At Salsify, we know your content and product information is one of your organization's most valuable assets. We are committed to protecting your data and the investment you’ve made in our technology and infrastructure. Here are some of the key security best practices we employ that we can share publicly.
Salsify uses an independent, third-party auditor to audit our controls and processes.
In December of 2017, we received our SOC 2 Type 1 certification from the auditing firm. Current customers may request a letter of attestation.
In November of 2018, we received our SOC 2 Type 2 certification.
The standards are outlined by the American Institute of CPAs (AICPA).
General Data Protection Regulation (GDPR)
On April 27, 2018, Salsify received finalization of our Privacy Shield self-certification. We self-certify on an annual basis and most recently re-certified on April 23, 2020.
Please visit our GDPR page for more information.
California Consumer Privacy Act (CCPA)
People can be your greatest asset but also your greatest security risk. We work hard to make sure that everyone in our organization goes through annual security awareness training. New hires are trained as well.
Our business continuity plans and physical security safeguards help ensure that people know what to do during a non-system event.
Our office is secured by security keycode access and other security protection methods. Employees have individual key cards to access our floor.
We conduct thorough background checks on all of our employees prior to employment, including criminal and personal reference checks.
Off-boarding procedures are put in place so that access is terminated when someone leaves the organization.
Salsify maintains standard security policies and processes. The policies, standards, and procedures are reviewed at least annually and updated as necessary. Our security framework is based on NIST 800 recommendations.
Salsify arranges for rigorous third-party security assessments to be conducted at least once per year, including network and application vulnerability threats, penetration testing, and application security framework controls auditing. A letter of attestation of the test can be furnished upon customer request.
We have formal, management-approved Incident Response and Security Incident Response plans. The Incident Response Plan defines the roles and responsibilities for the Incident Commander and supporting roles, the response process, including customer notification, and a postmortem process to capture remediation actions. The Security Incident Response plan defines the security incident response team (SIRT) roles and responsibilities, as well as response plan steps.
Salsify utilizes an agile development process with Continuous Integration (CI). Our CI pipeline includes development, staging, and production environments. This configuration allows for authorized access controls per environment.
Security is built into each step of our process. Data handling, code deployment, configuration, and patch management each follow security best practices outlined in our security policies and SDLC.
Our SDLC requires code review and approval for all changes, as well as a green build on all automated tests in our CI environment before deployment. All developed code is reviewed manually and automatically tested for potential security vulnerabilities. We strive to follow OWASP (Open Web Application Security Project) best practices.
Identified and confirmed security vulnerabilities go through an impact and risk assessment. Patches or other means of remediation are first deployed in a development environment, tested in staging, and then sent into production.
In addition, automated application penetration tests are run internally on a regular basis.
Salsify follows the principle of “least privilege”. Our practice is to issue credentials only to the individuals and systems that absolutely need access to a system or resource. Access can only be granted by a member of our Operations team and is tracked for auditing purposes. Administrators can revoke access at any time; this supports our off-boarding process.
Security by Design
Salsify hosts all services on resilient and elastically scalable infrastructure, using a fault tolerant application architecture. This ensures high availability and consistent application performance, as described in our Terms of Service.
Our cloud service providers adhere to industry standard compliance, certifying in ISO 27001, SOC 2 or similar. We obtain and review these reports on an annual basis to confirm compliance.
All SSL certificates are created and updated with 2048-bit key length and SHA-256.
Our keys are encrypted and stored using a key management service.
Our infrastructure architecture supports a recoverable process. Automated data backups, documented recovery procedures, and annual testing ensure that we have everything in place in the event of a disaster.
Salsify has a defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for our service.
Authentication & Authorization
Salsify utilizes a cloud service provider solution which includes multi-factor authentication in order to access environments. User-defined groups and roles follow our “least privilege” concept.
Remote access to infrastructure is restricted to only authorized users and is accessible only through our VPN.
Log monitoring is in place and we retain audit logs in accordance with our retention policy. Any suspicious activity or unauthorized access triggers alerting to our operations staff. The security team is engaged, as necessary, per our Incident Response plan.
Passwords are rotated on a regular cadence for staff that supports our infrastructure.
We host customer data in a multi-tenant environment. Data segregation is supported at the application level, per customer. This prevents the potential of exposing customer data to unauthorized users at other organizations.
All traffic is encrypted with a minimum of TLS 1.2. Salsify implements the latest encryption algorithms. We test and upgrade to newer and more secure standards as they become available. We currently use 256-bit AES encryption, including the key management service that is part of our cloud service provider’s offering.
Data is also encrypted at rest, including our system and database backups.
Access to customer data is only provided to authorized personnel.
Authentication & Single Sign-On (SSO)
We support SAML 2.0 based Single Sign-On (SSO) integrations with many of the large identity providers, such as Okta, OneLogin, ADFS, and Google. This allows for simplicity and a better user experience, as a user only needs to keep track of one login credential.
Logins are based only on HTTPS requests, and each user session requires an authentication token.
Customers assign administrators in their organization to the Salsify product. These administrators set up user groups for their organization, usually based on the function of the group (e.g., Marketing Team). Permissions are defined at the user group level and individuals are assigned to the appropriate group(s).
Application logging occurs using a combination of service providers. Logs are used for troubleshooting, issue resolution and forensic analysis by our development and security teams.
We retain the logs based upon our retention policy.
If you need to report a security concern, please email email@example.com.