Security Policy

We use commercially reasonable and industry-standard physical, management and technical safeguards to preserve the integrity and security of your Personal Information. We also use Secure Sockets Layer (SSL) encryption when transmitting sensitive information. Whilst we endeavour to protect the security and integrity of sensitive Personal Information provided to this Website, due to the inherent nature of the Internet as an open global communications vehicle, we cannot guarantee that information, either during transmission through the Internet or while stored on our systems or otherwise in our care, will be absolutely safe from intrusion by others, such as hackers.

If you contact us by e-mail or a “Contact us” or similar feature on the Website, you should be aware that your transmission might not be secure. An unaffiliated third party could view information you send by these methods in transit. We accept no liability for disclosure of your information due to errors or unauthorised acts by third parties during or after transmission.

In the unlikely event that we believe that the security of your Personal Information in our possession or control may have been compromised, we may seek to notify you of that development. If notification is appropriate, we shall endeavour to do so as promptly as possible under the circumstances, and (insofar as we have your e-mail address) we may notify you by e-mail. You consent to our use of e-mail as a means of such notification. If you would prefer us to use another method to notify you in this situation, please e-mail us at contact@peoplegoal.com with the alternative contact information you would like us to use.

Security Practices

Security is a serious matter to us and we aim to be as clear and open as we can about the way we handle security.

If you have questions regarding our security, we are happy to answer them. Please write to contact@peoplegoal.com and we will respond as quickly as we can.

Confidentiality

We place strict controls over our employees’ access to the data you and your users make available in your PeopleGoal account. We are committed to ensuring that user data is not seen by anyone who should not have access to it.

To facilitate PeopleGoal services, in some cases our employees have access to the systems which store and process user data. For example, to diagnose a problem you are having with your PeopleGoal account, we need access to some of the user data. These employees have permission to view user data only when it is necessary to do so, and we monitor and document our employees' access to user data.

All of our employees and temporary personnel are bound by our policies regarding customer data.

Employee Practices

PeopleGoal conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of the PeopleGoal services.

Compliance

Establish safeguards to prevent data tampering

PeopleGoal tracks user access by browser and by location. If we detect a break-in attempt, we lock the user account and check in with the account administrator. All information inserted into PeopleGoal carries a timestamp to avoid data tampering.

Establish safeguards to establish timelines

PeopleGoal is a real-time system; we store all data automatically on our servers as it is generated, to prevent alteration or loss of data by any action. In addition, we create logs with this information, and these can be retrieved at a later point.

Ensure that safeguards are operational

PeopleGoal is a web-based program; it is available for an unlimited number of seats, and its operation can be accessed by any individual with a remote login to the system. We monitor in the background that the system is up and running, and we give our users clear advance notice of our shutdown times.

Periodically report the effectiveness of safeguards

PeopleGoal generates multiple reports in the background to track the operational effectiveness of our safeguards. We also track KPIs on the operational effectiveness of our safeguards.

Detect Security Breaches

PeopleGoal uses visitor traffic analytics to detect security breaches. The statistics we are using are:

  • Client geographic distribution
  • Requests served by edge location
  • How visitors are accessing your objects (PC, Mac, mobile, etc.)
  • Duration of visitor sessions
  • Unique visitor counts over time

Disclosure of security safeguards to independent auditors

PeopleGoal can give auditors access to specific reports without the ability to alter those reports, change their components, or reconfigure PeopleGoal.

Disclose security breaches to independent auditors

PeopleGoal is capable of detecting security breaches, notifying users in real time, and permitting resolution to security incidents.

Disclose failures of security safeguards to independent auditors

PeopleGoal schedules periodic tests of network and information integrity, and verifies that certain messages are logged, indicating successful tests.

Site Security

We use 256-bit SSL certificates on all our domains and subdomains. Account-level (application-level) security is built in through the Rails 4.2.10 API and through our application design. Your data is scoped to your subdomain so that, at any stage or operation of PeopleGoal, only users in your specific account can access any of your company data. On an operational level, our databases and application environment are hosted on AWS, with the database itself being the latest version of PostgreSQL.

Data backup

Our database is backed up daily by our Opsworks team. Backups are hosted on AWS RDS itself. We have never had cause to use a backup. Backup files are stored for 90 days.

Password Controls

We require an email address and password in order to access PeopleGoal. Passwords are hashed and encrypted in our database. We never transmit plain text passwords. Passwords are required to have upper and lowercase, numeric and special characters. Users are able to change passwords at any point, but we prohibit the re-use of the same password. We provide the option to sign in with connected accounts using OAuth 2.0 methodology. We do not enable or provide for "guest" accounts or other means of access that do not correlate a specific identity with the accounts or resources being utilized.
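The rules above (upper- and lower-case, numeric and special characters; hashed storage; no re-use of a previous password) can be expressed as a small, testable check. The following is an added example written for this page, not PeopleGoal's own code: the page does not name its hashing scheme, so the example uses PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL binding as a stand-in, keeps an in-memory history per e-mail address (constructed sample data), and, going slightly beyond the page's wording, rejects any password found in the user's full history rather than only the current one. The `PasswordPolicy` and `PasswordStore` names, iteration count and key length are assumptions.

```ruby
require "openssl"
require "securerandom"

# Complexity rules: each must match at least once (assumed names, as in the page's policy).
module PasswordPolicy
  COMPLEXITY_RULES = {
    "upper"   => /[A-Z]/,
    "lower"   => /[a-z]/,
    "digit"   => /\d/,
    "special" => /[^A-Za-z0-9]/
  }.freeze

  # Returns the names of the rules the candidate password fails (empty when acceptable).
  def self.violations(password)
    COMPLEXITY_RULES.reject { |_name, re| password.match?(re) }.keys
  end
end

# Stores only salted PBKDF2 digests, never the plain-text password.
# Hypothetical in-memory store standing in for a database table.
class PasswordStore
  ITERATIONS = 100_000   # assumed work factor
  KEY_LENGTH = 32        # 256-bit derived key

  def initialize
    @records = {} # email => [{ salt:, digest: }, ...], newest first
  end

  # Returns [:ok, []] or [:rejected, [reasons...]].
  def set_password(email, password)
    failed = PasswordPolicy.violations(password)
    return [:rejected, failed] unless failed.empty?

    history = @records.fetch(email, [])
    # Re-use check: verify the candidate against every stored digest for this user.
    return [:rejected, ["reuse"]] if history.any? { |rec| verify_against(rec, password) }

    salt = SecureRandom.random_bytes(16) # fresh per-password salt
    @records[email] = [{ salt: salt, digest: derive(password, salt) }] + history
    [:ok, []]
  end

  # Login check against the current (newest) digest only.
  def authenticate?(email, password)
    current = @records.fetch(email, []).first
    return false unless current

    verify_against(current, password)
  end

  private

  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: KEY_LENGTH, hash: "sha256")
  end

  # Constant-time comparison so a verify does not leak how many bytes matched.
  def verify_against(rec, password)
    candidate = derive(password, rec[:salt])
    return false unless candidate.bytesize == rec[:digest].bytesize

    candidate.bytes.zip(rec[:digest].bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The re-use check has to re-derive the candidate with each historical salt, which is why it costs one PBKDF2 run per stored entry; bounding the history length keeps a password change from becoming a denial-of-service vector on the server.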

Data retention

We do not share customer data with any third parties, other than our payment services provider Stripe, who stores and creates your subscription. Data is retained in our database if you pause your subscription. If you would like your account data permanently deleted, that option is available by request at support@peoplegoal.com, and we provide confirmation of the deletion.

Hosting

PeopleGoal uses Heroku for the hosting of staging and production environments. Heroku has achieved the following certifications:

  • PCI DSS Level 1
  • HIPAA
  • ISO 27001, 27017, 27018
  • SOC 1, 2, 3

The scope of the certifications can be found here: https://www.heroku.com/compliance.

Heroku regularly performs audits and maintains PCI, HIPAA, ISO, and SOC compliance to further strengthen our trust with customers.

Location

Our application servers and databases are hosted on Heroku EU servers.