The concept of trust is enshrined in ProcessUnity’s Core Values and
influences everything we do, from strategic planning and decision
making, to client engagements and individual human interactions.

Overview

This Trust Center is intended to provide informative and time-saving data regarding our commitment to
security, privacy, resilience, and ethical practices. Here, you will find transparent information about our policies,
certifications, security controls, incident response readiness, and ongoing efforts to safeguard the interests of
our customers, partners, and broader community.

Security

ProcessUnity prioritizes confidentiality, integrity, and availability through a foundation of rigorously implemented best practices, strengthened by best-in-class technologies and managed by a highly skilled, experienced team.

Compliance

ProcessUnity understands that compliance provides a baseline from which to build comprehensive and effective, risk-based programs. We comply with internationally recognized standards and regulations to provide our customers and partners with added confidence that their data is in good hands.

Emerging Technology

ProcessUnity is committed to delivering customer value through thoughtful, ethical, and compliant use of cutting-edge technologies. Our approach to innovations like artificial intelligence is purposefully designed to maximize benefits while minimizing risk.

Building Community Through Trust

At ProcessUnity, trust is more than a buzzword; it is a shared experience. A core objective of our approach to
TPRM is encouraging and enabling the efficient and proactive sharing of data between customers and their
third parties. One way we do that is by building web pages that third parties can use to handle requests for
access to their risk data and reports.

If you’ve come to this Trust Center site you’re likely interested in learning more about ProcessUnity’s
commercial offerings and our security practices. We are happy to provide access to our risk profiles on our
Global Risk Exchange. These profiles include our self-attested responses to an industry-standard security
questionnaire, validation results of those answers performed by globally recognized auditing firms, continuous
outside-in scanning data, and continuous threat intelligence signals. We maintain two profiles, one for each
of our primary TPRM solutions. Both profiles cover our corporate security controls as well as controls specific to
each product line. Use these links to request access to one or both, as needed:

Frequently Asked Questions

Below you'll find answers to the most asked questions about ProcessUnity's security, privacy, and compliance practices.

Yes. The ProcessUnity Security and Compliance team is tasked with the design, implementation, and ongoing maintenance of a comprehensive and effective risk management program that covers our enterprise corporate environment, the ProcessUnity TPRM Platform, and the Global Risk Exchange.

Yes. ProcessUnity has an assigned and dedicated Chief Information Security Officer (CISO) who is responsible for the ProcessUnity security program and the management of the Security team. In addition, ProcessUnity has appointed a Chief Trust Officer (CTrO) who is tightly connected to the security and compliance program, with a specific focus on building customer assurance.

Yes. The ProcessUnity security program draws on concepts and on security and privacy controls from several global standards and regulations, including the NIST Special Publication 800 series, the NIST Cybersecurity Framework (CSF), ISO 27001/27002, OWASP guidance, GDPR, and CCPA.

Yes. On an annual basis ProcessUnity renews our SOC 2 Type 2 audit and ISO 27001:2022 certification. Note that the Global Risk Exchange will be included in the scope of these audits and reports beginning in Q3 of 2025.

Yes. ProcessUnity has developed, and continually refines, a library of security policies, procedures, and plans. These documents are accessible by all ProcessUnity staff and are included in new hire and annual training. They cover standard security domains including identity and access management, configuration and change management, personnel security, and incident response. Policies, standards, and plans are approved by ProcessUnity executive leadership.

ProcessUnity’s security program is based on an understanding of our assets, their criticality to both ProcessUnity and our customers, the internal and external threats to those assets, and the effectiveness of our controls in response to those threats. We utilize a risk-based approach where strategic planning and the prioritization of corrective actions is based on a qualitative and quantitative understanding of risks that impact our organization and our customers.

ProcessUnity uses multiple methods and techniques to evaluate our environments for security weaknesses or vulnerabilities. These methods include, but are not limited to:

  • Annual SOC 2 Type 2 and ISO 27001 compliance audits
  • Annual (at minimum) independent penetration testing
  • Ongoing updates of ProcessUnity’s assessments and risk profiles on the Global Risk Exchange, including evidence validation conducted by globally recognized auditing firms
  • Automated, scheduled vulnerability scanning of operating systems, firmware, middleware, software, etc.
  • Static and dynamic scanning of code repositories and production applications, respectively
  • Software composition analysis scans of third-party code
  • Security-focused systems testing as part of the ProcessUnity platform’s system development lifecycle (SDLC)
  • Manual audits/tests of security control implementation and effectiveness
  • Security-focused interviews with ProcessUnity teams and individual personnel

Yes. We are happy to provide access to our risk profiles on the Global Risk Exchange. These profiles include our self-attested responses to an industry-standard security questionnaire, validation results of those answers performed by globally recognized auditing firms, continuous outside-in scanning data, and continuous threat intelligence signals. We maintain two profiles, one for each of our primary commercial products. Both profiles cover our corporate security controls as well as controls specific to each product. Use these links to request access to one or both, as needed:

Yes. All employees must successfully pass a background check before finalizing the job offer and onboarding process. New hires are not given access to any ProcessUnity systems or data until the background screening process is complete.

Yes. ProcessUnity leverages an industry-standard system to plan, develop, execute, and track security-focused training. All new hires are required to complete training within ten business days of onboarding. All employees are required to complete annual and quarterly security training. In addition, employees may be asked to complete unscheduled training based on the outcome of internal testing (e.g. phishing campaigns) or violations of security policy. All new hires have personalized meetings with a Security team member in their first two weeks of employment to discuss security policies, basic security principles, and specific security responsibilities that apply to their role. 

Yes, but this is limited to business contact and usage information only. Specifically, we collect an individual’s name, business email address, business phone number (optional), and IP address when accessing our applications. 

Yes. Our LEI Code is 254900XSCECKJ2YJRE09. Additional LEI registration data can be found using the Global Legal Entity Identifier Foundation’s (GLEIF) LEI Search function at this link: https://search.gleif.org/#/search/

Yes. Our incident response program is documented in the ProcessUnity Incident Response Plan and a library of incident playbooks that cover response procedures for specific types of incidents. The Incident Response Plan is tested at least annually. We utilize a suite of industry-standard tools to assist with the identification, verification, containment, analysis, and removal of threats from our computing environments.

Yes. We notify affected customers within a commercially feasible timeframe, and never longer than is required by contract.

For your security, please note that our company domain is processunity.com. All legitimate email communications will come from addresses ending in @processunity.com (e.g., [email protected]) or ProcessUnity <[email protected]>. If you receive an email about a ProcessUnity job posting from a different domain, please report it to our Security team immediately at [email protected].

To protect yourself from potential scams, please keep the following in mind:

  • We will never ask for any payment or sensitive personal information (such as banking details, social security number, or copies of identification) during the recruitment process.
  • We do not extend job offers without first conducting formal interviews which include a phone screen with our recruiter and multiple video interviews with the hiring team.

Yes. The use of removable media to transmit or store customer data is strictly forbidden by policy and via technical controls. Any exceptions to this policy must be approved by the CISO. Exceptions undergo monthly access reviews to understand if there is still a need. USB exceptions require encryption and scanning of the device before it can be used. 

Yes. The TPRM Platform and the Global Risk Exchange each individually undergo penetration testing on an annual basis, at minimum, and during any significant changes.

The TPRM Platform is hosted by Azure in regional facilities. All physical security controls directly associated with the application are inherited from Azure. For more information about Azure’s physical security program please visit: https://learn.microsoft.com/en-us/azure/security/fundamentals/physical-security

The Global Risk Exchange is hosted by Amazon Web Services (AWS) in US-East region datacenters. All physical security controls directly associated with the platform are inherited from AWS. For more information about AWS’s physical security program please visit: https://aws.amazon.com/compliance/data-center/controls/

ProcessUnity headquarters is in Concord, Massachusetts. This facility is protected by safeguards that include electronic locks, badge readers, CCTV surveillance at all ingress and egress points, access logging and audits, and a centralized fire detection and suppression system. No production systems or persistent access to production systems are hosted in this office space.

Both environments are designed for resilience, leveraging redundant cloud sites (Azure), multiple availability zones (AWS), autoscaling, and distributed denial of service (DDoS) protections.

We use hardened and regularly updated container images, and development and testing environments are fully separated from production.

Both environments produce verbose event logging that is centrally aggregated and monitored by industry-standard security information and event management (SIEM) tools.

If needed, our SOC 2 and ISO 27001 audits, independent penetration tests, and CyberGRX assessments contain more information about the technical controls in place to protect our customers’ data.

ProcessUnity performs full, hourly backups of production databases. Backups are tested monthly, at minimum.

Users of ProcessUnity’s platforms may choose between username and password, multi-factor authentication, and single sign-on.

We provide out-of-the-box, role-based access control (RBAC) to ensure that our customers can manage their accounts and instances in accordance with the concept of least privilege access.

All customer data (name, business email, business phone, assessment answers, etc.) is encrypted in transit using TLS 1.2 or higher. Customer data is encrypted at rest using AES-256.

Yes. For the TPRM Workflow Platform the RTO is defined as 4 hours and our RPO is 1 hour. For the Global Risk Exchange, the RTO is defined as 48 hours and our RPO is 24 hours.

The TPRM Platform and Global Risk Exchange follow a defined software development lifecycle (SDLC). All code changes must be approved by a product manager, a peer developer, and a tester before being deployed to the production environment. The SDLC process includes submitting all updated code repositories for code vulnerability scanning. We deploy application code by using a staged deployment process. The changes are applied first in the staging environment, where they are tested, before they are applied to the demo environment for additional testing, and finally on to the production environment. In addition, both applications are dynamically scanned by our code vulnerability scanning solution and are pen tested on an annual basis, at minimum.

Independent Testing and Assurance

Our independent assessments and certifications demonstrate that ProcessUnity meets the highest international standards for security and compliance — providing our customers with verified assurance that their data is protected by rigorously audited controls.

ISO 27001

ISO 27001 is the international standard for managing information security, providing a systematic framework to protect sensitive data through risk management and continuous improvement. ProcessUnity undergoes ISO 27001 audits on an annual basis.

SOC 2, Type II

A SOC 2 Type II report is the result of an independent audit that verifies the operating effectiveness of a company's controls over a defined period of time. The scope of ProcessUnity’s annual SOC 2 Type II audit includes the security, availability, and confidentiality Trust Services Criteria (TSCs).

Penetration Testing

Independent penetration tests are a critical part of ProcessUnity’s security program. These tests simulate real-world attacks and threat actor techniques against our environments and systems, enabling us to identify and address vulnerabilities before they can be exploited.

Industry recognition of ProcessUnity's TPRM solutions:

ProcessUnity is a Leader in the Forrester Wave

Independent recognition plays a crucial role in building trust, which is why we are so proud to be named a leader in The Forrester Wave™: Third-Party Risk Management Platforms, Q1 2024 with the top scores in the Current Offering and Strategy categories.


Privacy

ProcessUnity’s privacy program is based on globally accepted privacy principles and compliance with the General Data Protection Regulation (GDPR). We continuously monitor for developments in international privacy legislation but believe that the GDPR sets a high standard for privacy practices. The documents and resources linked below describe how we collect and process personal data while upholding the individual rights of data subjects.

For more details, please read our privacy policy.

ProcessUnity’s current sub-processors are listed in the table below.

Name                      | Applicable Product or Service        | Description of processing
Microsoft Azure           | TPRM Platform                        | Cloud hosting of the application, data storage, and compute infrastructure
Amazon Web Services (AWS) | Global Risk Exchange                 | Cloud hosting of the application, data storage, and compute infrastructure
Salesforce                | TPRM Platform & Global Risk Exchange | Contract and customer relationship management

Artificial Intelligence (AI)

At ProcessUnity, we are committed to maximizing the value that our technology delivers by thoughtfully integrating innovations, including artificial intelligence, into our operations and commercial products. AI can be an excellent tool for accelerating ideas and productivity. However, as with any powerful technology, the use of AI can also introduce risks related to topics such as data ownership and intellectual property, data quality and accuracy, bias, as well as traditional and novel data security and privacy concerns.

As we innovate, we remain vigilant to emerging risks and prioritize responsible development, data usage and protection, and compliance. Our approach to developing and using AI starts with executive awareness and accountability, leading to clear enterprise-wide governance and oversight to ensure all usage aligns with our ethical standards and security and compliance requirements. Our Artificial Intelligence Policy has been carefully developed and approved by our executive leadership. All employees and contractors are required to complete training on this policy and to adhere to its direction. In addition, we conduct periodic training covering both broad and discrete AI use cases, and we monitor and control all use of AI services and applications.

Our AI governance approach is informed by emerging global standards such as the NIST AI RMF and legislation like the EU AI Act. We monitor updates to many widely leveraged AI frameworks and laws and actively participate in discourse with peers and industry leaders to stay abreast of new developments, opportunities, and risks associated with this technology.

Policies, Plans, and Procedures

ProcessUnity’s security- and privacy-focused policies, plans, and procedures are designed to protect customer data at every stage, ensuring consistent and proactive risk management while meeting and exceeding our contractual and regulatory compliance requirements. The following is an abridged list from the full library of governance documents we review, update, approve, publish, and train our employees and contractors on each year.

  • Information Security Policy: Broadly defines rules to protect data, systems, and users from security threats.
  • Risk Management Policy: Outlines how we identify, assess, and mitigate potential risks to our customers and operations.
  • Access Control Policy: Defines how human and non-human access is granted, managed, monitored, and restricted.
  • Data Classification and Handling Policy: Defines how data is categorized and handled based on sensitivity to ensure proper protection and compliance.
  • Business Impact Analysis and Continuity Plan: Identifies critical functions and plans recovery strategies to minimize disruption during and after a business-impacting event.
  • Incident Response Policy, Plan and Playbooks: Defines processes and roles for detecting, responding to, and recovering from security incidents effectively and efficiently.
  • Change Management Policy: Ensures changes to systems are controlled, documented, and reviewed to minimize risk and disruption.
  • Encryption Policy: Defines requirements for protecting data using encryption to ensure confidentiality, integrity, and compliance.
  • Software Development Lifecycle Policy & Procedures: Defines secure development practices to ensure software is built, tested, and maintained with security throughout its lifecycle.
  • Third-Party Risk Management Policy & Procedures: Outlines how third-party risks are identified, assessed, and managed to protect organizational and customer data and operations.
  • Vulnerability Management Policy: Defines processes for identifying, assessing, and remediating vulnerabilities to reduce security risks and maintain system security.
  • Artificial Intelligence Policy: Guides the responsible use, development, and oversight of AI to ensure security, ethics, and compliance.

Documents and Downloads

This documentation is provided for you to access, download, and review at your convenience. In some cases, we have redacted specific data from these documents due to its sensitivity. If you have questions or require additional information, please reach out to your Account Manager, Customer Success Manager, or contact ProcessUnity’s Security and Compliance team using the email address in the How to Contact Us section below.

How to Contact Us

Transparency is a core part of ProcessUnity’s commitment to building and maintaining trust. Our Security and Compliance team is available to answer your questions and provide additional information as needed. Please don’t hesitate to reach out. We’re here to support you.

The best way to contact us for most questions and requests is through your assigned Account Manager, Customer Success Manager, or via email to [email protected].