Data Security
& Privacy

Get Resource

Get Resource

Visit page

Please speak with a Poppulo representative for this documentation.

Please speak with a Poppulo representative for this documentation.

Please speak with a Poppulo representative for this documentation.

Please speak with a Poppulo representative for this documentation.

Please speak with a Poppulo representative for this documentation.

Poppulo hosts data at co-located data centers as well as AWS and Azure data centers depending upon the solution. These datacenters have been certified in ISO27001, and/or are SSAE16 (SOC 1 & 2) compliant. Learn more about AWS physical controls here and about Azure physical controls here.

Data center security includes onsite 24/7 security staff and monitoring, fencing, badge requirements, and other physical security measures. Learn more about AWS physical controls here and about Azure physical controls here.

Poppulo leverages datacenters in the NA(North America), EMEA(Europe, the Middle East and Africa), and AP(Asia Pacific) regions. Data is not replicated between regions and data storage is isolated to a given jurisdiction based on customer preferences. More information can be found in the Trust portal here(Whistic).

Security reviews are conducted on all vendors with any access to our service or systems data to minimize security risk.

Poppulo has a dedicated security team ensuring security risk is minimized across the organization.

Poppulo's networks are protected through the use of AWS security services, advanced firewalls, load balancers, regular audits of all services, and network intelligence technolgies that monitor network traffic for malicious traffic.

Poppulo's networks consist of multiple zones in which different levels of security apply. All traffic between zones is encrypted and each zone has appropriate controls applied commensurate with the type of data processed and risk. Network monitoring and access controls apply to all zones.

Poppulo scans internally and externally for network vulnerabilities through the use of network scanning tools for expedient discovery of vulnerable and non-compliant systems in our networks.

As an addition to Poppulo's regular vulnerability scanning, we employ an industy recognized security vendor to conduct a penetration test of our networks annually.

A Security Incident Event Management (SIEM) system is utilized to gather comprehensive logs from production network resources and hosts. These logs are consolidated in one platform for advanced analysis and threat notification/response.

Poppulo leverages IDS/IPS internally in addition to host based protections through our datacenter environments. This includes 24/7 Endpoint Detection and Response (EDR).

Poppulo follows industry best practices including OWASP top 10 in keeping our security controls up to date. Security professionals stay current with possible threats to our environment through research, threat notifications, and provided training.

Poppulo leverages automated defenses as well as load balancers and AWS scaling and protection tools to mitigate DDoS attacks.

Access to Poppulo environments is managed through the principles of least privilege and need-to-know. Remote access to Poppulo networks requires multi factor authentication. Access is monitored and controlled by the appropriate resource owners, with audits conducted at regular intervals.

Poppulo deploys robust monitoring and logging practices for our environment. In the event that an alert is generated for a potential/acutal incident, the incident response team consisting of members from the cloud, network, and security teams is mustered immediately to assess the alert.

Poppulo encrypts all data in transit using TLS 1.2 (or higher) over HTTPS by default. This includes exncryption of emails to ensure the mitigation of Man in the Middle attacks. Exceptions may include Legacy services such as older versions of digital signage software.

Poppulo encrypts all data at rest using AES 256 by default.

Poppulo mantains several system-status websites that can be reviewed for system availability, scheduled maintenance, and service incident history.

www.poppulo.com/status
http://stats.pingdom.com/s8rlafb4kmnh

Poppulo employs rendundant networks and load balancers to ensure there is not a single point of failure. A robust Disaster Recovery Policy is also in place ensuring high availability.

Poppulo has a robust disaster recovery program that ensures recovery of services from disruptions such as hardware failure, natural disasters, and other unforseen catastrophes.

Poppulo commits to a Recovery Time Objective of 4 hours and a Recovery Point Objective of 24 hours.

Poppulo employs an SDLC that ensures trainging is completed for development team members in particular (including secure coding practices, OWASP Top 10 risk awareness, code security/quality expectations, etc.).

Poppulo utilizes modern open source frameworks to develop our software, with security controls built into the development cycle to ensure we protect our software against application threats such as the ones listed in OWASP top 10, and more.

Poppulo has a dedicated team that utilizes both peer review and automated checks to ensure code quality.

Production, Corporate, Staging and Development environments are kept separate on their own networks to prevent unauthorized access and unintended comingling of systems.

Poppulo employs third-party security tooling to run Dynamic Application Security Testing (DAST) which includes tactics such as OWASP top 10 and other tactics such as Cross-site request forgery (CSRF).

Poppulo employs third-party security tooling to run Static Application Security Testing (SAST) is supported using both manual and autmated methods.

in addition to continuous SAST, DAST, and SCA scanning, Poppulo employs an industry recognized third-party to conduct automated and manual pentests against the application annually.

Poppulo utilizes a third-party tool to conduct SCA scanning of all software components during development.

Poppulo supports integration with customer SAML2.0-based SSO or Okta integration, based on the utilized product.

Poppulo supports Yubikey MFA in the absence of SSO.

Poppulo applications allow customers to manage robust role-based access controls (RBAC) for the users within their instance of the application. Examples of roles within the email application include administrator (User with the highest level of authorization in application), and Subscriber (User that views content that has been created in the application).

Digital signage role axamples include: Administrators - Grants view, add, edit, and delete privileges to Content Manager,

Author - Grants view, add, edit, and delete privileges in areas to which they have been given access.

Contributor - Grants view, add, and edit privileges in areas to which they have been given access

Viewer - Has view-only access to areas to which they have been given access.

Poppulo scans all uploads to the email and feeds application for malware and other malicious data.

Poppulo supports IP whitelisting for further access control to customer accounts.

In order to facilitate the delivery of emails, Poppulo supports the configuration of DMARC policies including DKIM and SPF.