Security at Progression

Last reviewed: 05 May 2023

Application security is always top of mind at Progression. We have put in place extensive processes, best practices and system design choices to ensure that Progression is a resilient and reliable platform.

Below we provide more information on specific security practices.

Infrastructure security

Hosting

Progression is hosted on world-class infrastructure at Heroku.

Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout the world. Heroku’s platform provides infrastructure management, scaling, and security.

Heroku applies security best practices and manages platform security, protecting customers from threats. Heroku applies security controls at every layer from physical to application, isolating applications and data, and rapidly deploys security updates without customer interaction or service interruption.

More information can be found at Heroku’s security policy.

Heroku utilises ISO 27001- and FISMA-certified data centres managed by Amazon. Information about security at Amazon data centres is available here.

Encryption

Data in transit is encrypted over HTTPS using Transport Layer Security (TLS v1.2) with minimum 128-bit cipher keys and SHA-256-signed certificates, meaning that our users always have a secure connection from their browsers to our service.

Data is encrypted at rest with AES-256, block-level storage encryption as part of the service provided by Heroku.

Database backups are GPG encrypted and stored in an encrypted AWS S3 bucket.

Operations

Vulnerability scanning. We regularly make use of vulnerability scanning and static code analysis to scan for vulnerabilities. Our engineers respond to the issues raised.

Brute force prevention. We employ password strength requirements, Cross-Site Request Forgery (CSRF) protection, secure password reset practices, and login-attempt rate limiting with automated account lockout. We respond to suspicious behaviour by rate limiting and blocking IP addresses.

Backups & monitoring. We use Heroku managed database backups, which allow us to roll back to any point in the last four days. Nightly backups, stored on AWS S3, are carried out automatically and retained for 90 days.

Incident response. We maintain a 24 / 7 on-call rotation and escalation policy, with production alerts captured and automatically escalated.

People process. Only employees with the necessary rights and roles have pre-authorised access to our underlying data. Access is unique, logged and uses strong password policies managed through an enterprise password manager, coupled with two-factor authentication, where appropriate.

Product security

Authentication and authorisation

Roles & Permissions. Access to customer data within each organisation is controlled with a sophisticated set of roles and permissions built on top of industry standard, open source packages. Roles and permissions are underpinned with a suite of automated tests to ensure correct authorisation.

Secure passwords. We enforce a minimum password length to encourage users to pick more secure passwords.

SSO via Google. Users can authenticate in one click using their Google account. They’ll never need to set a password with us to log in to their account or to sign up, even if they’re creating a new account.

Penetration testing

We undertake twice-yearly third-party penetration tests. Any vulnerabilities discovered are addressed immediately. The test report is available on request.

Compliance

SOC 2 Type II. We are SOC 2 Type II compliant. Achieving SOC 2 compliance means that Progression has implemented the procedures, policies and controls necessary to meet the AICPA's trust services criteria for security, availability and confidentiality, and that these processes and controls have been tested to ensure that they are operating effectively.

You can view a copy of the report by emailing us at [email protected].

GDPR. At Progression, privacy, security and transparency are at the heart of how we think about our product and company. Read more about our GDPR compliance.

PCI DSS. All payments are handled by our payments provider, Stripe.
