PandaDoc stores document data such as metadata, activity, original files, and customer’s data in different locations while also compiling and generating documents when requested. All data in each location is encrypted at rest with AES-256 and sophisticated encryption keys management.
Your document security is a top priority at PandaDoc. Your business documents contain information that only you and your clients need to see, and we intend to keep it that way. Every day we ensure that our security is parallel with industry standards and compliance.
PandaDoc is fully committed to helping healthcare providers protect patients’ healthcare information when sending ePHI via PandaDoc. PandaDoc is compliant with HIPAA and the Privacy Rule, as well as the Administrative Safeguards, Physical Safeguards and Technical Safeguards of the Security Rule.
PandaDoc is SOC 2 Type II certified. We can provide an SSAE 18 SOC 2 report and attestations of compliance, upon request. PandaDoc services are hosted on the Amazon AWS platform and this document details the ways in which we leverage the massive investments that Amazon continues to make in security to the benefit of our customers.
PandaDoc recognizes that protecting privacy requires a holistic security program. We’ve completed extensive research and created a resources page with detailed information explaining what GDPR is and how PandaDoc is compliant.
PandaDoc data centers (handled by Amazon AWS) are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure.
PandaDoc currently uses third-party Subprocessors to provide various business functions after due diligence to evaluate their defensive posture and executes an agreement requiring each Subprocessor to maintain minimum acceptable security practices.
PandaDoc helps schools facilitate electronic communication between educators, administrators, and school districts and parents and students in full compliance with FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) as to protect the privacy of student education records.
Servers and networking
All servers that run PandaDoc software in production are recent, continuously patched Linux systems. Additional hosted services that we utilize, such as Amazon RDS, S3 and others, are comprehensively hardened AWS infrastructure-as-a-service (IaaS) platforms.
Coding and testing practices
PandaDoc leverages industry standard programming techniques such as having a documented development and quality assurance processes, and also following guidelines such as the OWASP report, to ensure that the applications meet security standards.
We follow the principle of least privilege in how we write software, as well as the level of access employees, are instructed to use in diagnosing and resolving problems in our software and responding to customer support requests.
The production network segments are logically isolated from other Corporate, QA, and Development segments.
Customer payment information
System monitoring and alerting
At PandaDoc, the production application and underlying infrastructure components are monitored 24/7/365 days a year, by dedicated monitoring systems. Critical alerts generated by these systems are sent to 24/7/365 on-call DevOps team members and escalated appropriately to operations management.
Service levels and backups
PandaDoc infrastructure utilizes many layered techniques for increasingly reliable uptime, including the use of auto-scaling, load balancing, task queues, and rolling deployments. We do full daily automated backups of our databases. All backups are encrypted.
Web application security is evaluated by the development team in sync with the application release cycle. This vulnerability testing includes the use of commonly known web application security toolkits and scanners to identify application vulnerabilities before they are released into production.
The PandaDoc web application is multi-tiered into logical segments (front-end, mid-tier, and database), each independently separated from each other in a DMZ configuration. This guarantees maximum protection and independence between layers.
Responsible Vulnerability disclosure
In case you found a vulnerability, please follow Responsible Vulnerability Disclosure Process to report it to our Security team.