ProcessUnity Security FAQs

The purpose of this page is to provide transparency into the safeguards that have been implemented to protect ProcessUnity’s Workflow Platform, Global Risk Exchange and our customers’ data. This summary is intended to address the most common questions that we receive from external stakeholders who are interested in the maturity and effectiveness of our security program.

Third-Party Risk Management Software Dashboard

Q: Does ProcessUnity have a team that is dedicated and responsible for the protection of customer data?
Yes. The ProcessUnity security team is tasked with the implementation of a comprehensive and effective risk management program that covers our enterprise corporate environment, the Workflow Platform and the Global Risk Exchange.

Q: Does ProcessUnity have a dedicated security officer?
Yes. ProcessUnity has an assigned and dedicated Chief Information Security Officer (CISO) who is responsible for the ProcessUnity security program and the management of the security team.

Q: Is the ProcessUnity security program based on industry-standard security best practices and control frameworks?
Yes. The ProcessUnity security program leverages concepts, and security and privacy controls from a number of global standards such as the NIST Special Publication 800 series, NIST CSF, ISO 27001/2, OWASP, GDPR, CCPA.

Q: Has ProcessUnity undergone an independent audit or certification of compliance with security standards?
Yes. On an annual basis ProcessUnity renews our SOC 2 Type 2 audit and ISO 27001:2022 certification. Note that the Global Risk Exchange is not currently included in the scope of these audits.

Q: Has ProcessUnity developed a security policy framework?
Yes. ProcessUnity has developed, and continually refines, a library of security policies, procedures, and plans. These documents are accessible by all ProcessUnity staff and are included in new hire and annual training. They cover standard security domains such as: identity and access management, configuration and change management, personnel security, and incident response. Policies, standards, and plans are approved by the ProcessUnity executive leadership.

Q: What are the core elements of the ProcessUnity security program?
ProcessUnity’s security program is based on an understanding of our assets, their criticality to both ProcessUnity and our customers, the internal and external threats to those assets, and the effectiveness of our controls in response to those threats. We utilize a risk-based approach where strategic planning and the prioritization of corrective actions is based on a qualitative and quantitative understanding of risks that impact our organization and our customers.

Q: Has ProcessUnity undergone penetration testing by an independent third party?
Yes. The Workflow Platform and the Global Risk Exchange each individually undergo penetration testing on an annual basis, at minimum, and after significant changes.

Q: What type of internal security risk or vulnerability assessments does ProcessUnity perform?
ProcessUnity uses multiple methods and techniques to evaluate our environments for security weaknesses or vulnerabilities. These methods include, but are not limited to:

annual SOC 2 Type 2 and ISO 27001 compliance audits;
annual, at minimum, independent penetration testing; and
ongoing updates of the ProcessUnity assessment on the Global Risk Exchange, including evidence validation by Deloitte.
automated, scheduled vulnerability scanning of operating systems, firmware, middleware, etc.,
static and dynamic scanning of code repositories;
software composition analysis scans of third-party code;
security-focused systems testing as part of the ProcessUnity platform’s system development lifecycle (SDLC);
manual audits/tests of security control implementation and effectiveness;
security-focused interviews with ProcessUnity teams and individual personnel;

Q: Are ProcessUnity employees subject to a background screening prior to being provided access to any customer data?
Yes. All employees must successfully pass a background check before finalizing the job offer and onboarding process. New hires are not given access to any ProcessUnity systems or data until the background screening process is complete.

Q: Has ProcessUnity implemented a security awareness and training program?
Yes. ProcessUnity leverages an industry-standard tool to plan, develop, execute, and track security-focused training. All new hires are required to complete training within ten business days of onboarding. All employees are required to complete annual and quarterly security training. In addition, employees may be asked to complete unscheduled training based on the outcome of internal testing (e.g. phishing campaigns) or violations of security policy. All new hires sit with a security team member in their first two weeks of employment to discuss security policies, basic security principles, and specific security responsibilities that apply to their role.

Q: Does ProcessUnity process, transmit, or store any customers’ personally identifiable information (PII)?
Yes, but this is limited to business contact and usage information only. Specifically, we collect an individual’s name, business email address, business phone number (optional), and IP address when accessing our applications.

Q: Where are the Workflow Platform and Global Risk Exchange hosted, and what physical security controls are in place to protect customer data?

The Workflow Platform is hosted by Azure in regional facilities. All physical security controls directly associated with the application are inherited from Azure. For more information about Azure’s physical security program please visit: https://learn.microsoft.com/en-us/azure/security/fundamentals/physical-security

The Global Risk Exchange is hosted by Amazon Web Services (AWS) in US-East region datacenters. All physical security controls directly associated with the platform are inherited from AWS. For more information about AWS’s physical security program please visit: https://aws.amazon.com/compliance/data-center/controls/

ProcessUnity headquarters is located in Concord, Massachusetts. This facility is protected by safeguards that include electronic locks, badge readers, CCTV surveillance at all ingress and egress points, access logging and audits, and a centralized fire detection and suppression system.

Q: How are the Azure and AWS environments securely configured and managed?

Both environments are designed for resilience, leveraging multiple availability zones (AWS) or redundant cloud sites (Azure), autoscaling, and distributed denial of service (DDoS) protections.

We use hardened and regularly updated container images, and development and testing environments are fully separated from production.

Both environments produce verbose event logging that is centrally aggregated and monitored by industry-standard security information and event management (SIEM) tools.

If needed, our SOC 2 and ISO 27001 audits, independent penetration tests, and CyberGRX assessments contain more information about the technical controls in place to protect our customers’ data.

Q: How often does ProcessUnity backup customer data, and are data backups ever tested?
ProcessUnity performs full, hourly backups of the Workflow Platform’s production databases, and full, daily backups of the Global Risk Exchange production databases. Backups are tested monthly, at minimum.

Q: What authentication mechanisms are in place for users accessing the ProcessUnity application or the Global Risk Exchange?
Users of the Workflow Platform and Global Risk Exchange may choose between username and password, multi-factor authentication, and single sign-on.

Q: How can customers control what data and functionality their employees have access to while using the Workflow Platform or Global Risk Exchange?

We provide out of the box role-based access control (RBAC) to ensure that our customers can manage their accounts and instances in accordance with the concept of least privilege access.

Q: How does ProcessUnity encrypt data in transit and at rest?
All customer data (name, business email, business phone, assessment answers, etc.) is encrypted in transit using TLS 1.2 or better. Customer data is encrypted at rest via AES-256 strength encryption.

Q: Does ProcessUnity have a policy regarding the use of removable storage media?
Yes. The use of removable media to transmit or store customer data is strictly forbidden by policy and via technical controls. Any exceptions to this policy must be approved by the CISO. Exceptions undergo monthly access reviews to understand if there is still a need. USB exceptions require encryption and scanning of the device before it can be used.

Q: Does ProcessUnity have targets for service restoration in the event of a disaster?
Yes. ProcessUnity Platform: RTO is defined as 4 hours and our RPO is 1 hour. Global Risk Exchange: RTO is defined as 48 hours and our RPO is 24 hours.

Q: How does ProcessUnity ensure that their application code is free of vulnerabilities or flaws?
The ProcessUnity Platform and Global Risk Exchange follow a defined system development lifecycle (SDLC). All code changes must be approved by a product manager, a peer developer, and a tester before being deployed to the production environment. The SDLC process includes submitting all updated code repositories for code vulnerability scanning. We deploy application code by using a staged deployment process. The changes are applied first in the staging environment, where they are tested, before they are applied to the demo environment for additional testing, and finally on to the production environment. In addition, the ProcessUnity Platform is dynamically scanned by our code vulnerability scanning solution and is pen tested on an annual basis, at minimum.

Q: Does ProcessUnity have an incident response program in place?
Yes. Our incident response program is documented in the ProcessUnity Incident Response Plan and a library of incident playbooks that are focused on response procedures for specific types of incidents. We utilize a suite of industry- standard tools to assist in the identification, verification, containment, analysis, and removal of threats from our computing environments.

Q: Does ProcessUnity have an incident notification process in place?
Yes. We notify any potentially affected customers within a commercially feasible timeframe, and never longer than is required by contract.

Contact ProcessUnity

Security Office
ProcessUnity, Inc.
33 Bradford Steet Concord, MA 07142
[email protected]

Cookie	Duration	Description
__cfduid	1 month	The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address d apply security settings on a per-client basis. It doesnot correspond to any user ID in the web application and does not store any personally identifiable information.
__stripe_mid	1 year	Stripe sets this cookie cookie to process payments.
__stripe_sid	30 minutes	Stripe sets this cookie cookie to process payments.
cli_user_preference	1 year	This cookie stores consolidated information of consent of all categories in the GDPR Cookie Consent plugin. This cookie is used to ensure the smooth functioning of the plugin with certain cache plugins.
connect.sid	2 hours	This cookie is used for authentication and for secure log-in. It registers the log-in information.
cookielawinfo-checkbox-advertisement	1 year	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Advertisement'.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-analytics	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-functional	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Functional".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-marketing	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Marketing".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-preferences	1 year	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Preferences'.
cookiesession1	1 year	This cookie is set by the Fortinet firewall. This cookie is used for protecting the website from abuse.
PHPSESSID	1 year	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__sharethis_cookie_test__	session	ShareThis sets this cookie to track which pages are being shared and by whom.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
bscookie	2 years	This cookie is a browser ID cookie set by LinkedIn share Buttons and ad tags.
cf_ob_info	1 minute	The CloudFlare service is mostly used for content distribution network (CDN) services.
cf_use_ob	1 minute	The CloudFlare service is mostly used for content distribution network (CDN) services.
cookielawinfo-checkbox-uncategorized	1 year	The cookie is set by the GDPR Cookie Consent plugin to record the user consent for cookies in the category "Uncategorized".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category along with the status of CCPA.
lang	1 year	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
lissc	1 year	Cookie used for Sign-in with Linkedin and/or for LinkedIn follow feature.
ppwp_wp_session	30 minutes	ppwp_wp_session is a cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing the user's session on the website. The cookie is a session cookie and is deleted when all browser windows are closed.

Cookie	Duration	Description
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.
__stidv	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.
_ce.s	1 year	This Crazy Egg cookie records visitor session unique ID, tracking host and start time.
_CEFT	1 year	Crazy Egg cookie that stores page variants assigned to visitors for A/B performance testing.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_ga_63P4X1D7BY	2 years	This cookie is installed by Google Analytics.
_gcl_au	2 months	This cookie is used by Google Analytics to understand user interaction with the website. All information this cookie collects is aggregated and therefore anonymous.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
6suuid	2 years	6sense is a B2B predictive intelligence engine for marketing and sales.
BIGipServerab07web-nginx-app_https	1 year	This is a cookie used by the Marketo marketing platform for user tracking purposes.
cebs	session	This Crazy Egg cookie is used to track the current user session internally.
site_identity	2 years	An analytics cookie that is used to better understand your use of our website.
sliguid	5 years	Salesloft cookie for use in live website tracking to help identify and qualify leads.
slireg	1 week	Salesloft cookie for use in live website tracking to help identify and qualify leads.
slirequested	5 years	Salesloft cookie for use in live website tracking to help identify and qualify leads.
undefined	never	Wistia sets this cookie to collect data on visitor interaction with the website's video-content, to make the website's video-content more relevant for the visitor.

Cookie	Duration	Description
_mkto_trk	2 years	This cookie is associated with an email marketing service provided by Marketo. This tracking cookie allows the website to link visitor behavior to the recipient of an email marketing campaign, to measure campaign effectiveness.
_mkto_trk	2 years	This cookie is associated with an email marketing service provided by Marketo. This tracking cookie allows the website to link visitor behavior to the recipient of an email marketing campaign, to measure campaign effectiveness.
_mkto_trk	2 years	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.

Cookie	Duration	Description
cebsp	session	No description
m	2 years	No description available.
pvc_visits[0]	past	This cookie is created by post-views-counter. This cookie is used to count the number of visits to a post. It also helps in preventing repeat views of a post by a visitor.