
Pendo
- Website: https://www.pendo.io
- Trust Center: https://pendo.trust.page
- Compliance
- CCPA
Please refer to this page to learn about California Resident Rights.
- CSA STAR - Level 1
Pendo is a corporate member of the Cloud Security Alliance (CSA) and is part of CSA's Trusted Cloud Provider program. Pendo maintains a copy of its CSA Consensus Assessment Initiative Questionnaire (CAIQ) in the CSA Star Registry.
- Product Security
- Audit Logs
Pendo logs and stores every change, every action and every event, including the deletion of data, for easy auditing and root cause analysis.
- Multi-Factor Authentication
Pendo customers can choose to use multi-factor authentication for their access to Pendo's service by either using SAML to integrate with their own identity management system, or by using Google SSO.
Also note that Pendo employees use multi-factor authentication for access to all systems containing customer and other sensitive data.
- Data Security
- Data Encrypted At-Rest
All data hosted by Pendo is encrypted. Pendo uses industry-accepted encryption products to protect data at rest, with 256-bit AES encryption.
- Data Encrypted In-Transit
TLS 1.2/1.3 and HTTPS are used to protect data in transit.
- Privacy
- Data Retention Policy
By default, we retain Personal Data about you for 7 years as long as you have an open account with us or as otherwise necessary to provide you with our Services. In some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally.
- Incident Management & Response
- Data Breach Notification
- Incident Response Plan (IRP)
Policies and procedures for operational and incident response management require incidents to be logged and reviewed with appropriate action (e.g. system changes) taken if necessary.
A formal incident response plan and standard incident reporting form are documented to guide employees in the procedures to report security failures and incidents. The incident response plan enforces a process of resolving and escalating reported events. Its provisions cover the need to inform internal and external users of incidents, advising them of corrective actions to be taken on their part, and a “post mortem” review requirement.
- Availability & Reliability
- Auto Scaling
Pendo is designed for uninterrupted uptime and enterprise scale, processing millions of events per hour and billions per day, with no degradation of performance.
- Service Monitoring
Pendo utilizes tools that measure processing queues to verify the timeliness of processing incoming data while monitoring real-time results. Data loss during processing is detected and automatically triggers an alert to the Engineering team, which addresses it. When processing errors occur within Pendo’s application, the change management process is followed: a change ticket is initiated, and the error is investigated and resolved.
- Organizational Security
- Confidentiality Agreements
- Employee Background Checks
Members of the Pendo workforce that may have access to data that customers submit to Pendo's services (e.g., operations engineers) are background checked as permitted by applicable law and sign confidentiality agreements.
- Business Continuity
- Business Continuity Plan
Pendo maintains a written Business Continuity Plan that documents the organization’s processes for triaging, remediating, and recovering from catastrophic incidents or disasters that may affect critical business processes.
- Data Backups
Pendo services are deployed into multiple physically separate zones within Google Cloud Platform (GCP) regions. Data is replicated in near real time across multiple zones. Any zone can fail and the service continues to operate normally.
In addition, critical settings and customer subscription configurations are backed up on at least a daily basis. Backup system settings are reviewed and monitored on a weekly basis to ensure this is operating effectively.
- Infrastructure
- Multi-Tenant Architecture
Data submitted to Pendo and Pendo’s application are processed and stored in a secure, multi-tenant environment. Logical segmentation techniques, such as having separate namespaces for each customer, are used to prevent co-mingling of customer data.
- ISO 27001 - Data Center
- Threat Management
- Penetration Testing
On at least an annual basis, Pendo undergoes third-party penetration testing using well-established consulting firms. Management addresses all vulnerabilities identified within defined timeframes based on severity level, which is determined using the Common Vulnerability Scoring System (CVSS). A summary of the annual penetration test report can be provided under NDA.
- Vulnerability Scanning
On at least a weekly basis, Pendo executes vulnerability scans to detect vulnerabilities in Pendo’s application. Dynamic and Static Application Security Testing (DAST and SAST) tools are used to conduct these scans.
- Subprocessors