Security Overview

Company Overview

Procurify is a spend management solution serving over 350 customers across 62 countries. We are a fast-growing, venture-backed startup employing more than 100 individuals in Vancouver, British Columbia. Our company works tirelessly to provide the best customer experience through our Software-as-a-Service (SaaS) offering and our world-class customer-focused teams.

Infrastructure

Cloud Hosting - AWS & GCP

Procurify focuses on delivering the best spend management product to our customers. We partner with industry-leading companies to handle cloud hosting, employing their expertise and compliance with best practices in maintaining key systems infrastructure such as: DNS, routers, switches, load balancers, computer systems, database servers, caching systems and more. Procurify has selected Amazon Web Services (primary) and Google Cloud Platform (secondary) as our providers of cloud services.

Compliance

Both Amazon and Google are pioneers in ensuring safety and security across all their data centers and infrastructure, drawing on their 15+ years of experience running industry-leading web services. Their respective security documentation can be found on their websites here:

Procurify is hosted in SAS-70 II, SSAE 16 data centers that have achieved ISO 27001 & SOC3 certifications, among other certifications that are performed by third-party auditors to both AWS and GCP. We follow the EU’s GDPR (General Data Protection Regulation) and have had these guidelines and processes implemented by Price Waterhouse Coopers’ (PwC) compliance team.

Severity and Expected Response Times

Procurify will provide the Customer with support related to server accessibility and performance 24 hours a day, 5 days a week. This is separate from and in addition to the support services specified in the Support Service Level Agreement (link) and/or the Support Subscription Packages referenced in that document.

Expected response times for a ticket submitted by the Customer via email, phone, or in-app request during support hours to report an incident which has been deemed by Procurify (in its reasonable discretion) to be related to server accessibility or performance shall depend upon the severity level assigned by Procurify to such ticket (in its reasonable discretion). Such severity definitions and expected response times are as follows:

SERVER ACCESSIBILITY & PERFORMANCE INCIDENT ASSESSMENT

Incident Response

In the event of an incident, the responsible Team Members will immediately work towards a resolution. Incidents are grouped as stated here:

  1. Our Data Centers (Amazon AWS & Google Cloud) will notify us about any physical or virtual breaches to the equipment that Procurify is hosted on. Procurify will respond according to best practices depending on the nature of the incident.
  2. If Procurify detects an Application Level Breach, our Development / Operation teams will immediately investigate. We will determine the cause and affected Customer(s), notify those Customer(s), and restore any backups as necessary.

Information Security Policies

Access Control

Our Team Members are provided access with the appropriate permissions to perform their role. They are provided access as needed; any requests for other platforms must be approved by their Team Lead.

User Access Management

Team Members are given access to systems that are used by their Team. Any change in their employment status will immediately cause a change in their ability to access systems; more on this topic is stated in the Human Resources section.

User Responsibilities

When invited to other systems, users will be granted the level of rights necessary to perform their role. Team Members that require more access than initially granted will have to ask their Team Lead, who determines whether additional rights are granted. In our software development team, developers have access to the code repositories to which they are direct contributors. Only our Lead Developer and CTO have the ability to work on production systems that Procurify is hosted on.

System and Application Access Control

Our main user directory is on Google G Suite (Google Apps for Business), allowing centralized management of emails and documents created by Team Members. All services that we use are encouraged to go through Google Login (SSO). For services without Google Login, Team Leads & our internal I.T. team maintain admin control of software systems. This includes third-party SaaS applications, Amazon Web Services, and Google Cloud Platform.

Human Resources

Procurify relies on other software platforms to ensure we are the most productive in serving our customers.

Prior to Employment

Procurify interviews candidates rigorously to ensure that Team Members are able to provide the best performance and care to our customers. Our People Operations team conducts reference checks.

During Employment

Once hired, the Team Member is granted access only to the systems and software that are necessary for their work. In addition, Team Members are provided with access to the office in Vancouver, BC, access to the control system alarm code and an RFID fob to the building and unit.

Termination and Change of Employment

Prior to the change of employment, People Operations will reach out to our I.T. Team and Team Leads to ensure we are ready to go through an “off-boarding” process to revoke user credentials and access control. This includes: G Suite Login, Software Credentials, API Tokens, ACLs, RFID Fob, and Alarm Code being revoked from the User. During the exit interview, our People Operations Manager will also ask for any property of Procurify to be returned immediately. Any outstanding tasks will be handled by the Team Lead.

Product

Your security and privacy are important to us at Procurify. Our team makes tremendous efforts to ensure that your interactions with Procurify are conducted securely.

Data

Data storage is of utmost importance at Procurify. Each company has an isolated data store, as opposed to single multi-tenant database systems. This allows us to ensure that only you will have access to your data when using Procurify. Our databases are hosted on the latest-generation database servers on Amazon Web Services. They are hosted across multiple data centers to provide redundancy, safety, and security in storing your data. In the event of an incident with our database cluster, we are able to efficiently and quickly restore from multiple sources of backup and route traffic from the previous database cluster to a new database cluster. Any file attachments are stored on Google Cloud Platform across their US Data Center network, which ensures files are replicated across multiple data centers securely.

Data Transfer

Any data transfer between you and Procurify’s Web Application is done using a secure 256-bit HTTPS (SSL) connection. Our application and database servers are hosted within Amazon Web Services (AWS). Data transferred within AWS is done securely within a private network. Additionally, our application and database servers are behind firewalls that allow specific access and privileges to services. For example, our application servers are allowed direct access to the database server cluster through the network & user credentials.

Data Retention

Procurify keeps data for active customers of the platform. Data is stored securely across data centers at Amazon Web Services and Google Cloud Platform. If a customer does not renew their Procurify Subscription, the customer will have 90 days to export data from the platform. Procurify will remove data from inactive customers after the 90-day period.

Authentication

Users of Procurify must go to their specific web application URL to log in with their credentials. Logins can be achieved using an email and password, Google Login, or select Single Sign On (SSO) providers. Administrators of the Procurify instance have the ability to manage user credentials, roles, and revoke access as necessary.

Based on the user role(s) that are assigned to a user, the system will show the appropriate pages that can be accessed. If the user tries to access different pages through different links, they will be redirected to the home page (Dashboard) of the application with an error stating that they do not have the proper permissions to access that page.

System Performance

Procurify wants our customers to have the best experience when using our platform and services. We have designed our product to have multiple redundancies and distributed systems. At the start, there are multiple application servers that sit behind a state-of-the-art load balancer that routes traffic to the application server with the most resources available to serve requests. Similarly, we run on the current generation database server clusters that are able to serve heavy traffic loads. In the event of a failure, our systems will automatically re-adjust and re-route traffic to the appropriate systems. In the event of a complete failure, we have the ability to restore the system from other infrastructure using system scripts to rebuild servers.

Data Access

Only authenticated users can access your Procurify Instance. Any objects created (order requisitions, expense reports, travel tickets, and accounts payable objects) are tied to the specific logins with the details, comments, and attachments. Changes that are made in the system are logged in an audit log with details on the action, previous information stored, and new changes. 

Admin Users are able to use our importer and exporter systems within our settings page to work with their data. They are able to import initial setup data that may come from other systems. Also, it is possible to export data generated within Procurify to other formats for the purposes of audit or to import to other systems.

Software Development & Quality Assurance

Our software team follows the best practices recommended by the Scrum Alliance, outlined in Agile Software Development. The Scrum Masters and Product Owners have been trained officially by these teams on how to execute proper requirements planning, design, developer sprint planning, delivering code based on the requirements and our internal definition of done (code quality, unit tests, code review, and review by our Product Management Team), quality assurance, staging, launching to production, and sprint retrospectives for our Software Development Lifecycle (SDLC).

Development

As products are in development, each developer is given a containerized environment that gives them the necessary resources to run the application on a local environment with a sample database. Developers work within this environment and push code changes to a centralized and secure code repository.

Staging

This environment allows our Quality Assurance team to test the latest work, reported bugs, and performance improvements.

A Quality Assurance Member will review the work of the developer and test their work on a staging environment that is hosted on AWS. This allows for our Quality Assurance team to test for any issues or failures and request fixes before deploying the system to production.

Production

Access to the production systems environment is restricted to our Lead Developer and CTO. They are able to administer, monitor, and make improvements to the infrastructure. They are responsible for ensuring uptime of the system.

Test Data

In order to address customer-specific issues, our Quality Assurance Team may request environments that replicate The Customer’s interface. Our internal tooling allows us to sanitize any sensitive data destined for a staging environment. Once fixes are created and tested, these databases are removed from the staging environment. We maintain an isolation of Staging and Production environments to ensure that team members do not access production data for testing purposes.

Revision Date: September 18, 2019