Encryption and Key Management

Governance

Human Resources Security

Identity and Access Management

Incident Response

Mobile Device Security

Privacy Management

Product Security

Risk Management

Secure System Development

Security Culture

Vendor Management

Business continuity is the ability of an organization to maintain essential functions during, as well as after, a disaster has occurred.

Business Continuity

Organization has instrumented an infrustructure monitoring system, e.g. PagerDuty, and has designated responsible workforce members for incident response.

Infrastructure Monitoring & Dedicated Response Team

Encryption keys for at-rest data are rotated frequently

Rotates At-rest Encryption Keys

Organization performs routine access control reviews for information systems. 

Perfoms Access Control Reviews

Organization routinely applies latest security patches to information systems. 

Performs Regular Security Updates

Organization monitors systems and networks for malicious activity or policy violations.

Host and/or Network Intrusion Detection

Encrypts Data At-rest

Organization requires all workforce members execute a confidentiality agreement prior to accessing organizational information systems.

Requires Confidentiality Agreement With Workforce Members

Organization prohibits workforce members from accessing organizational information or information systems from personal devices.

Prohibits Bring Your Own Device

Organization routinely performs penetration testing

Performs Routine Penetration Testing

Organization prohibits use of insecure encryption protocols such as SSL and TSL 1.0.

Strong TLS Protocols Required

Organization reviews the Business Continuity Plan and performs technical or tabletop testing exercises on a routine basis.

Conducts Business Continuity Training & Testing

Organization deploys information systems across multiple physical locations (e.g. Availability Zones on AWS)

Distrubution of Systems

Employee workstations used to store or access non-public information have full disk encryption enabled

Full Disk Encryption of Employee Workstations

Organization requires all workforce members complete Anti-phishing Training on a routine basis.

Anti-phishing Simulation and Training

Organization has created an Incident Response Plan designed to reduce the negative impacts resulting from a security or privacy incident.

Incident Response Plan

Organization has completed an audit or certification process for one or more of the following audit frameworks: ISO 27001:2013, HITRUST, SOC 2 TYPE II, FedRAMP, NIST 800-171)

Holds Audit Report or Certification from Major Audit Framework

Organization reviews common vulnerability databases and mailing lists on a routine basis.

Subscribes to Vulnerability Mailing Lists

Organization prohibits workfroce members from creating local copies of production data.

Forbids Local Download of Production Customer Data

Organization publicly shares software release notes for major product updates.

Publicly Available Release Notes

Organization publicly discloses data collection and processing methods to data subjects.

Public Privacy Policy

Organization performs routine backups of databases and other data stores. 

Automated, Distributed Backups

Organization requires access and access controls to abide by the principles of Deny-by-default, Need-to-know, and Least Privilege. 

Requires Strong, Role-Based Access Control Principles

Organization has implemented a risk management program in order to identify risks and treatment opportunities.

Risk Assessment and Treatment Program

Organization requires all non-trivial code changes be reviewed and approved prior to merge.

Requires Code Review Before Merge

Organization implements DDos avoidance/protection techniques such as network isolation, DNS Amplification or application load balancers on AWS.

DDos Avoidance and Protection

Workforce members are required to use a password manager such as 1Password for managing account credentials.

Requires Password Manager for Workforce Members

Organization audits security configuration of all workforce phones and tables used to access organizational information or information systems.

Enforces Strong Mobile Device Security Configuration MDM

Organization encourages responsible disclosure of suspected vulnerabilities and awards researchers a cash bonus for reporting vulnerabilities.

Responsible Disclosure/Bug Bounty Program

Organization publicly discloses Government Request activity.

Government Requests Transparency

Organization has commited to service uptime greater than 99%.

99+% Uptime Service Level Agreement

Organization prohibits use of shared accounts for systems that maintain sensitive data.

Restricts Shared Accounts

Organization''s sytem development procedures ensure strong password and authentication requirements. 

Requires Strong Password and Authentication Requirements

Organization requires all non-trivial code changes to be unit and/or acceptance tested. 

Automated Testing

Organization routinely performs internal audits in order to ensure effective operation of their compliance and security pgoram.  

Routine Internal Audits

Organization only uses encryption technologies based on standard algorithms approved in FIPS 140-2.  

Requires Strong Encryption Algorithms

Organization utilizes strong encryption methods for transfer of any non-public information outside of the organizations'' network.

Encrypts Data In Transit

Organization reviews the Incident Response Plan and performs functional or tabletop testing exercises on a routine basis.

Conducts Incident Response Training & Testing

Organization routinely performs host and/or network vulnerability scans.

Performs Automated Host/Network Vulnerability Scans

Services deployed by organization support Multifactor Authentication (MFA), a security system that requires more than one method of authentication.

Supports MFA

Organization publicly shares system status updates & availability incidents. 

Publicly Available Status Page

Organization performs professional-reference and criminal background screens on all prospective employees and contractors that require access to non-public data. 

Performs Due Diligence in Hiring Workforce Members

Organization prohibits attempts to interfere with reporting of security or policy incidents

Prohibits Retaliation Against Whistleblowers

Organization routinely performs web application vulnerability scans.

Performs Automated Application Vulnerability Scans

Services deployed by organization support Single Sign-On (SSO) from providers such as Okta or OneLogin.

Supports SSO

Organization has created a Business Continuity Plan designed to reduce disruptions in uptime as a result of an incident. 

Business Continuity Plan

Organization requires all workforce members complete Privacy and Security Awareness Training on a routine basis.

Security & Privacy Training

Organization audits security configuration of all laptops and workstations used to access organizational information or information systems. 

Enforces Strong Workstation Security Configuration by MDM

Organization maintains host-level and application-level event logs.

Host and Application Audit Logging

Organization is not the subject of any Privacy violation investigations. 

Investigations for Privacy Violations

FedRAMP simplifies security for the digital age by providing a standardized approach to security for the cloud.

FedRAMP

SOC 2 Type 1

ISO 27001

SOC 1 Type 2

GDPR

HITRUST

HIPAA

SOC 3

SOC 2 Type 2

FISMA

SOC 1 Type 1

EU-US Privacy Shield

Swiss-US Privacy Shield

Cloud Security Alliance

CCPA

Pendo provides software product managers and teams with a powerful integrated platform to better understand and improve the product experience. Without requiring any engineering resources, organizations can use Pendo to extend their product to capture ...

Pendo.io

PRIVACY SHIELD

Pendo complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom and/or Switzerland, as applicable to the United States in reliance on Privacy Shield. Pendo has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/ .

Pendo remains responsible for any of your Personal Data that is shared under the onward transfer principle with third parties for external processing on our behalf, as described in the “DOES PENDO SHARE MY PERSONAL INFORMATION?” section below.

In compliance with the Principles, Pendo commits to resolve complaints about our collection or use of your personal information. If you are a resident of the European Union or Switzerland with inquiries or complaints regarding your personal data within the scope of Privacy Shield, you should contact Pendo’s Data Protection/Compliance Officer at [email protected] Under Privacy Shield, organizations must respond to individuals within 45 days of receiving a complaint. Pendo will endeavor to respond to your inquiry promptly.

If we are unable to resolve any complaint related to Privacy Shield or if we fail to acknowledge your complaint in a timely fashion you may refer a complaint to your local data protection authority. Pendo has committed to cooperate with the panel established by the EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU or Switzerland. We will work with them to address complaints and provide appropriate recourse free of charge to you. In certain circumstances, Privacy Shield provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Principles.

Pendo’s Privacy Shield compliance is subject to the investigatory and enforcement powers of the Federal Trade Commission. We may be required to disclose Personal Data that we handle under the Privacy Shield in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

PRIVACY SHIELD

Pendo complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Frameworks (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom and/or Switzerland, as applicable to the United States in reliance on Privacy Shield. Pendo has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/ .

Pendo remains responsible for any of your Personal Data that is shared under the onward transfer principle with third parties for external processing on our behalf, as described in the “DOES PENDO SHARE MY PERSONAL INFORMATION?” section below.

In compliance with the Principles, Pendo commits to resolve complaints about our collection or use of your personal information. If you are a resident of the European Union or Switzerland with inquiries or complaints regarding your personal data within the scope of Privacy Shield, you should contact Pendo’s Data Protection/Compliance Officer at [email protected] Under Privacy Shield, organizations must respond to individuals within 45 days of receiving a complaint. Pendo will endeavor to respond to your inquiry promptly.

If we are unable to resolve any complaint related to Privacy Shield or if we fail to acknowledge your complaint in a timely fashion you may refer a complaint to your local data protection authority. Pendo has committed to cooperate with the panel established by the EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU or Switzerland. We will work with them to address complaints and provide appropriate recourse free of charge to you. In certain circumstances, Privacy Shield provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Principles.

Pendo’s Privacy Shield compliance is subject to the investigatory and enforcement powers of the Federal Trade Commission. We may be required to disclose Personal Data that we handle under the Privacy Shield in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

FREQUENTLY ASKED QUESTIONS
 * Where does Pendo store data? 
 Data submitted to Pendo, and Pendo’s application are hosted and stored in a secure, multi-tenant environment provided by Google’s Cloud Platform. Data is stored for each customer using separate Google AppEngine namespaces, and a variety of techniques for logical separation, to ensure that no data is co-mingled. Currently, the Google physical architecture that hosts Pendo is located in the United States.
 
 * Is the data encrypted? 
 All data hosted by Pendo is encrypted. Pendo uses industry-accepted encryption products to protect data at rest, with 256 bit AES encryption. All data transfers within the data center are secured by SSL. All of the Customer Data collected by Pendo is transmitted over SSL if the customer application is accessed via SSL.
 
 * Does Pendo collect any personally identifying 
 information? 
 The only identifying information that Pendo requires is a unique user ID for your end users. All other information is optional (but will provide for richer analysis and segmentation). Pendo does not collect any user-entered form field text in your application. You should avoid sending any of the following types of sensitive personal information to Pendo: government-issued identification numbers; specific financial information (such as credit or debit card numbers, any related security codes or passwords, and bank account numbers); information related to an individual’s physical or mental health; and information related to the provision or payment of health care.
 
 * How long does Pendo store customer information? 
 Pendo retains all customer data as long as you are an active subscriber. All data will be removed from Pendo starting 90 days after a subscription is cancelled. Pendo customers can request that specific records in their data be removed based on the request of an individual who is the subject of that data. Specific record removal may incur additional charges depending on your plan level.
 
 * Does Pendo support single sign on and/or 2-factor authentication? 
 You are in control of and responsible for user authentication. Access to Pendo requires an email address and password combination. We encourage you to use strong passwords. Alternatively, depending on your plan level, you can choose SAML for single sign-on or Google-based logins. Administrators can disable password-based logins, and require authentication through Google. Authentication through Google supports two factor authentication, as do many SAML implementations.
 
 * Is Pendo SOC 2 compliant? 
 Pendo has completed a SOC 2 Type 2 audit that included all five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy with no exceptions in related controls. In addition, Google AppEngine is SOC 2, SOC 3, ISO 27001, FISMA, and PCI compliant.
 
 * Is Pendo GDPR Compliant? 
 While there is no 3rd-party verified certification for GDPR compliance, Pendo is committed to acting in accordance with the GDPR regulations for all of our users - not just those in the EU. We are partnering with our customers to ensure the privacy and security of their and their customer’s data, and have implemented a number of data acquisition, access, and retention policy changes. See this article for additional detail about our GDPR support.
 
 * Does Pendo conduct security audits? 
 Pendo undergoes third-party penetration testing on an annual basis.
 
 * Will Pendo slow down my application? 
 Pendo is designed to minimize the impact on your application. The client-side agent is only about 50 Kb and loads asynchronously. Data transmissions are queued and sent to the server every 2 minutes. Data is compressed before sending so that each transmission is less than 2 Kb.
 
 * How is the client agent distributed? 
 The JavaScript code is hosted and deployed in Amazon’s Cloudfront Content Distribution Network (CDN), with an extremely broad network of servers and edge caching to ensure rapid loading times. Amazon service level agreements guarantee 99.9% uptime for the agent delivery.
 
 * How will guides and walk-throughs affect my application? 
 Guides load with the Pendo agent. They will not be displayed until the current page is finished loading. The typical response time for guides is sub-second with guides almost always delivered in less than half a second.

FREQUENTLY ASKED QUESTIONS
 * Where does Pendo store data? 
 Data submitted to Pendo, and Pendo’s application are hosted and stored in a secure, multi-tenant environment provided by Google’s Cloud Platform. Data is stored for each customer using separate Google AppEngine namespaces, and a variety of techniques for logical separation, to ensure that no data is co-mingled. Currently, the Google physical architecture that hosts Pendo is located in the United States.
 
 * Is the data encrypted? 
 All data hosted by Pendo is encrypted. Pendo uses industry-accepted encryption products to protect data at rest, with 256 bit AES encryption. All data transfers within the data center are secured by SSL. All of the Customer Data collected by Pendo is transmitted over SSL if the customer application is accessed via SSL.
 
 * Does Pendo collect any personally identifying 
 information? 
 The only identifying information that Pendo requires is a unique user ID for your end users. All other information is optional (but will provide for richer analysis and segmentation). Pendo does not collect any user-entered form field text in your application. You should avoid sending any of the following types of sensitive personal information to Pendo: government-issued identification numbers; specific financial information (such as credit or debit card numbers, any related security codes or passwords, and bank account numbers); information related to an individual’s physical or mental health; and information related to the provision or payment of health care.
 
 * How long does Pendo store customer information? 
 Pendo retains all customer data as long as you are an active subscriber. All data will be removed from Pendo starting 90 days after a subscription is cancelled. Pendo customers can request that specific records in their data be removed based on the request of an individual who is the subject of that data. Specific record removal may incur additional charges depending on your plan level.
 
 * Does Pendo support single sign on and/or 2-factor authentication? 
 You are in control of and responsible for user authentication. Access to Pendo requires an email address and password combination. We encourage you to use strong passwords. Alternatively, depending on your plan level, you can choose SAML for single sign-on or Google-based logins. Administrators can disable password-based logins, and require authentication through Google. Authentication through Google supports two factor authentication, as do many SAML implementations.
 
 * Is Pendo SOC 2 compliant? 
 Pendo has completed a SOC 2 Type 2 audit that included all five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy with no exceptions in related controls. In addition, Google AppEngine is SOC 2, SOC 3, ISO 27001, FISMA, and PCI compliant.
 
 * Is Pendo GDPR Compliant? 
 While there is no 3rd-party verified certification for GDPR compliance, Pendo is committed to acting in accordance with the GDPR regulations for all of our users - not just those in the EU. We are partnering with our customers to ensure the privacy and security of their and their customer’s data, and have implemented a number of data acquisition, access, and retention policy changes. See this article for additional detail about our GDPR support.
 
 * Does Pendo conduct security audits? 
 Pendo undergoes third-party penetration testing on an annual basis.
 
 * Will Pendo slow down my application? 
 Pendo is designed to minimize the impact on your application. The client-side agent is only about 50 Kb and loads asynchronously. Data transmissions are queued and sent to the server every 2 minutes. Data is compressed before sending so that each transmission is less than 2 Kb.
 
 * How is the client agent distributed? 
 The JavaScript code is hosted and deployed in Amazon’s Cloudfront Content Distribution Network (CDN), with an extremely broad network of servers and edge caching to ensure rapid loading times. Amazon service level agreements guarantee 99.9% uptime for the agent delivery.
 
 * How will guides and walk-throughs affect my application? 
 Guides load with the Pendo agent. They will not be displayed until the current page is finished loading. The typical response time for guides is sub-second with guides almost always delivered in less than half a second.

PROTECT YOUR CUSTOMERS’ PRIVACY AND REDUCE SECURITY RISK

Pendo invests heavily in security certifications, third-party audits, and dedicated data protection officer (DPO) and chief information security officers (CISO) to ensure the integrity and privacy of your data.

Certifications and support
SOC 2 Type 1 and Type 2, EU/US Privacy Shield, GDPR, HIPAA

DPO and CISO
Security policies are defined and managed at the executive level.

Encryption and access controls
All customer data is protected in Google Cloud Platform using industry best practices.
 Trust & security at Pendo 

ACHIEVE YOUR GOALS WITH DEDICATED SERVICES AND SUPPORT

Pendo offers onboarding specific to your objectives. Professional services ensures you’ve implemented effectively, your data sources are well integrated, and your team is trained on best practices for creating guides and hitting goals. And our success team is always focused on meeting your needs, no matter how complex.

“96% of Pendo customers see ROI in the first 12-18 months with 70% seeing ROI in the first 6-9 months”

Validated Source: TechValidate
 
Insights - Analytics to understand what users are doing across the journey
 
Sentiment - Surveys to capture how users feel about their experience
 
Guidance - Onboarding and messaging to drive readiness and utilization
 
Feedback - Demand intelligence to discover what segments want next
 
Roadmap - Product planning to set, track, and communicate priorities
 
Want to learn more? Get in touch today!
 Get a Demo 
By continuing to use the site, you agree to the use of cookies. more information Accept

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

 Close

PROTECT YOUR CUSTOMERS’ PRIVACY AND REDUCE SECURITY RISK

Pendo invests heavily in security certifications, third-party audits, and dedicated data protection officer (DPO) and chief information security officers (CISO) to ensure the integrity and privacy of your data.

Certifications and support
SOC 2 Type 1 and Type 2, EU/US Privacy Shield, GDPR, HIPAA

DPO and CISO
Security policies are defined and managed at the executive level.

Encryption and access controls
All customer data is protected in Google Cloud Platform using industry best practices.
 Trust & security at Pendo 

ACHIEVE YOUR GOALS WITH DEDICATED SERVICES AND SUPPORT

Pendo offers onboarding specific to your objectives. Professional services ensures you’ve implemented effectively, your data sources are well integrated, and your team is trained on best practices for creating guides and hitting goals. And our success team is always focused on meeting your needs, no matter how complex.

“96% of Pendo customers see ROI in the first 12-18 months with 70% seeing ROI in the first 6-9 months”

Validated Source: TechValidate
 
Insights - Analytics to understand what users are doing across the journey
 
Sentiment - Surveys to capture how users feel about their experience
 
Guidance - Onboarding and messaging to drive readiness and utilization
 
Feedback - Demand intelligence to discover what segments want next
 
Roadmap - Product planning to set, track, and communicate priorities
 
Want to learn more? Get in touch today!
 Get a Demo 
By continuing to use the site, you agree to the use of cookies. more information Accept

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

 Close

website

tags

Last Updated

Pendo.io

Summary

EU-US Privacy Shield

Swiss-US Privacy Shield

GDPR

SOC 2 Type 2

HIPAA

SOC 2 Type 1

EU-US Privacy Shield

EU-US Privacy Shield

Swiss-US Privacy Shield

Swiss-US Privacy Shield

SOC 2 Type 2

SOC 2 Type 2

HIPAA

HIPAA

SOC 2 Type 1

SOC 2 Type 1