Security is a serious matter to us and we aim to be as clear and open as we can about the way we handle security.
If you have questions regarding our security, we are happy to answer them. Please write to firstname.lastname@example.org and we will respond as quickly as we can.
We place strict controls over our employees’ access to the data you and your users make available in your PeopleGoal account. We are committed to ensuring that user data is not seen by anyone who should not have access to it.
To facilitate PeopleGoal services in some cases our employees have access to the systems which store and process user data. For example to diagnose a problem you are having with your PeopleGoal account we need access to some of the user data. These employees have the permission to view user data only if it is necessary to do so and we monitor and document access to user data from our employees.
All of our employees and temp personnel are bound to our policies regarding customer data.
PeopleGoal conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of the PeopleGoal services.
Establish safeguards to prevent data tampering
PeopleGoal tracks user access by browser by location. If we detect a break-in attempt we lock the user account and check in with the account administration. All information inserted into PeopleGoal has a timestamp to avoid data tampering.
Establish safeguards to establish timelines
PeopleGoal is a real-time system; we store all data automatically in our servers as it is generated to prevent alteration or loss of data by any action. In addition we create logs with this information, and these can be retrieved at a later point.
Ensure that safeguards are operational
PeopleGoal is a web based program, it is available for an unlimited number of seats, and its operation can be accessed by any individual with a remote login to the system. We monitor in the background that the system is up and running and we provide clear indications of our shutdown times to our users in advance.
Periodically report the effectiveness of safeguards
PeopleGoal generates multiple reports in the background to track the operational effectiveness of our safeguards. We also track KPIs on the operational effectiveness of our safeguards.
Detect Security Breaches
PeopleGoal uses visitor traffic analytics to detect security breaches. The statistics we are using are:
Disclosure of security safeguards to independent auditors
PeopleGoal can provide access to auditors to specific reports without the ability to alter these reports or change components of the report or reconfigure PeopleGoal.
Disclose security breaches to independent auditors
PeopleGoal is capable of detecting security breaches, notifying users in real time, and permitting resolution to security incidents.
Disclose failures of security safeguards to independent auditors
PeopleGoal schedules periodic tests of network and information integrity, and verifies that certain messages are logged, indicating successful tests.
We use 256-bit SSL certificates on all our domains and subdomains. Account level (application level) security is built in through the Rails 4.2.10 API, and through our application design. Your data is scoped off to your subdomain so that, at any stage or operation of PeopleGoal, only users in your specific account can access any of your company data. On an operational level, our databases and application environment are hosted on AWS, with the database itself being the latest version of PostgresQL.
Our database is backed up daily by our Opsworks team. Backups are hosted on AWS RDS itself. We have never had cause to use a backup. Backup files are stored for 90 days.
We require an email address and password in order to access PeopleGoal. Passwords are hashed and encrypted in our database. We never transmit plain text passwords. Passwords are required to have upper and lowercase, numeric and special characters. Users are able to change passwords at any point, but we prohibit the re-use of the same password. We provide the option to sign in with connected accounts using OAuth 2.0 methodology. We do not enable or provide for "guest" accounts or other means of access that do not correlate a specific identity with the accounts or resources being utilized.
We do not share customer data with any third parties, other than our payment services provider Stripe, who stores and creates your subscription. Data is retained on our database if you pause your subscription. If you would like your account data permanently deleted that option is available by request at email@example.com, to which we provide confirmation of said deletion.
Our application servers and databases are hosted on AWS EU, which is the availability zone in Ireland.