within AWS and used by organizations of all sizes to deploy and operate applications throughout the world. Render is designed to protect from threats by applying security controls at every layer from physical to application, isolating customer applications and data, and rapidly deploying security updates without customer interaction or service interruption.
Render has security standards published here: https://trust.render.com
The environment is protected with the following and more:
- Firewalls
- DDoS Mitigation
- Spoofing and Sniffing Protections
- Port Scanning
- Intrusion Detection
Amazon Web Services
PrevailHQ also leverages Amazon Web Services (AWS) for certain infrastructure, and Render itself runs on AWS infrastructure.
AWS has security standards published here: https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/
Amazon is one of the most trusted hosting providers in the world. Amazon maintains a series of security certifications including:
- ISO 27001, 27017, 27018
- PCI DSS Level 1
- AICPA and SOC
- HIPAA
AWS environments are continuously audited, with certifications from accreditation bodies across the globe. Amazon provides all server management for Render and PrevailHQ. PrevailHQ is hosted in the US-Central Amazon data center.
Application Security
PrevailHQ runs a modern web application and API backend. Our application is designed with security in mind.
Development Practices
We have a robust testing framework in place, which includes both automated and manual testing.
All code is reviewed by at least two engineers before pushing to production, and all deployments are signed off by the CTO.
If code is related to security or deemed to be high risk, at least three engineers must review the code, and additional testing must be completed before deployment.
Automated code reviews include checks for:
- SQL injection
- Cross-site request forgery
- Session vulnerabilities
- Cross-site scripting
- File access
- Authentication
- Denial of service
We review third-party software for recent security updates and promptly apply them.
Vulnerability Testing
- We periodically perform internal penetration testing and are happy to facilitate vulnerability testing by our clients upon request.
- Third-party vulnerability testing is performed on a weekly basis. Found vulnerabilities are given the highest development priority and are fixed immediately.
Database Security
- All databases that contain production data are encrypted both in transit and at rest.
- We have point-in-time rollback for production databases with failover copies in multiple availability zones.
- Database credentials are limited to the CTO and Lead Developers and are always required to use two-step authentication to access this data.
- We will securely delete any client data from our servers within 30 days upon request.
- All clients have a right to request a full export of their data within 30 days upon request.
Security Incident Response
PrevailHQ is committed to keeping clients informed of any actual or potential security incidents and to providing support in the unlikely event of any incident.
- PrevailHQ will notify all clients by email within 24 hours of the discovery of any data breach or security incident
- PrevailHQ will assign a dedicated team of engineers within 24 hours to fully investigate the scope and severity of any security incident
- PrevailHQ will assist with the investigation of any security incident using all available monitoring tools and logging
- PrevailHQ will be available for any questions and follow-up at support@prevailhq.com
- PrevailHQ will work with all clients to mitigate any security incident as much as possible
Disaster Recovery and Business Continuity
PrevailHQ is committed to providing a stable platform and is committed to restoring access to our systems quickly in the unlikely event of any disruption to our infrastructure or our business.
- PrevailHQ only uses industry-leading infrastructure providers and tools, such as Render and Amazon Web Services
- We have contingency plans to launch our databases and application in other regions of our cloud providers, or another cloud provider entirely, if there is a major failure in one
- Our application is built in a distributed and flexible way so that it does not depend on any specific servers but can be deployed quickly where necessary
- All user data is backed up at least every 24 hours, and encrypted backups are maintained in multiple regions (within the US)
- Our recovery time objective (RTO) is 4 hours and our recovery point objective (RPO) is 24 hours