ActiveProspect Security
We know that the security and availability of your business data are extremely important. We proactively monitor our IT environment and systems and continuously evaluate our security practices, taking reasonable steps to maintain this trust and our security position.
Need to report a security vulnerability?
Please see our Responsible Disclosure policy below.
Security Overview
SUMMARY
ActiveProspect has achieved Service Organization Control (SOC) 2 Type II compliance for our SaaS platform solutions. The SOC 2 Type II report is an independent and detailed audit review measuring the operating effectiveness of ActiveProspect’s internal controls around the AICPA’s trust services criteria for security and service availability of our platform solutions.
If you have any questions, please contact [email protected].
SYSTEM SECURITY
Our systems are located on a private, isolated network, with only customer-required services exposed to the public Internet. We patch our systems on an ongoing basis to defend against current exploits. Servers are monitored by an intrusion detection system, and defended from web attacks by a web application firewall. Regular third-party penetration testing and ongoing automated vulnerability testing are performed on our systems.
AVAILABILITY
Customers rely on the ActiveProspect platform 24/7/365. Since we launched LeadConduit in 2004, high availability has been a top priority. Our infrastructure is designed to scale with customer demand and our team monitors performance around the clock. Because we stand behind our track record, the uptime of our platform is published online and available to the public at status.activeprospect.com.
DATA SECURITY
Keeping customer data safe is a top priority at ActiveProspect. We work hard to protect our customers from the latest threats. Data is encrypted in transit and at rest. Our API endpoints require at least TLS 1.2 and a secure cipher. Our systems reside in a SOC 2 compliant datacenter. Access is restricted to properly credentialed datacenter employees.
EMPLOYEE ACCESS
Our employees may occasionally need access to accounts for support or troubleshooting purposes. ActiveProspect employees have undergone background checks before being granted internal access to our systems. Access is granted using the principle of least privilege. All employees are required to use strong passwords, which are reset every 90 days, and MFA in order to gain access to our applications.
CREDIT CARD SECURITY
We do not store credit card information on our systems. When you enter a credit card number for payment, it is transmitted directly from your browser to our payment processor, which stores your data on its PCI compliant infrastructure.
RESPONSIBLE DISCLOSURE OF SECURITY VULNERABILITIES
We appreciate those in the information security community who reach out to us and disclose potential vulnerabilities they have found in a responsible manner. Please send urgent or sensitive reports directly to [email protected]. Use our public key to keep your information safe and please provide us with a secure way to respond. Our security office and select software development team members monitor that email address, and we work to acknowledge your message as quickly as possible, typically within eight hours (and no longer than 72 hours). We’ll work with you to make sure that we understand the scope of the issue, and that we fully address your concern. Please act in good faith towards our users’ privacy and data during your disclosure. We won’t take legal action against you or administrative action against your account if you act accordingly. White hat researchers are always appreciated. We’ll gladly give appropriate credit for responsible disclosure of significant vulnerabilities.
THANKS!
Special thanks to the following individuals, who have responsibly disclosed vulnerabilities in the past:
- Tejash Patel | @Tejash1991
- Anand Prakash | @sehacure
- Kamil Sevi | @kamilsevi
- Muhammad Waqar | @MuhammadWaqar_9
- Ehraz Ahmed | @ehrazofficial | https://ehraz.co
- Jay Turla | @shipcod3 | Blog
- Jose Pino | @Fr4phc0r3
- Sahil Saif | @bewithsahilsaif
- Ishan Anand | Zero-Access
- Vikas Anil Sharma | Vikzzzzzz
- Vinod Tiwari | @war_crack
- Shivam Kumar Agarwal | @netanalysts
- Nithish Varghese | @nithish.varghese
- Ala Arfaoui | Ala Arfaoui
- Sarwar Jahan M | @sarwarjahanm
- Guilherme Scombatti | [email protected]
- Harry M. Gertos | @GertyBoy27
- Ketankumar B. Godhani | @KBGodhani
- Alexander Sidukov | @cyberopus
- Rasi Afeef
- Vismit Sudhir Rakhecha | LinkedIn
- Shivam Kamboj Dattana | @sechunt3r
- Pal Patel | LinkedIn
- Vasim Shaikh | LinkedIn
- Aayush Babbar | http://aayushbabbar.com
- M.Harsha Vardhan | FB
- Gamiel Xavier V. Manbiotan | @GamielManbiotan
- Mobeen Tariq | FB
- Huzaifa Tahir
- Adam Baldwin | @adam_baldwin
- Sanjay Singh Jhala | @NotHumanNinja
- Ishwar Prasad Bhat | FB
- Sadik Shaikh | https://www.extremehacking.org
- Havoc Guhan | FB
- Shwetabh Suman | @Shwetabhsuman11 | FB
- Nikhil Sahoo | FB | LinkedIn
- Ipsita Subhadarshan Sahoo | FB | LinkedIn
- Siva Krishna Samireddi | FB
- Pethuraj M | https://www.pethuraj.in
- Ashish Kunwar | @D0rkerDevil
- Prashant Jadon | LinkedIn
- Pritam Mukherjee | LinkedIn
- MD Ridoy Khan | LinkedIn
- Farhan Islam Shafin | @shafinxcvi
- Jaya Lakshmi | LinkedIn
- Vitesh Walunj
- Mohan Kumar | LinkedIn
- Chirag Agrawal | LinkedIn
- Hasibul Hasan Rifat | @rifatsec
- Jayalakshmi | LinkedIn
- Mohan Kumar N | LinkedIn
- Subhamoy Guha | LinkedIn
- Muzammil Salim | LinkedIn