Security

Last Updated: Jun 30, 2022

You entrust us with your data and it is our responsibility to keep it safe. We use a wide gamut of technologies, policies and practices to make sure you and only you have access to it.

Technical measures

Encryption
  • We encrypt all data at rest using AES-256.

  • When you enter any information anywhere on the Service, we encrypt the transmission of that information using Transport Layer Security (TLS, the successor to SSL) version 1.2 by default.

  • We encrypt all backups of the data. Our devices, such as mobile phones and laptops, have device encryption turned on so that an unauthorised person cannot access our data if a device is lost or stolen.

  • User account passwords for our application are never stored in plain text: they are stored as salted hashes, and they are only ever transmitted over encrypted connections.
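For readers who want to see what "salted hashing" means in practice, the following is an added example written for this page; it is not Padlet's code, and the scrypt parameters, record format and function names are assumptions chosen for illustration. It stores each password as a record carrying its own random salt and cost parameters, verifies with a constant-time comparison, and contrasts this with an unsalted digest, where two users with the same password would get the same stored value.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost parameters for hashlib.scrypt (not Padlet's settings).
# Memory use is roughly 128 * r * N bytes: 16 MiB here, within the
# default 32 MiB ceiling that hashlib.scrypt enforces.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex.

    The salt is generated fresh per call (i.e. per user) from os.urandom,
    so identical passwords produce different records. Storing N, r and p
    in the record lets the cost be raised later without breaking old rows.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_BYTES,
    )
    return "$".join(
        ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), salt.hex(), digest.hex()]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and parameters stored in the record.

    Malformed records are rejected rather than raising, and the final
    comparison uses hmac.compare_digest to avoid leaking, through timing,
    how many leading bytes of the guess matched.
    """
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False
    if scheme != "scrypt" or len(hash_hex) % 2:
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(hash_hex) // 2
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_digest(password: str) -> str:
    """What NOT to do: a plain SHA-256 is fast and salt-free, so equal
    passwords collide across users and precomputed tables apply."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample input for the demo.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                 # False
    # Two users, same password: salted records differ, unsalted digests do not.
    print(hash_password("hunter2") != hash_password("hunter2"))      # True
    print(unsalted_digest("hunter2") == unsalted_digest("hunter2"))  # True
```

The hashing happens on the server after the password arrives over TLS; hashing in the browser does not remove the need for transport encryption, because the transmitted hash would itself become the credential.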

Security testing
  • We operate a ‘bug bounty’ security program to encourage an active community of third-party security researchers to report any security bugs to us.

  • We conduct rigorous penetration tests annually, performed by a reputable external security firm, to ensure the Service is secured against known and potential attack vectors.

  • We scan all files uploaded to our service for malware and quarantine them if required.

  • Our work devices have anti-virus protection turned on by default.

Resilience
  • We keep backups at several intervals, from a few minutes to a few hours to a day apart, so that after a security event we can restore data to the closest recoverable point and minimise data loss.

  • We maintain cross cloud backups to ensure the data is accessible in case of a major outage impacting one provider.

  • Backups are retained for only thirty (30) days and are securely deleted after that.

  • We have designed our architecture to be resilient against DDoS attacks. We publish our uptime stats at https://status.padlet.help/.

  • We have planned and documented disaster scenarios specific to our infrastructure and the steps needed to restore service to our users with the least possible downtime and data loss.

Physical measures

Data centers
  • Padlet is hosted on Google Cloud in the United States. Google maintains numerous certifications, including ISO/IEC 27001 and SOC 2, that attest to the physical and operational controls protecting its facilities: secure perimeter defense systems, comprehensive camera coverage, biometric authentication, intrusion detection systems and a suite of other measures.

  • The Service is hosted on servers at third-party facilities with which we have a contract providing for enhanced security measures. For example, personal information is stored on servers protected by industry-standard firewalls. In addition, the hosting facility provides a 24x7 security system, video surveillance, intrusion detection systems and locked cage areas. The service provider is SOC 2 and ISO 27001 certified.

Our offices
  • Padlet has its headquarters in San Francisco, United States and a regional office in Singapore.

    • The San Francisco office is located in the Presidio, a national park site. Access to the office is via an external door secured with a security lock. Keys are issued only to Padlet employees, and only for as long as they work at Padlet. The Presidio premises are monitored 24/7 by the Presidio Park Police.

    • The Singapore office is located in the Central Business District. Access to the Padlet office is via an external door secured with a security lock that only Padlet employees can open. Other companies operate in the same building; all entry and exit points are monitored by CCTV cameras.

Organisational measures

  • We restrict access to personal information to authorized Padlet employees, agents or independent contractors who need to know that information in order to process it for us, and who are subject to strict confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

  • We require sub-processors to comply with security requirements via separate data processing agreements.

  • We use a password manager to secure usernames, passwords and any other credentials that grant access to the Services or to User Data, at the level suggested by Section 4.3 of NIST SP 800-63-3.

  • We require two-factor authentication (2FA) to be enabled on every service that supports it.

  • We conduct training on data privacy and security for all our employees at least once annually.

  • We maintain security policies covering encryption key management, vulnerability management, acceptable use, and business continuity and disaster recovery, and we review and update them regularly.

  • We have a documented offboarding procedure that is executed when an employee leaves the company: all physical and digital access to our services is revoked as soon as the employee leaves.