Security Overview

Peerfocus takes the security of our systems and our customers’ data very seriously. This document offers a high-level summary of Peerfocus’ security practices and policies.

Systems Security

Hosting/Physical access

The Peerfocus platform is hosted on dedicated servers at Equinix, a SOC 2-certified hosting company. Equinix manages physical access to our servers, and access is limited to Equinix staff. See details of Equinix’s security practices.

Encryption

All data in the Peerfocus platform is encrypted at rest using strong full-disk encryption on our servers. Data in transit is protected with strong encryption, both in usage of the platform and during administrative operations. Backups are encrypted as well, using strong algorithms and keys.

Application Security

Access control

All access to features and data in the Peerfocus platform is subject to role-based accesss control (RBAC). Our customer administrators define roles and assign them to users as desired.

Single Sign-On (SSO)

We support a variety of SSO integration options, including OAuth 2.0. Most of our customers opt to use SSO with their member management system as the identity provider.

Dependencies

Operating system patches are applied on a nightly basis. Application server patches are applied ASAP after their release, typically within one business day. We use Github’s Dependabot to ensure that our application software supply chain is up-to-date and secure.

Confidentiality

Customer administrators declare the confidentiality level of data collected within, or imported into, the platform. Raw confidential data is generally accessible only by high-level administrators and by the user(s) who originally shared that data. When confidential data is used for reporting and benchmarking purposes, strict standards are applied to ensure that only blended and anonymized data is used. We go to great lengths to prevent the possibility of deducing or deanonymizing individual data points.

Data Security

Data custody

Peerfocus platform data custody is primarily in the hands of Equinix, our hosting provider, and Singlebrook, our parent company. Limited data is shared with third parties for analytical and troubleshooting purposes. Our Privacy Policy includes more detailed information on this topic.

Data loss/backups

We implement multiple tiers of data backups, including warm, real-time, on-site backups and multiple off-site locations. Backups are strongly encrypted. The worst (plausible) catastrophic failure scenario would only result in a maximum of one hour of data being lost.

Tenancy

As is common for SaaS platforms, Peerfocus stores customer data in a unified, multi-tenant database and serves customers’ Peerfocus-powered sites from a single set of servers.

Other Policies

Incident handling

Our development team investigates any suspected or reported security incidents within one business day of our learning about them. We perform mitigation measures (including pausing operation of the platform if necessary) as quickly as possible during the course of our investigation. Affected (or potentially affected) customers are notified within 24 hours of the beginning of an investigation and are kept in the loop over time.

For More Information

More details on Peerfocus’s security stance are included in our HECVAT-Lite self-assessment, which is available to current customer administrators within the platform. That document is also available by request for prospective customers. Please contact us if you would like a copy.