We take security and privacy seriously
Information Security Policy
Information Pave Collects
- Information you give us from your API access from ATS (e.g. Lever), HRIS (e.g. BambooHR), and other systems you explicitly grant Pave access to including Confluence/Atlassian. Note that Pave does not explicitly collect any specific information from users in the Pave product.
- Information we get from your use of our Services. We may collect information about the Services that you use and how you use them, like when you visit our website, this information includes: 1) Device Information – we may collection device specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). We may associate your device identifiers with your account. 2) Log information – when you use our Services or view content that we provide, we may automatically collect and store certain information in server logs. This may include details of how you used our Services, such as Internet protocol address, and device event information such as crashes or other system activity.
- In general, Pave's policies are oriented towards US-based customers.
Sharing of Personal Information
Pave does not share your personal information with third parties other than as follows:
- When you give us your explicit consent to do so, including if we notify you through the Service that the information you provide will be shared in a particular manner and you provide such information.
- Customers of Pave's real-time benchmarking portal agree to allow Pave to anonymize the customer's data and provide it to other Pave customers in a manner that is fully aggregated and cannot be associated with a given company or individual at a company.
- With third party vendors, consultants and service providers who perform functions on our behalf, but we limit their use of the information as is reasonably necessary to carry out their work.
- When we believe in good faith that we are lawfully authorized or required to do so or that doing so is reasonably necessary or appropriate to comply with laws or respond to lawful requests, legal process or legal authorities.
- In extraordinary circumstances, such as to respond to an emergency or for reasons of national security, an urgent matter of public or individual safety or other issues of dire importance.
- In connection with, or during negotiations of, a merger, consolidation, sale of our corporate assets or equity, financing, acquisition, corporate reorganization, strategic alliance or in any other similar situation where personal information may be transferred as one of our business assets.
Third Party Links
Access to Customer Data
Pave limits its personnel’s access to Customer Data as follows:
- Requires unique user access authorization through secure logins and passwords that include the following password guidelines:
1) Users select their own passwords, to strictly avoid ever storing a password in plain text
2) Password requirements prevent weak passwords from being selected, both through dictionary exclusions (e.g. weak password blacklist) and complexity requirements
3) Password requirements enforce a minimum length of at least 8 characters
4) Passwords have a long maximum length of 64 characters
5) The authentication mechanism rate limit to mitigate the risk for any brute force attacks. If requested, we will happily provide the source code to verify these constraints.
- Limits the Customer Data available to Pave personnel on a “least privilege” principle;
- Restricts access to Pave's production environment by Pave personnel on the basis of business need; and
- Encrypts user security credentials for production access including login information. Read more here to learn how P chosen authentication method uses an internally modified version of scrypt to hash account passwords.
- Note that 100% of all customer data is stored entirely within Google Cloud infrastructure.
- Pave implements End-to-End Transport Layer Security (TLS) across the platform. To learn more about Google Cloud’s end-to-end encryption standards, read this page. Cloud Firestore automatically encrypts all data before it is written to disk.
- Pave creates an audit trail for each login for every single user (i.e., a record of employee login attempts onto the Pave platform).
- If the Customer requests this audit trail at any time, Pave will happily give this information to the Customer.
- Pave logically separates each of its customers’ data and maintains measures designed to prevent Customer Data from being exposed to or accessed by other customers.
Network Security, Physical Security and Environmental Controls
- Pave uses a variety of techniques designed to detect and/or prevent unauthorized access to systems processing Customer Data, including industry-standard firewalls. You can learn more about Pave's chosen firewall at https://www.sophos.com/en-us.aspx.
- Pave monitors privileged access to applications that process Customer Data, including cloud services. For every single request of Customer Data, Pave keeps an audit trail. Pave will happily share this audit trail with The Customer if requested.
- The Service operates 100% on Google Cloud and is protected by Google’s security and environmental controls. Detailed information about Google Cloud security is available at https://cloud.google.com/security. For Google Cloud SOC2 Reports, please see this page.
- Customer Data stored within Google Cloud is encrypted at all times. Google does not have access to unencrypted Customer Data at any time.
Independent Security Assessments
Pave periodically assesses the security of its systems and the Service as follows:
- Annual detailed security and vulnerability assessments of the Service conducted by independent third-party security experts that include a thorough code analysis and a comprehensive security audit.
- Bi-annual penetration testing of Pave systems and applications to test for exploits including, but not limited to, XSS, SQL injection, access controls, and CSRF.
- Daily vulnerability scanning through https://cloud.google.com/security-scanner
- Code Review of any new code added to the Service.
If Pave becomes aware of unauthorized access or disclosure of Customer Data under its control (a “Breach”), Pave will:
- Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.
- Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay. Notwithstanding the foregoing, Pave is not required to make such notice to the extent prohibited by Laws, and Pave may delay such notice as requested by law enforcement and/or in light of Pave's legitimate needs to investigate or remediate the matter before providing notice. 1) The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Breach; 2) A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known; 3) The scope of the Breach, to the extent known; and 4) A description of Pave's response to the Breach, including steps Pave has taken to mitigate the harm caused by the Breach.
- Pave provides training for its personnel who are involved in the processing of the Customer Data to ensure they do not collect, process or use Customer Data without authorization and that they keep Customer Data confidential, including following the termination of any role involving the Customer Data.
- Pave conducts routine and random monitoring of employee systems activity.
- Upon employee termination, whether voluntary or involuntary, Pave immediately disables all access to critical and noncritical systems, including Pave's physical facilities.
Changes to Pave's Information Security Policy
As the need arises, Pave may change its Policy at any time. We will provide notice of changes to our Policy by indicating on the Policy the date it was last updated and making the updated Policy available through our website. Your use of the Service or Software following the posting of the updated Policy constitutes your consent to all changes. We encourage you to review this Policy whenever you access or use our Service or Software to make sure you understand how personal information we collect may be used or disclosed.
De-Identified and Aggregated Data Policy
De-identification of Data
Records from the Customer’s data systems including ATS (e.g. Lever), HRIS (e.g. BambooHR), and others (such as Confluence) are completely de-identified from the individual and company before being distributed as part of the compensation benchmarking product.
Sale of Data
Pave strictly does not sell any individual Customer Data to another customer. If this changes in the future, Pave will require explicit approval of a Policy update from the Customer, and that Customer’s data will be de-identified before being sold to any other company.
Responsible Disclosure Policy
Data security is a top priority for Pave, and Pave believes that working with skilled security researchers can identify weaknesses in any technology. If you believe you’ve found a security vulnerability in Pave's service, please notify us; we will work with you to resolve the issue promptly.
- If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at firstname.lastname@example.org. We will acknowledge your email within 24 hours.
- Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one week of disclosure.
- Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Pave service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
While researching, we’d like you to refrain from:
- Distributed Denial of Service (DDoS)
- Social engineering or phishing of Pave employees or contractors
- Any attacks against Pave's physical property or data centers
Thank you for helping to keep Pave and our users safe!
If you have any questions or comments about this Policy or our practices relating to the Service or Software, or if you believe we have not complied with this Policy, please contact us at email@example.com.