Process Street’s Statement on Security

Introduction

We use Process Street every day to keep our team organized, connected, and focused on results. Ensuring our platform remains secure is vital to protecting our own data, and protecting your information is our highest priority.

Our security strategy covers all aspects of our business, including:

  • Process Street corporate security policies
  • Physical and environmental security
  • Operational security processes
  • Scalability & reliability of our system architecture
  • Data model access control in Process Street
  • Systems development and maintenance
  • Service development and maintenance
  • Regularly working with third-party security experts

Process Street complies with the latest industry standards, including SOC 2 Type II, GDPR, HIPAA, CCPA, and AWS CIS. Our SOC 2 report and additional compliance information are available upon request.

Process Street Compliance Standards

We continually exceed regulatory and compliance standards for data privacy and security, ensuring your data is managed with the highest standards in mind.

  • SOC 2 Type II: Process Street is SOC 2 Type II certified, demonstrating rigorous controls for safeguarding customer data, as verified by an independent auditor.
  • GDPR: We fully comply with the EU’s General Data Protection Regulation, ensuring that personal data collected from EU residents is handled responsibly. Our GDPR statement details how we manage and protect personal data.
  • HIPAA: For healthcare clients, we maintain HIPAA compliance. We offer a Business Associate Agreement upon request to further protect sensitive health information.
  • AWS CIS: Using the CIS AWS Foundations Benchmark, we implement best practices for AWS security, including robust configuration and monitoring.
  • CCPA: As part of CCPA compliance, we provide California residents with access, deletion, and opt-out options for their data. We prioritize transparency and control in data handling.

Artificial Intelligence and Data Use: Any data processed by Process Street’s AI features is strictly limited to its intended workflows. Data used within a workflow is exclusive to that workflow instance, ensuring complete confidentiality and privacy.

Process Street Corporate Security Policies & Procedures

Every Process Street employee is expected to respect the terms of our data confidentiality policies, available at process.st/terms and process.st/privacy. Access rights are based on each employee’s job function and role.

Security in our Software Development Lifecycle

Process Street uses the Git revision control system. Changes to Process Street’s code base go through a suite of automated tests and a round of manual review. When code changes pass the automated testing system, they are first pushed to a staging server, where Process Street employees can test them before an eventual push to production servers and our customer base. We also add a specific security review for particularly sensitive changes and features. Process Street engineers also have the ability to “cherry pick” critical updates and push them immediately to production servers.

We also work with third-party security professionals to test our web application security.

Process Street Architecture & Scalability

Scalability/Reliability of Architecture

Process Street uses Amazon Web Services (RDS & S3) to manage user data. The database is replicated synchronously so that we can quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database and securely move them to a separate data center so that we can restore them elsewhere as needed, even in the event of a regional Amazon failure.

We currently host data in secure SSAE 16 audited data centers via Amazon RDS.

Encrypted Transactions

Web connections to the Process Street service are via TLS 1.2 and above.

Information Security

Security Consulting and Application Review

We work with external security advisors, and have a responsible disclosure policy that allows security researchers to report vulnerabilities in our application.

Data Center Security

Amazon

Amazon employs a robust physical security program with multiple certifications, including an SSAE 16 certification. For more information on Amazon’s physical security processes, please visit aws.amazon.com/security.

Product Features

Administrator Management Features

Authentication – Process Street administrators can have employees authenticate via Google, Microsoft or SSO. If passwords are stored directly with Process Street, we secure them using salted bcrypt.

User Management – Administrators can see Last Activity, Guest/Member status, and deprovision users from a central administration interface.

User Features

Privacy, Visibility, & Sharing Settings – Customers determine who can access different categories of data like folders, templates, and checklists. You can limit a user’s access by inviting them as a Guest.

Privacy

Privacy Policy

Process Street’s privacy policy, which describes how we handle data input into Process Street, can be found at process.st/privacy.

Read our commitment to security and privacy as it relates to Process AI.

Availability

We are committed to making Process Street consistently available to you and your teams. Our systems have built-in redundancy to withstand failures and are constantly monitored to keep your work uninterrupted.

Want to report a security concern?

Email us at [email protected].
