    Security and Reliability

    Compliance

    At Salsify, we know your content, product information and personal data/information relating to your customers are some of your organization's most valuable assets. We are committed to protecting your data and the investment you’ve made in our technology and infrastructure. Here are some key security best practices and compliance tools that we employ which we can publicly share.

    ProductXM and SupplierXM

    Salsify has achieved SOC 2 Type II compliance for its ProductXM and SupplierXM platforms. Salsify certifies its systems annually to AICPA SOC 2 Type II, successfully auditing the operational and security processes of our service and our company. You can request a copy of our SOC 2 Type II report through your Salsify sales or customer success contact.

    The information security management system that governs the controls around our ProductXM and SupplierXM platforms is based on ISO 27001:2013. This certification demonstrates our expertise in securely managing information technology systems.

    Download the ISO 27001 certificate

    Security

    People can be your greatest asset but also your greatest security risk. We work hard to make sure that everyone in our organization completes annual security awareness training. New hires are trained as well.

    Our business continuity plans and physical security safeguards help ensure that people know what to do during a non-system event.

    Our office is secured by security keycode access and other security protection methods. Employees have individual key cards to access our floor.

    We conduct thorough background checks on all of our employees prior to employment, including criminal and personal reference checks.

    Off-boarding procedures are put in place so that access is terminated when someone leaves the organization.


    Standardized Security Processes

    Salsify maintains standard security policies and processes. The policies, standards, and procedures are reviewed at least annually and updated as necessary. Our security framework is built on NIST 800 recommendations.

    Salsify arranges for rigorous third-party security assessments to be conducted at least once per year, including network and application vulnerability assessment, penetration testing, and auditing of application security framework controls. A letter of attestation for the test can be furnished upon customer request.

    We have formal, management-approved Incident Response and Security Incident Response plans. The Incident Response Plan defines the roles and responsibilities of the Incident Commander and supporting roles, the response process (including customer notification), and a postmortem process to capture remediation actions. The Security Incident Response Plan defines the Security Incident Response Team (SIRT) roles and responsibilities, as well as the response plan steps.

    Software Development Lifecycle (SDLC)

    Salsify uses an agile development process with Continuous Integration (CI). Our CI pipeline includes separate development, staging, and production environments, which allows access controls to be applied per environment.

    Security is built into each step of our process. Data handling, code deployment, configuration, and patch management each follow the security best practices outlined in our security policies and SDLC.

    Our SDLC requires code review and approval for all changes, as well as a green build on all automated tests in our CI environment before deployment. All developed code is reviewed manually and automatically tested for potential security vulnerabilities. We strive to follow OWASP (Open Web Application Security Project) best practices.

    Identified and confirmed security vulnerabilities go through an impact and risk assessment. Patches or other means of remediation are first deployed in a development environment, tested in staging, and then sent into production.

    In addition, automated application penetration tests are run internally on a regular basis.

    Administrative Controls

    Salsify follows the principle of “least privilege”. Our practice is to issue credentials only to the individuals and systems that absolutely need access to a system or resource. Access can only be granted by a member of our Operations team and is tracked for auditing purposes. Administrators can revoke access at any time, which supports our off-boarding process.


    High-Availability Architecture

    Salsify hosts all services on resilient and elastically scalable infrastructure, using a fault tolerant application architecture. This ensures high availability and consistent application performance, as described in our Terms of Service.

    Our cloud service providers adhere to industry standard compliance, certifying in ISO 27001, SOC 2 or similar. We obtain and review these reports on an annual basis to confirm compliance.

    All SSL/TLS certificates are created and renewed with a 2048-bit key length and SHA-256.

    Our keys are encrypted and stored using a key management service.

    Disaster Recovery

    Our infrastructure architecture supports a recoverable process. Automated data backups, documented recovery procedures, and annual testing ensure that we have everything in place in the event of a disaster.

    Salsify has a defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for our service.

    Authentication & Authorization

    Salsify uses a cloud service provider solution that includes multi-factor authentication for access to environments. User-defined groups and roles follow our “least privilege” concept.

    Remote access to infrastructure is restricted to authorized users and is available only through our VPN.

    Log monitoring is in place and we retain audit logs in accordance with our retention policy. Any suspicious activity or unauthorized access triggers alerting to our operations staff. The security team is engaged, as necessary, per our Incident Response plan.

    Passwords are rotated on a regular cadence for staff who support our infrastructure.

    Customer Data

    We host customer data in a multi-tenant environment. Data segregation is supported at the application level, per customer. This prevents the potential of exposing customer data to unauthorized users at other organizations.

    All traffic is encrypted with a minimum of TLS 1.2. Salsify implements the latest encryption algorithms, and we test and upgrade to newer, more secure standards as they become available. We currently use 256-bit AES encryption, including the key management service that is part of our cloud service provider’s offering.

    Data is also encrypted at rest, including our system and database backups.

    Access to customer data is only provided to authorized personnel.

    Authentication & Single Sign-On (SSO)

    We support SAML 2.0 based Single Sign-On (SSO) integrations with many of the large identity providers, such as Okta, OneLogin, ADFS, and Google. This simplifies access and improves the user experience, as a user only needs to manage one set of login credentials.

    Logins are made only over HTTPS, and each user session requires an authentication token.

    Authorization

    Customers assign administrators in their organization to the Salsify product. These administrators set up user groups for their organization, usually based on the function of the group (e.g., Marketing Team). Permissions are defined at the user group level, and individuals are assigned to the appropriate group(s).

    Logging

    Application logging uses a combination of service providers. Logs are used for troubleshooting, issue resolution, and forensic analysis by our development and security teams.

    We retain the logs based upon our retention policy.

    If you need to report a security concern, please email security@salsify.com.

    If you would like to report a security-related bug or configuration issue, please review our Responsible Disclosure Guidelines prior to submitting your report.

    For privacy questions or concerns, please refer to our privacy policy.

    Privacy

    GDPR

    Salsify’s IAM system provides a strong foundation for GDPR compliance and can help reduce your risk. You can learn more and download Salsify’s GDPR-compliant DPA by clicking the link.

    CCPA

    As of January 1, 2020, Salsify updated its privacy policy and necessary internal procedures to comply with CCPA.

    Sub-Processors

    To deliver platform services, we leverage selected sub-processors to support certain functionality. The services we engage may change over time as the platform evolves, but a current list of sub-processors is maintained here.

    Data Subject Requests

    You may submit Data Subject Access Requests (DSAR) here.

    Agreements

    Terms of Service (TOS)

    Data Processing Agreement (PDF)

    US Mutual Non-Disclosure Agreement (PDF)

    EMEA Mutual Non-Disclosure Agreement (PDF)