We often get questions from our users about our security practices and what we’re doing to protect their data. And though we don’t want to reveal too much of what we do behind the curtain, we want to lay out some of the most important things we do to protect your data and also what you can do to protect your own data when using 15Five.
What we do to protect your data:
Data Handling
We take handling your data very seriously. We classify all data, and our employees are trained on proper handling of your (and our) data. Our employees are granted access to systems that hold your data on a “need-to-know” basis (i.e. if required to perform their job). Employees who have access to systems that hold your data are required to use strong passwords and multi-factor authentication.
Data Encryption
We encrypt all communication between you and our applications using industry standard SSL/TLS encryption. We also store your data encrypted with a key specific to your company, which means that even our engineering staff with direct access to our databases cannot see your private data. We hash all passwords and have no way to decrypt them so if you forget your password, resetting it is the only option. We store all your data in ISO 27001 compliant data centers in the United States.
Credit Card Safety
When you purchase a paid subscription with 15Five, we neither store nor transmit your credit card information. We use Zuora, a PCI-DSS Level 1 compliant payment processor to handle all credit card transactions.
Keep Things Simple
One of our core values is to keep things simple. We embody this by keeping our technical stack, our application, and our business processes lean and free of unnecessary complexity. We automate as much testing, deployment and backup processes as possible to reduce any human error. All new code is seen by at least two pairs of eyes and evaluated against our secure coding standards. We regularly tear out code that has reached the end of its usefulness to keep our application simple, elegant, and secure.
Always Be Learning and Growing
Another of our core values is to always be learning and growing. All of our employees receive regular security and data handling training to be made aware of common and new security threats and how to mitigate them. Our engineering staff are constantly evaluating and integrating new technologies into our stack and application to create the best possible user experience and to increase security.
Monitoring
We actively monitor security issues and releases of our technical stack and deploy patches as quickly as possible. We utilize multiple types of logging to monitor the live (and past) state of our application to help detect and recover from any security events. We maintain a list of our vendors’ security policies and monitor our vendors for security breaches that could lead back to our application.
External verification
To ensure that 15Five’s practices align with industry-best practices, 15Five has adopted the AICPA’s Trust Services Criteria and has taken organizational and procedural steps to ensure the security, availability, processing integrity, confidentiality and privacy of the services we provide our customers. We have been audited by an independent firm to confirm that we are compliant with the SOC 2 framework. To receive a copy of our SOC 2 report, please contact [email protected] to receive a copy of our NDA.
To ensure the software that we write doesn’t contain bugs or flaws, 15Five has implemented strict review processes of manual and automatic review and testing. We also periodically run vulnerability scans and hire external penetration testers to independently verify our software’s security.
We do more
This is not a comprehensive list of the security measures we keep to safeguard your data. If you have any more questions please contact us, we’re glad to answer any and all of your questions.
What you can do to protect your data:
Use Multi-factor Authentication (or SSO)
Our application allows you and your colleagues to enable multi-factor authentication, which helps prevent against unauthorized access. If you already have a single sign-on at your organization (e.g. Okta, Azure SSO) we provide integration (1) to most SAML providers, which means you wouldn’t need to remember another password.
Manage Users Automatically
Manually adding and removing users and permissions can often be overlooked and are a common source of unauthorized access to data (i.e. it can be easy to forget to remove an employee from 15Five when they leave your organization). To prevent this, we recommend automatically managing users. 15Five provides integrations with Bamboo HR and Namely. Users can alternatively be managed by any IdP that supports the SCIM 2.0 protocol (Okta, Azure, OneLogin, G-Suite). Our public API can be used for more complex or obscure systems.
Security Audits
Our application keeps security logs of user access (user logins and IPs) and many other events (e.g. changes to groups, changes of reviewers, etc…) which can be audited through the company settings page by administrators at anytime. (2)
Learn about privacy settings
Different companies have different demands as to privacy settings. 15Five provides many options when it comes to privacy, but this means that you need to ensure you understand and are using our application in a way consistent with your requirements. For any privacy concerns, you can take a look at our privacy policy here. Feel free to emails us for any additional questions at [email protected].
Reporting security issues
If you believe you’ve found something in 15Five that has security implications, please email them to [email protected]
Notes
(1) SSO is included with some plans or can be purchased as an add-on for others.
(2) Security events are logged for all accounts, but these are only accessible on some plans.