Data Security & Privacy for
Internal Communications
and Experiences

Please speak with a Poppulo representative for this documentation.

Please speak with a Poppulo representative for this documentation.

Please speak with a Poppulo representative for this documentation.

Please speak with a Poppulo representative for this documentation.

Please speak with a Poppulo representative for this documentation.

Poppulo hosts data at co-located data centers as well as AWS and Azure data centers depending upon the solution. These datacenters have been certified in ISO27001, and/or are SSAE16 (SOC 1 & 2) compliant. Learn more about AWS physical controls here: https://aws.amazon.com/compliance/data-center/controls/ and about Azure physical controls here: https://learn.microsoft.com/en-us/azure/security/fundamentals/physical-security

Data center security includes onsite 24/7 security staff and monitoring, fencing, badge requirements, and other physical security measures. Learn more about AWS physical controls here: https://aws.amazon.com/compliance/data-center/controls/ and about Azure physical controls here: https://learn.microsoft.com/en-us/azure/security/fundamentals/physical-security

Poppulo leverages datacenters in the NA(North America), EMEA(Europe, the Middle East and Africa), and AP(Asia Pacific) regions. Data is not replicated between regions and data storage is isolated to a given jurisdiction based on customer preferences. More information can be found in the Trust portal here(Whistic).

Security reviews are conducted on all vendors with any access to our service or systems data to minimize security risk.

Poppulo has a dedicated security team ensuring security risk is minimized across the organization.

Poppulo's networks are protected through the use of AWS security services, advanced firewalls, load balancers, regular audits of all services, and network intelligence technologies that monitor network traffic for malicious traffic.

Poppulo's networks consist of multiple zones in which different levels of security apply. All traffic between zones is encrypted and each zone has appropriate controls applied commensurate with the type of data processed and risk. Network monitoring and access controls apply to all zones.

Poppulo scans internally and externally for network vulnerabilities through the use of network scanning tools for expedient discovery of vulnerable and non-compliant systems in our networks.

As an addition to Poppulo's regular vulnerability scanning, we employ an industry recognized security vendor to conduct a penetration test of our networks annually.

A Security Incident Event Management (SIEM) system is utilized to gather comprehensive logs from production network resources and hosts. These logs are consolidated in one platform for advanced analysis and threat notification/response.

Poppulo leverages IDS/IPS internally in addition to host based protections through our datacenter environments. This includes 24/7 Endpoint Detection and Response (EDR).

Poppulo follows industry best practices including OWASP top 10 in keeping our security controls up to date. Security professionals stay current with possible threats to our environment through research, threat notifications, and provided training.

Poppulo leverages automated defenses as well as load balancers and AWS scaling and protection tools to mitigate DDoS attacks.

Access to Poppulo environments is managed through the principles of least privilege and need-to-know. Remote access to Poppulo networks requires multi factor authentication. Access is monitored and controlled by the appropriate resource owners, with audits conducted at regular intervals.

Poppulo deploys robust monitoring and logging practices for our environment. In the event that an alert is generated for a potential/actual incident, the incident response team consisting of members from the cloud, network, and security teams is mustered immediately to assess the alert.

Poppulo encrypts all data in transit using TLS 1.2 (or higher) over HTTPS by default. This includes encryption of emails to ensure the mitigation of Man in the Middle attacks. Exceptions may include Legacy services such as older versions of digital signage software.

Poppulo encrypts all data at rest using AES 256 by default.

Poppulo maintains several system-status websites that can be reviewed for system availability, scheduled maintenance, and service incident history. www.poppulo.com/status http://stats.pingdom.com/s8rlafb4kmnh

Poppulo employs redundant networks and load balancers to ensure there is not a single point of failure. A robust Disaster Recovery Policy is also in place ensuring high availability.

Poppulo has a robust disaster recovery program that ensures recovery of services from disruptions such as hardware failure, natural disasters, and other unforeseen catastrophes.

Poppulo commits to a Recovery Time Objective of 4 hours and a Recovery Point Objective of 24 hours.

Poppulo ensures development team members are trained on secure coding, OWASP Top 10, and code security expectations.

Modern open-source frameworks with built-in security controls protect against OWASP top 10 threats and more.

Dedicated QA teams leverage peer reviews and automation to uphold code quality.

Production, Staging, Development, and Corporate environments are isolated on separate networks to avoid cross-access.

Third-party tools run DAST scans targeting OWASP Top 10 and attacks like CSRF.

SAST is conducted both manually and automatically using third-party tools.

Annual automated and manual penetration tests are performed by recognized vendors.

SCA scanning is conducted on all software components during development using third-party tools.

Supports customer integration with SAML2.0-based SSO or Okta depending on product.

MFA using YubiKey is supported when SSO is not available.

Applications support granular RBAC including Admin, Author, Contributor, and Viewer roles for email and digital signage.

All uploads in the email and feeds apps are scanned for malware.

Supports IP whitelisting for enhanced access control to customer accounts.

Supports configuration of DKIM, SPF, and DMARC policies for email delivery protection.

Poppulo maintains comprehensive InfoSec policies reviewed annually and audited for ISO 27001 and SOC2 compliance. All employees are required to review and agree to these during onboarding and annually.

All employees undergo security awareness training during onboarding and annually. Developers receive quarterly training, and phishing tests and updates are conducted year-round.

Thorough background checks are conducted for all employees in compliance with applicable law to ensure suitability for employment.

Employees must agree to confidentiality terms before accessing sensitive data. Similar terms are included in vendor and customer contracts.