The Security Policy was updated on January 9, 2024 to reflect Predictive Index, LLC's acquisition of Charma, and the rebranding of Charma to PI Perform.
Effective Date: December 5, 2023
Please see here for The Predictive Index's complete Security Policy.
Predictive Index (PI) is committed to the security of customer information. PI has a dedicated security team for protecting customer information, and the team accomplishes this through its mission of creating and nurturing a culture of security. The team leadership brings a wealth of experience from critical infrastructure, defense, and high technology sectors, and has drawn from this to build highly effective security and privacy programs.
Auditing and Compliance
After months of hard work and rigorous testing, the Predictive Index officially received ISO-27001 verification on 01/31/2022. ISO-27001 is a widely-recognized, international standard for data security in information technology. Certification requires annual inspections and will remain valid until 01/30/2025.
On top of our certification, we also perform 3rd party penetration tests annually, and frequent internal audits and security assessments. For critical services, we utilize vendors that have strong security track records, such as Microsoft Azure for product hosting and Auth0 for identity and access management.
Data Center Security
Our product environment is in Microsoft Azure. We mainly utilize the Azure Platform as a Service (PaaS) offerings for our product. Utilizing PaaS and not traditional VMs significantly reduces our threat surface. We extensively leverage Azure’s advanced security features such as Identity Protection to secure our product infrastructure.
We have strict access controls in the production environment, based on the principles of Need to Know and Least Privilege. Only The Predictive Index employees who have the need to access the production environment for legitimate purposes such as deploying and troubleshooting the application have access. They receive the least privileges they need to accomplish their legitimate purpose.
We have established a cross-departmental Azure Governance Team that owns the roadmap of our Azure infrastructure and ensures that security is built in at the architecture level.
System and Network Security
We maintain an accurate inventory of our systems and perform full lifecycle management, including performing timely patching and decommissioning systems that are near the end of their support period.
We have an effective Vulnerability Management program that includes frequent scanning and agent-based collection of security data from the network and the endpoints. This network and endpoint data is automatically correlated against threat information to identify and prioritize vulnerabilities based on risk. The results are reviewed at least weekly, and new issues are remediated expeditiously, in a timeframe proportional to the severity of the issue.
We have strong encryption for the data at rest (while it is stored) and in transit (while it is being transmitted). Our production assets only allow TLS 1.2 or above.
Access to stored customer data is on a Need to Know basis. Personnel typically authorized for access are Customer Support and Engineering Developers while troubleshooting issues, and DevOps personnel for deploying services.
We have strong security controls in the product, including Role-Based Access Control (RBAC), Data Segregation, Data Anonymization, and Login Attack Protection.
The PI application’s RBAC has six different user roles, helping ensure that our customers have the ability to provide their users the right level of access. The PI RBAC also has a role for 3rd party users, enabling our customers to securely share data with consultants.
Our data segregation features provide the ability to restrict access to the data within the application. This enables our customers to segregate data, for instance, by organizational unit or geographical location, so that only users that are responsible for those organizational units or geographical locations could be provided access to the data.
We have thoughtful privacy features in the product. For example, we have an “Anonymize Personal Data” feature in our product to remove the personal information of selected users from the system. We are committed to adding security and privacy features like these to allow our customers greater control of their data.
We utilize industry-leading Auth0 as the identity and access management partner in our product. User logins into our application are secured by Auth0. Our product utilizes the Auth0 attack protection features in order to prevent malicious activities such as brute-forcing.
Secure Software Development
PI performs secure software development that aligns with the NIST Secure Software Development Framework (SSDF). As part of this, we take a full-lifecycle approach to security. This includes the security team working closely with product management and product design teams to design security into new features that are being considered, and working with customer support to identify new security feature requirements.
We subscribe to the “shift left” philosophy of catching security issues earlier in the development process. In keeping with this philosophy, we perform extensive and frequent security testing, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA). We test WebApps as well as APIs for security flaws. Our security tests include automated testing that is incorporated into the DevOps pipeline. Security quality gates are applied to the automated tests, so that the developers are alerted about failing tests and the issues are remediated before merging.
We have a dedicated security issues backlog and a portion of our Engineering development resources is allocated to security tasks. This shows clear organizational commitment to security. Having a preset allocation enables important security fixes or features to be implemented without having to compete with product feature requests.
Security Education and Awareness
We provide annual security awareness training that is mandatory for all employees. We also perform monthly phishing tests. Our monthly phishing test results are shared with all employees and additional resources are provided to those who fail the tests, such as remedial training.
We have implemented a security champions program for our Engineering staff in order to ensure that the developers have relevant security expertise. As part of the program, the developers are provided a wealth of security resources such as training material for OWASP Top 10 issues, curated security libraries, and secure coding standards. We have quarterly security themes, such as Access Control, and we design outreach and resources focused on the theme. This includes hands-on training opportunities such as Capture the Flag (CTF) competitions that reinforce the concepts in the theme, and help assess the teams’ security coding knowledge.
Security Monitoring and Incident Response
The PI product environment as well as the application are monitored using a Security Information and Event Management (SIEM) platform.
PI has formal and tested incident response processes.
We also provide monitoring of our service status to our customers. Our Service Status page is here. You can also subscribe on this page to be notified of any maintenance or incidents.
Privacy of User Data
We take our data protection obligations and user privacy rights seriously. and have contracts with them that include clauses to protect our customer data and users. Our privacy policies are available here.
We utilize reputable vendors like Microsoft Azure and Auth0 for our product. A full list of our subprocessors is here.
Credit Card Security
PI does not store any credit card information. Credit card payments are processed by Stripe, the industry-leading PCI Data Security Standards (PCI-DSS) Level 1 certified service provider. See Security at Stripe for more information.
Contact Us
If you have any questions about Security at Predictive Index, please contact us as follows:
The Predictive Index, LLC
101 Station Drive
Westwood, MA 02090
If you have identified a potential security vulnerability in our system, please report it within 24 hours by completing the form available here. We will respond to your report within 48 hours.