Security

Last Updated: Apr 25, 2024

You entrust us with your data and it is our responsibility to keep it safe. We use a wide gamut of technologies, policies and practices to make sure you and only you have access to it.

Certifications

We have successfully demonstrated to third parties that we stand by our commitment to keep your data secure.

Systems and Organization Controls 2 (SOC 2)

SOC 2 logo

The SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants’ (AICPA) existing Trust Services Criteria (TSC). The purpose of this report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

As of Jan 2023, Padlet is SOC 2 Type 1 certified. We have successfully demonstrated to an auditor that we have the right policies in place, our systems are secure and our staff understand the importance of security.

We can send you a copy of the SOC 2 report upon request.

1EdTech Data Privacy and LTI certification

1EdTech Data Privacy badge

1EdTech is an organisation responsible for establishing and evaluating certification criteria for educational technology solutions.

Padlet has successfully completed the certification process to validate our adherence to 1EdTech’s strict data privacy standards. This means we have implemented robust security protocols and procedures to protect your data.

In addition, we have attained certification in 1EdTech’s Learning Tools Interoperability (LTI) standards that will help schools seamlessly integrate their EdTech tools with Padlet’s content.

Safer Technology 4 Schools (ST4S) Australia

Safer Technology for Schools Badge

Safer Technologies 4 Schools (ST4S) is a national service that assesses the safety of digital products and services used by Australian schools. Padlet’s product for schools, Padlet for Schools, has successfully qualified to be part of the ST4S Product Badge Program in 2020.

This means that we have undergone a rigorous assessment that indicates that Padlet for Schools, when used appropriately, does not present a significant safety or privacy risk to schools.

Security measures overview

We have listed here some of the security measures that we have put in place.

Technical measures

Encryption
  • We encrypt all data at rest using AES 256 bit encryption.

  • When you enter any information anywhere on the Service, we encrypt the transmission of that information using secure socket layer technology (SSL/TLS) v1.2 by default.

  • We encrypt all backups of the data. Our personal devices like mobile phones and laptops have data encryption turned on so that unauthorised users cannot access our data if the device is stolen.

  • We ensure user account passwords used in our application are stored and transferred securely using encryption and salted hashing.

Security testing
  • We operate a ‘bug bounty’ security program to encourage an active community of third-party security researchers to report any security bugs to us.

  • We conduct rigorous penetration tests annually to ensure our service is secured against known and potential attack vectors. The tests are conducted by a reputed external security agency.

  • We scan all files uploaded to our service for malware and quarantine them if required.

  • Our work devices have anti-virus protection turned on by default.

Resilience
  • We maintain backups at different time delays ranging from a few minutes to a few hours to a day so that we can effectively restore data to the closest recoverable point and minimise data loss in the case of a security event.

  • We maintain cross cloud backups to ensure the data is accessible in case of a major outage impacting one provider.

  • Backups are only retained for thirty (30) days and are securely deleted after that.

  • We have designed our architecture to be resilient against DDoS attacks. We publish our uptime stats at https://status.padlet.help/.

  • We have planned and documented disaster scenarios specific to our infrastructure and the steps needed to restore service to our users with the least possible downtime and data loss.

Physical measures

Data centers
  • Padlet is hosted on Google Cloud in the United States. Google maintains numerous certifications like ISO/IEC 27001 and SOC 2 to guarantee that our data is not any less protected than the bullion at Fort Knox. This includes secure perimeter defense systems, comprehensive camera coverage, biometric authentication, intrusion detection systems and a suite of other measures.
Our offices
  • The Service is hosted on servers at third-party facilities, with whom we have a contract providing for enhanced security measures. For example, personal information is stored on a server equipped with industry standard firewalls. In addition, the hosting facility provides a 24x7 security system, video surveillance, intrusion detection systems and locked cage areas. The Service provider is SOC 2 and ISO 27001 certified.

  • Padlet has its headquarters in San Francisco, United States and a regional office in Singapore.

    • The San Francisco office is located in Presidio which is a national park site. Access to the office is via an external door secured with a security lock. The access keys are only given to Padlet employees while they work at Padlet. The Presidio premise is monitored 24/7 by the Presidio Park Police.

    • The Singapore office is located in the Central Business District. Access to the Padlet office is via an external door secured with a security lock that can only be accessed by Padlet employees. There are other companies operating in the same building besides Padlet. All entry/exit points are monitored by CCTV cameras.

Organisational measures

  • We restrict access to personal information to authorized Padlet employees, agents or independent contractors who need to know that information in order to process it for us, and who are subject to strict confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

  • We require sub-processors to comply with security requirements via separate data processing agreements.

  • We use a Password Manager to secure usernames, passwords, and any other means of gaining access to the Services or to User Data, at a level suggested by Article 4.3 of NIST 800-63-3.

  • We require 2FA authentication to be enabled for all services where applicable.

  • We conduct training on data privacy and security for all our employees at least once annually.

  • We maintain security conscious policies like Encryption key management policy, Vulnerability Management, Acceptable Use, Business Continuity and Disaster Recovery and update it actively for robustness.

  • We have a documented offboarding procedure to be executed when an employee leaves the company. We remove all physical and digital access to our services as soon as an employee leaves.