Skip to main content
All CollectionsWelcome to Pipeliner
Data Security and Backups
Data Security and Backups

Pipeliner implements and maintains thorough backup and data security practices. This article outlines those practices and procedures.

Updated over 11 months ago

Relationships are the backbone of the world’s most vital industries but managing them is far from a perfect science. Pipeliner is on a mission to revolutionize the underlying tools and processes to better help your business manage its relationships. To do so, we need to make sure your data is secure; protecting it is one of our most important responsibilities.

Pipeliner has designed platforms and applications to meet these requirements as well as exceeded relevant industry security protocols and standards. We’re committed to being transparent about our security practices and helping you understand our approach.

Security Governance

Pipeliner’s Information Security Committee (ISC) is a governing body consisting of cross-functional management representatives at Pipeliner led by Information Security Manager (ISM). The ISC meets on a regular basis to advise, prioritize, and enable the Information Security Program. The risk-driven Information Security Program includes administrative, technical, and physical safeguards to align with applicable requirements, standards, and best practices. Pipeliner maintains a comprehensive suite of information security policies that is regularly reviewed, updated, and approved on a predefined schedule.

Risk management serves as the foundation to Pipeliner’s Information Security Program with a defense in-depth approach. We conduct industry-standard security risk assessments periodically to identify, analyze, monitor, and respond to risk. Our multi-faceted approach also includes using multiple sources of input such as vulnerability assessments and other forms of security review to capture the holistic state of our security posture. Risk treatments are strategically planned and prioritized with key stakeholders to ensure alignment with security and business objectives. Cross-functional collaboration with the ISC is integral in the review and management of information security risk.

People Security

„People are our most important Asset“

Employee Background Checks

Before they join our staff, Pipeliner will verify an individual’s education and previous employment, and perform internal and external reference checks.

Where local labor law or statutory regulations permit, Pipeliner may also conduct criminal, credit, immigration, and security checks. The extent of these background checks is dependent on the desired position. All employees must read, upon being hired, Pipeliner’s Corporate Acceptable Use Policy (AUP) and Code of Use Good Judgment (CUGJ) accepting their security responsibilities.

Security Training for all Employees

All Pipeliner employees and contractors undergo security training as part of the orientation process and receive ongoing security training throughout their careers. During orientation, new employees agree to our Code of Conduct, which highlights our commitment to keep customer information safe and secure.

Depending on their job role, additional training on specific aspects of security may be required. For instance, the information security team instructs new engineers on topics like secure coding practices, product design and automated vulnerability testing tools.

Operational Security

Access Management

For Pipeliner employees, access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. All our personnel are required to use multi-factor authentication and strong passwords. Access to production infrastructure is strictly controlled by using VPN. Employee access to both corporate and production resources is subject to regular review.

For our customers, Pipeliner supports built-in login or SAML 2.0 for single sign on with multi factor authentication. Customers are empowered to create and manage users of their subscriptions and assign the privileges that are appropriate for their accounts and limit access to their data features. Access attempts are logged for review.

Vulnerability Management

We administrate a vulnerability management process that involves scans for security threats using commercially available tools, quality assurance processes, software security reviews. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The owner then tracks the issue and follows up frequently until they can verify that the issue has been remediated.

Malware Prevention

An effective malware attack can lead to account compromise, data theft, and possibly additional access to a network. Pipeliner takes these threats to its networks and its customers very seriously and uses a variety of methods to prevent, detect and eradicate malware.

Monitoring and Alerting

Pipeliner heavily invests in the automation of monitoring, alerting and response capabilities so that potential issues are continually addressed—in addition to automation of our build procedures. Engineers and administrators are alerted to anomaly occurrence—particularly application attacks, error rates, abuse scenarios.

Automatic responses and alerts to appropriate teams are triggered by these and other anomalies so that investigation and correction can occur. The occurrence of malicious or unexpected activities causes automated systems to bring in the right people to ensure the rapid addressing of the issue. There are also numerous automated triggers designed into the system so that unforeseen situations are immediately responded to.

Functions, traffic blocking, process termination and quarantine are activated at predefined thresholds so that protection of the Pipeliner platform against a broad variety of undesirable situations is assured.

Incident Management

We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. The Operations teams within Pipeliner provide 24x7x365 rapid response to all privacy and security events. Pipeliner’s rapid incident response program is repeatable and responsive. If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation.

All security-related incidents, either proven or suspected are reviewed by our Information Security Manager. Depending on the nature of the incident, affected customers are coordinated with using the most appropriate means.

Data Center Security

Pipeliner uses Amazon Web Service (AWS) in USA, Canada, Australia and Europe regions for our cloud infrastructure giving flexibility for our customers to choose a region of their choice. We do not move customer data between regions meaning a customer selecting USA will have their data stored and processed in the USA.

AWS’s data centers physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are available in case an incident occurs. Data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training.

All hardware is tracked and disposed of in a secured manner. To keep things running 24/7 and ensure uninterrupted services, data centers feature redundant power systems and environmental controls.

Encrypting data in transit and at rest

Pipeliner customers’ data and our own data is encrypted when it’s on a disk using AES-256bit encryption. Data in transit over the Internet, or traveling between data centers is encrypted using SSL/ TLS 1.2 or higher. Only standardized encryption protocols and algorithms are used. Passwords are stored securely using a one way hash.

Pipeliner security manages encryption keys for both at-rest and in-transit encryption. Our content delivery partner manages TLS private keys for in-transit encryption. A hardened Key Management System (KMS) stores keys for volume and field-level encryption. Rotation of keys depends upon the sensitivity of encrypted data. In general, TLS certificates undergo annual renewal. At this time, Pipeliner is unable to use customer-supplied encryption keys.

Recovery and highly available solution

Pipeliner designs the components of our platform to be highly redundant. Customer data is replicated synchronously in real-time over multiple geographically distributed data centers to minimize the effects of regional disruptions such as natural disasters and local outages. In the event of hardware, software, or network failure, automatic failover allows our customers to continue working in most cases without interruption. Our highly redundant design has allowed us to achieve an uptime upward of 99.95% for our service over the last years. Our production servers run stripped-down and hardened operating systems. Server resources are dynamically allocated, allowing for flexibility in growth and the ability to adapt quickly and efficiently, adding or reallocating resources based on customer demand.

Additionally, backup strategies are in place running on a regular basis using established frequencies and schedules. Thirty five days’ worth of backups are kept for any database, in a way that ensures point-in-time restoration can be easily performed. Backups are encrypted and monitored so that successful execution is assured. In the event of any exceptions, alerts are generated. Any failure alerts are escalated, investigated and resolved. Data is daily backed up to its local region. Periodic testing is carried out for successful recoverability.

Data Security

Data segregation

Customer data is logically separated using an unique key in our databases preventing data commingling. If customers prefer more stringent separation we could also set up isolated databases. We maintain separate production, staging and development environments and no customer production data is used in lower environments.

Employee access to customer data

No customer data persists on employee laptops. We apply the principle of least privilege in all operations to ensure confidentiality and integrity of customer data. All access to systems and customer data within the production network is limited to those employees with a specific business need. A best effort is made to troubleshoot issues without accessing customer data; however, if such access is necessary, such access is enabled based on customer request for a predefined time frame. When the time limit is reached, account access is revoked. Upon termination of work at Pipeliner, all access to Pipeliner systems is immediately revoked.

Data Retention and Destruction

Data retention policies are in place to make sure we retain data only up to 35 days post cancellation or termination of service. Thereafter, data will be securely deleted. Customers also can request data deletions and we would process the same day.

Audit trails

All actions taken to make changes to the infrastructure or to access customer data for specific business needs are logged for auditing purposes. In order to protect end user privacy and security, only a small number of senior engineers on the infrastructure team have direct access to production servers and databases.

Employee authentication

All access to the production servers and data is protected using network isolation and strong authentication mechanisms. A combination of strong passwords, passphrase-protected SSH keys, a Virtual Private Network (VPN), and two-factor authentication is used to shield mission critical systems.

Application Security

Secure Software Development Lifecycle

Standard best-practices are used throughout our software development cycle from design to implementation, testing, and deployment. All code is checked into a permanent version-controlled repository. Code changes are always subject to peer review and continuous integration testing to screen for potential security issues. All changes released into production are logged and archived, and alerts are sent to the engineering team automatically. Access to Pipeliner source code repositories requires strong credentials and two-factor authentication.

Secure by design

All features are reviewed by a team of senior engineers as soon as they are conceived. Members of the Pipeliner team have substantial experience working with and building secure technology systems. We believe in secure by design, hence we plan all functionalities with security in mind to protect the platform against security threats and privacy abuses. We leverage modern browser protections, such as Content Security Policy (CSP) and security HTTP headers to prevent Cross-Site Scripting (XSS), Clickjacking and other code injection attacks resulting from the execution of malicious content in the trusted web page context.

Security testing

Once features are implemented, we perform internal security testing to verify correctness and resilience against attacks. We follow the leading Open Web Application Security Project (OWASP) Testing Guide methodology for our security testing efforts. Discovered vulnerabilities are promptly prioritized and mitigated. In addition, we regularly engage top-tier third-party security companies to independently verify our applications.

Release Management

A rapidly advancing feature set is one of Pipeliner’s greatest advantages. Our products are constantly optimized through a delivery approach to software development that is modern and continuous. Hundreds of times daily, new code is proposed, approved, merged and deployed. Seamless updates are featured by Pipeliner, and because it is an SaaS application, minimum downtime is associated with releases. In-app messages and/or product update posts are used to communicate major feature changes.

Network Security

Web Application Firewall (WAF) is in place allowing only explicitly authorized ingress traffic.

Regulatory Compliance & Privacy

Pipeliner customers have varying regulatory compliance needs. Our clients operate across regulated industries. Our ISC team continuously monitors and responds to changes.

In Europe, Pipelinersales is compliant with GDPR.

Customer data privacy is a primary consideration at Pipeliner. As discussed on our privacy policy, personal data is never sold to third parties. Protections described in this document, as well as other designed and implemented protections, ensure that data remains unaltered and private. Customer needs and privacy considerations guide the design and building of Pipeliner products. Best practices, customers’ and their contacts’ needs, as well as regulatory requirements, are incorporated into our privacy program.

Third Party Vendor Management

We rely on several third-party vendors to deliver our service. Prior to onboarding third-party suppliers, Pipeliner conducts an assessment of the security and privacy practices of third-party suppliers to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.

Once Pipeliner has assessed the risks presented by the third-party supplier, the supplier is required to enter into appropriate security, confidentiality, and privacy contract terms. A list of sub-processors is all maintained within our Global Terms and Services.

Certifications (EN ISO 9001 & ISO/IEC 27001)

ISO 9001:2015

ISO/IEC 27001:2013

Pipeliner CRM is HIPAA Compliant

The Health Insurance Portability and Accountability Act (HIPAA) is designed to help protect people’s healthcare data. Organizations such as hospitals, doctors’ offices, health plans, or companies dealing with protected health information (PHI) are required to be HIPAA-compliant. This may also extend to companies that work with these businesses and come into contact with PHI on their behalf.

Contact Us For More Details › info@pipelinersales.com

FAQ

Data Security

How do you store customer data?

A multi-tenant, highly scalable SaaS solution is provided by Pipeliner. Access to authorized content is exclusively restricted by the Pipeliner user interface and APIs. There is no risk of data pollution or cross-subscription access. Incorporated into the design architecture are authorization rules which are continuously validated. In addition, application authentication and associated changes are logged.

Do you have separate environments for development, staging and production?

Yes, we have separate instances for development, staging and production with access controls and network level segmentation. No production data is used in lower environments.

Encryption

Do you encrypt data in transit and data at rest?

Yes. Pipeliner product sensitive interactions (for example authenticated sessions, API calls, etc.), are encrypted in transit with Transport Layer Security (TLS) version 1.2 or 1.3, and with 2,048-bit or better keys. TLS is also a default for any customers hosting websites on the Pipeliner platform.

Pipeliner leverages several technologies for encryption of at-rest data. AES-256 encryption is utilized to store platform data. User passwords are encrypted at rest and are hashed following industry best practices. Additional levels of both at-rest and in-transit encryption are utilized with certain email features.

How do you manage encryption keys?

Pipeliner security manages encryption keys for both at-rest and in-transit encryption.

Can customers provide our own encryption key?

At this time, Pipeliner is unable to use customer-supplied encryption keys.

Access Controls

Do you support multi factor authentication?

Yes. Pipeliner internal systems require multi factor authentication. Pipeliner administrators can configure Pipeliner subscriptions so that all users have two-factor authentication enabled.

What authentication methods you support?

Pipeliner users can be allowed to log in to their Pipeliner accounts using the built-in Pipeliner login, or Single Sign On (SSO). Default password policy cannot be changed by Pipeliner’s built-in login users. Advanced SAML-based SSO integrated with any SAML-based IDP is available at enterprise tier level with any hub.

Any customer utilizing an SSO provider can set up SSO-based login for their users, and instructions for doing so are available in the Pipeliner Knowledge Base. Users of SSO can configure a password policy with their SSO provider. Pipeliner customers who use the built-in login are encouraged to set up two-factor authentication for their Pipeliner accounts.

How do you manage access?

Granular authorization rules are allowed within Pipeliner. Customers are empowered to create and manage users of their subscriptions. Appropriate privileges to user accounts can be assigned, and access to data features can be limited.

Customers are empowered to create and manage users of their portals and assign the privileges that are appropriate for their accounts and limit access to their data features.

For Pipeliner employees, access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. All our personnel are required to use multi-factor authentication and strong passwords. Access to production infrastructure is strictly controlled by using a VPN. Employee access to both corporate and production resources is subject to regular review.

How do you control production system access?

Pipeliner system access follows the principle of least privilege, and is strictly controlled. A role-based access control (RBAC) model is used for granting access to Pipeliner employees. Day-to-day access is limited to only those employees whose jobs require it.

A best effort is made to troubleshoot issues without accessing customer data; however, if such access is necessary, such access is enabled based on customer request for a predefined time frame.When the time limit is reached, account access is revoked. Direct network connections to product infrastructure devices is prohibited for SSH or similar protocols. User-unique SSH keys and token-based two-factor authentication is used for server-level authentication. Employee access to both corporate and production resources is subject to regular review.

Disaster Recovery and Backups

Do you have a Disaster Recovery Plan (DRP)?

A disaster recovery plan is maintained by Pipeliner, and is tested annually.

What is your backup strategy?

Backups are performed on a regular basis using established frequencies and schedules. Thirty five days’ worth of backups are kept for any database, in a way that ensures point-in-time restoration can be easily performed.

Backups are monitored so that successful execution is assured. In the event of any exceptions, alerts are generated. Any failure alerts are escalated, investigated and resolved. Data is daily backed up to its local region. Periodically, backups are copied to separate AWS environment within the region so that recovery can occur in the event of a primary site outage. For replication failures, monitoring and alerting is in place and is triaged accordingly. Production data sets are stored on a highly available file storage facility, such as Amazon’s S3.

How do you protect backups?

Backups are protected, by default, through access control restrictions on the Pipeliner product infrastructure networks, and access control lists (ACLs) on file systems storing backup files. Backups adhere to data retention requirements and are deleted once no longer required.

Do you provide a customer backup option?

Yes. Some customers may additionally prefer to back up their data, and so Pipeliner provides methods for doing so. Your Pipeliner app contains export features, and the Pipeliner public API library may be utilized for data synchronization with other systems. For details about data backup, please refer to our knowledge base article on exporting your content.

Hosting

Where is Pipeliner infrastructure hosted?

Product infrastructure for Pipeliner resides in the following locations:

  • North America › Toronto, Canada

  • North America › Virginia, USA

  • Europe › Frankfurt, Germany

  • APAC › Sydney, Australia

Can customers select their preferred hosting region?

Yes, customers have the flexibility to select their preferred region from any one of the AWS regions Pipeliner use. Your CRM data will reside only in the region you’ve selected. EXAMPLE: If you are a customer from US, your data stays in US or if you are a customer in Europe, your data stays in Europe.

Certifications

What security certifications Pipeliner have?

We’re ISO 9001:2015 and ISO/IEC 27001:2013 certified.

Application Security

What are your application development and testing practices?

Standard best-practices are used throughout our software development cycle from design to implementation, testing, and deployment. All code is checked into a permanent version-controlled repository. Code changes are always subject to peer review and continuous integration testing to screen for potential security issues. All changes released into production are logged and archived, and alerts are sent to the engineering team automatically. Access to Pipeliner source code repositories requires strong credentials and two-factor authentication.

Once features are implemented, we perform internal security testing to verify correctness and resilience against attacks. We follow the leading Open Web Application Security Project (OWASP) Testing Guide methodology for our security testing efforts. Discovered vulnerabilities are promptly prioritized and mitigated.

What's your release management practices?

A rapidly advancing feature set is one of Pipeliner’s greatest advantages. Our products are constantly optimized through a delivery approach to software development that is modern and continuous. Hundreds of times daily, new code is proposed, approved, merged and deployed. Prior to deployment, testing (where applicable), code reviews and merge approval are performed.

HR Security

What are your hiring practices?

Before employment, Pipeliner will verify an individual’s education and previous employment, and perform internal and external reference checks. Where local labor law or statutory regulations permit, Pipeliner may also conduct criminal, credit, immigration, and security checks. The extent of these background checks is dependent on the desired position. All employees must read, upon being hired, Pipeliner’s Corporate Acceptable Use Policy (AUP) and Code of Use Good Judgement (CUGJ) accepting their security responsibilities.

Vulnerability Management

How do you approach vulnerability remediation?

Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The owner then tracks the issue and follows up frequently until they can verify that the issue has been remediated.

How often do you scan your network?

We administrate a vulnerability management process that involves scans for security threats using a combination of commercially available tools, quality assurance processes, software security reviews and external audits.

Incident Management

Do you have an Incident Management Plan?

Yes. We have a comprehensive Incident Management Plan in place reviewed annually.

Could you describe your incident management practices?

We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. The Operations teams within Pipeliner provide 24x7x365 rapid response to all privacy and security events. Pipeliner’s rapid incident response program is repeatable and responsive. If an incident occurs, the security team logs and prioritizes it according to its severity.

Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. All security-related incidents, either proven or suspected are reviewed by our Information Security Manager. Depending on the nature of the incident, affected customers are coordinated with using the most appropriate means.

As part of incident management, would you notify customers?

Depending on the nature of the incident, affected customers are notified using the most appropriate means. This would normally be within 48 hours after identifying a true incident.

Did this answer your question?