Security, Trust and Privacy @ Planbox
Built on a Foundation of Trust.
At Planbox, trust is woven into the fabric of everything we do. To keep your data safe and private, we deploy industry-leading safeguards and continuously monitor our systems, so you can rest easy knowing your most sensitive data is protected 24/7 in the cloud.
Features
Data encryption in transit and at rest
Encrypted full backup every 24 hours
Full data privacy and GDPR protection
Multi-layered security approach
Daily vulnerability scans and regular penetration tests
Enterprise, social and native Identity Management
Compliance with industry standards and regulations
SAML 2.0 SSO for Enterprise customers
We work to keep Planbox available 100% of the time
Security
More than a million active users and hundreds of companies in 120+ countries use Planbox to generate, manage and develop new ideas and creative solutions. These businesses trust Planbox to reliably store their content and files and provide secure access to their company data.
Data is transmitted to and from our servers over HTTPS and is encrypted in transit (TLS) using 256-bit AES (or stronger) encryption algorithms. All communications use SSL/TLS encryption, and all data is stored in SOC 1 Type II, SOC 2 Type I, and ISO 27001 certified data centers. Your data is stored and encrypted at rest using AES 256-bit encryption.
System Security
In the context of data privacy and GDPR, our customers serve as the data controller while Planbox is the data processor. This means you have full control of any of your data that resides on our servers.
Planbox can establish a Single Sign-On (SSO, using SAML 2.0) access scheme that allows you to use the login information in your own directory. Planbox can also authenticate users in other ways, including the Planbox authentication portal, social login, and invitation codes. Password management (also configurable) is based on your best-practice requirements and can be set to match your policies.
Because you control the data, you can perform the following security-related tasks without relying on us:
- Adding and removing users
- Creating, modifying and assigning security roles
- Configuring workflows and business rules
- Reviewing application activity audit logs and historical data
Organizational Security
Data Processing
Security begins on the first day. All Planbox employees and service providers receive security, privacy, and compliance training the moment they start. Security and data protection are everybody’s responsibility at Planbox.
This commitment to security extends to our executive committee. The Planbox Security Council, a cross-functional group of senior team members spanning the enterprise, oversees our security programs, embraces a standards-driven enterprise-wide security management approach, and ensures that security awareness and initiatives permeate throughout our organization.
Information Security Officer
Planbox employs an Information Security Officer who is responsible for advising the Company on all security matters, managing the overall strategic security program, performing security reviews, and ensuring non-public client and company data is adequately protected.
Staff
All staff have a responsibility to ensure the data they are exposed to is protected to the best of their abilities. The onboarding process also ensures staff are trained on the applicable security policies that they need to adhere to upon joining (and on an annual basis) and are required to give their written agreement that they understand them and will abide by them.
A key part of Information Security is staff education, so that all staff are fully aware of their responsibilities. Information Security Awareness training is performed for all staff at the time of hire and annually, and a confirmation of completion and understanding is recorded. A strong, documented starters and leavers process ensures system access is removed in a timely manner and all assets are returned.
Operational Security
Physical Security
Planbox applications are hosted on Microsoft Azure and Amazon Web Services, in state-of-the-art regional data centers designed to protect mission-critical systems with fully redundant subsystems and compartmentalized security zones. Our cloud data centers in the US, UK, EU, and Canada adhere to the strictest physical security measures including, but not limited to, the following:
- Multiple layers of authentication for server area access
- Two-factor biometric authentication for critical areas
- Camera surveillance systems at key internal and external entry points
- 24/7 monitoring by security personnel
- Highly restricted and stringently regulated physical access to the data centers
Network Security
Our networks are protected by powerful firewalls configured to follow industry best practices for network ingress/egress security. Planbox has established detailed operating procedures, security policies, and processes designed to:
- Ensure safety of all Planbox personnel, suppliers, partners and customers
- Control quality and maintain integrity of all Planbox information systems and services
- Provide continuous availability and optimized performance
We also implement intrusion detection / prevention systems to protect our service and a monitoring system that analyzes all activities on servers and triggers notifications to our engineers to quickly assess and respond to any service disruption issues or other events.
Vulnerability Assessment
Planbox also invests in penetration testing by an independent third party to ensure the integrity of its online defenses. Built-in validation for web vulnerabilities: all Planbox web controls have built-in validation for key web vulnerabilities such as cross-site scripting (XSS), redirection attacks, and SQL injection.
Application Security
Planbox has implemented multiple layers of security to control how data is viewed and accessed across all Planbox applications.
We have created clear, repeatable processes to help ensure that our development teams build security into our products and services. As part of our development lifecycle, every feature and system update includes an in-depth security risk assessment. In addition, both static and dynamic source code reviews and analysis are performed to ensure enterprise security is factored into any product update. Any issues identified during our code vulnerability scans are flagged to the development team for further review and mitigation. The development process is further reinforced by ensuring software developers are trained in the development of secure applications.
Role-based and Data Security
Planbox provides a data-based and role-based security and user access model. Each user has object-level (query/insert/delete/modify) rights. The security access manager validates every access request against the user’s rights, making it impossible to gain access to unauthorized objects and/or perform unauthorized actions. Security profiles can be assigned to groups or specific users and copied as required. Planbox also supports relationship-based security, allowing custom permissions on objects users own or are assigned to.
Audit Trail
The Planbox audit trail gives administrators full transparency on all user activity by any participant. The system records logins, system access, the history of a workflow entry, comments, ratings, and status changes, including detailed information about who made the change, the date and timestamp, and the location from which the change was made.
Privacy
Data privacy regulations are complex, vary from region to region and even country to country, and impose strict restrictions and obligations on your organization. When choosing an innovation management platform, businesses should select one that can comply with their data protection requirements and protect the privacy of their data. With Planbox, you have total control over the innovation management system’s privacy functionality and practices, enabling you to meet your privacy obligations.
Additionally, we provide our customers’ compliance and legal teams with the necessary resources and information to help them understand and validate the privacy and compliance requirements for their organization, as well as show how Planbox can help ensure they achieve their compliance objectives.
Privacy Program
Planbox invests heavily in technology, systems and practices to actively protect your data. The Planbox privacy program is founded on strict policies and procedures regarding access, use, disclosure, and transfer of customer data. The core of our privacy program is that Planbox employees do not access, use, disclose, or transfer customer data unless it is in compliance with a strict set of processes and agreements or at the official direction of the customer.
Only Planbox employees who have a valid business reason are granted temporary access to production systems. Planbox practices a policy of minimum rights with regard to application access. A formal user registration and de-registration procedure is in place for granting and revoking access to all information systems and services. Access to customer data is controlled by two-factor authentication and end-to-end encryption. This gives the user access to a Secure Management Console (SMC) where client data can be accessed but cannot be downloaded onto the user’s computer or any other type of removable media device.
Our internal administration process ensures that once the Security team is notified that a user has transferred departments, changed job responsibilities, resigned, taken a leave of absence or been terminated, prompt action is taken to delete or amend the user’s application access accordingly. Due to the very portable nature of laptops and smartphones, security controls over the data they contain must necessarily be stronger than those for desktop computers. Planbox has a strong Mobile Computing Policy to mitigate possible data loss that sets out requirements for users, including the physical security of devices in and out of the office, transportation, and the secure viewing of data.
Intellectual Property Protection
The development of a successful innovation management program hinges on the ability to successfully navigate the challenges of intellectual property conception, development and protection. Planbox provides a streamlined configurable system-wide or community-specific Intellectual Property Protection feature that protects both your organization and those who submit ideas. With Planbox, you create a secure collaborative workspace for internal resources and external innovators based on mutual trust and confidence that encourages everyone to participate, share their insights and develop innovative concepts.
Compliance
The Planbox cloud infrastructure, where all customer data is managed and stored, is hosted on Microsoft Azure and Amazon Web Services. These cloud service platforms meet a broad set of international and industry-specific compliance standards, such as the General Data Protection Regulation (GDPR), ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2. Rigorous third-party audits verify Azure’s and Amazon Web Services’ adherence to the strict security controls these standards mandate.
Planbox has also implemented the following internal controls to support and service its customers:
Trust Services Principles
Data and Privacy Support
Security Trust Assurance & Risk
Cyber Essentials Plus
Security and Data Protection
Information Security Certification