Our approach to information security
PlusPlus maintains administrative, technical, and physical controls as part of a documented and certified information security program under ISO 27001 and SOC2 Type 2 or similar established industry standards. PlusPlus regularly reviews controls to assess compliance with applicable law and sufficiency in light of the (a) size and nature of PlusPlus business; (b) resources available to PlusPlus; (c) nature of the information that PlusPlus stores; and (d) need for security, confidentiality and privacy for such information.
PlusPlus information security program is governed by PlusPlus Security Council under the leadership of the Information Security Department, which is responsible for overseeing and enforcing security training; physical and environmental security controls; systems access controls; security incident procedures; contingency planning and business continuity; audit controls; data integrity protections; systems testing and monitoring; and procedures for secure data destruction. PlusPlus information security program includes the following sections:
Security Training and Software Coding Standards
PlusPlus employees and contractors participate in annual security awareness training and agree to comply with published security policies. PlusPlus regularly conducts mandatory secure development training for all developers. In addition, PlusPlus has adopted secure coding standards, developed in accordance with the OWASP Top 10 and SANS guidelines, which define the security principles, standards, guidelines, and best practices for secure code development.
Physical and Environmental Security Controls
PlusPlus limits access to PlusPlus facilities to authorized and badged individuals. PlusPlus policies require that visitors are registered, recorded, and accompanied at all times. PlusPlus’ Cloud Application Platform comes with its own Environmental Safeguards, including physical security, fire detection and suppression, power backup, and climate and temperature controls.
Access to PlusPlus systems is further restricted to individuals with a legitimate business need and appropriate approval(s). PlusPlus requires that all access rights be assigned based on the “least privilege” principle and removed when no longer necessary. PlusPlus physical security controls include, but are not limited to logging and monitoring unauthorized access attempts to facilities.
Systems Access Controls
PlusPlus limits access to PlusPlus information systems to named and authorized individuals with a legitimate business need and appropriate approval(s). PlusPlus requires a two-factor (also known as, two-step and multi-factor) authentication safeguard for all privileged administration of its platform, systems, or any of the underlying infrastructure. PlusPlus default configuration limits individual customer access to specific customer-approved SSO domains, and PlusPlus recommends to its customers that they use the same default limitations.
Security Incident Procedures
PlusPlus security incident response plan includes procedures to be followed in the event of a security breach of applications or systems that access, process, store, communicate, or transmit customer data. PlusPlus incident response plan includes the following procedures:
- Respond. Assemble internal incident response team.
- Validate. Qualify the existence of security event(s).
- Scope. Assess impact.
- Contain. Limit impact and the potential damage and preserve evidence.
- Report. Determine if regulatory or contractual reporting requirements exist based on the nature of the incident and perform appropriate notifications.
- Recover. Restore normal service and analyze the incident for potential legal action.
- Improve. Perform root cause analysis, determine lessons learned and implement strategic remediation.
PlusPlus provides appropriate communications to affected customers in the event of a security incident compromising such customer’s data.
Contingency Planning and Business Continuity
PlusPlus maintains policies and procedures for responding to emergency situations (e.g., fire, vandalism, system failure, and natural disaster) that could damage or otherwise compromise customer data. Such procedures include, but are not limited to:
- Continuously backing up production file systems and databases.
- Employing a formal business continuity and disaster recovery plan, including:
- Periodic disaster recovery testing for SaaS services.
- Contingency plans for each key business function, including customer support, operations, and administrative functions, to continue critical business and service activities through certain emergency situations
- Crisis communication plans to provide appropriate communications to affected parties.
- Maintaining a formal process to evaluate PlusPlus contingency planning and business continuity policies.
PlusPlus maintains the hardware, software, and procedural mechanisms to record and examine activity in information systems that contain or use electronic information, including appropriate audit tail logs and reports concerning these security requirements.
These controls are designed to provide deep insights into:
- Modification, addition, or removal of key system components
- Unauthorized modifications of data and configurations
- Breadth of attack impact and the point of source
Data Security Controls
PlusPlus maintains policies and procedures to ensure the confidentiality, integrity, and availability of customer data.
PlusPlus requires that all access rights to customer data be assigned based on the “least privilege” principle and removed when no longer necessary.
Customer data in the PlusPlus cloud is firewalled on a secured, DDoS-protected network; safeguarded by industry-standard SSL/TLS encryption in transit and at rest; and fortified using industry-standard network intrusion detection and/or network intrusion prevention systems. This helps ensure that access to data is always available and that all data is consistent, trustworthy, and accurate.
PlusPlus cloud provider utilizes malware detection systems, which include mathematical threat prediction models intended to help prevent the execution of predicted, novel, or targeted malicious threats.
Testing and Monitoring
PlusPlus regularly tests key controls, systems, and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified. Internal audits are conducted on an ongoing basis and independent third-party audits are conducted annually and more frequently as needed, based on the results of periodic risk assessments and continuous monitoring of the threat landscape.
PlusPlus monitors its systems, logs, and events, including by:
- Reviewing changes affecting systems handling authentication, authorization, and auditing.
- Reviewing privileged access to PlusPlus production systems.
- Engaging third parties to perform network vulnerability assessments and penetration testing on a regular basis.
Furthermore, PlusPlus leverages Cloudflare for proactive risk identification, real-time attack blocking, and web-application firewalling of all access to its systems.
Other than in exceptional circumstances, PlusPlus purges all customer data upon verification that the relevant contract has been validly terminated and the relevant customer data is no longer required.
PlusPlus standards for secure destruction of data are based upon guidance from NIST Special Publication 800-88, Revision 1 (2014): Guidelines for Media Sanitization or similar industry standards established in the future.
Customer trust and confidence are critical to PlusPlus and its customers’ continued success. Both providers and consumers of SaaS services must understand that security is a shared responsibility. As a SaaS provider, PlusPlus is responsible for secure delivery of PlusPlus SaaS services, which include the underlying infrastructure required to deliver such services. As a SaaS consumer, the customer is responsible for data provided to PlusPlus and non-PlusPlus services that are integrated with PlusPlus services.
Appendix: Security Roadmap
PlusPlus considers safeguarding of our customers data our top priority, and, as outlined in this document, has implemented various measures and controls to proactively reduce security risks. That said, the company also recognizes that our customers and stakeholders often need us to demonstrate provable security, in order for them to further reduce their exposure and satisfy their compliance requirements. As a result, PlusPlus has kicked off an initiative to acquire and maintain independent validation of our security posture.
The timeline for this effort is expected to be as follows:
- Select a compliance preparation and automation platform vendor. The shortlist includes: Drata, Vanta, and Laika. Target: October 31, 2021.
- Get audit-ready. Target: December 31, 2021.
- Review and update (as needed) all existing information security policies and procedures.
- Integrate with our hosting, backoffice, and HRIS infrastructure for real-time monitoring and evidence collection.
- Create a single real-time dashboard of our security posture and audit readiness.
- Get a detailed risk assessment, determine any necessary remediations, and implement necessary changes and controls.
- Implement automated daily tests of our security controls.
- Select a CPA firm for SOC2 audit. Target: January 30, 2021.
- Get SOC 2 Type 1 attestation report from a CPA firm. Target: March 31, 2022
- Get SOC 2 Type 2 attestation report from a CPA firm. Target: September-December 31, 2022
- Consider establishing a program for ongoing penetration testing / vulnerability assessment from independent 3rd party security researchers (e.g. Inspectiv). Target December 31, 2022.