
Security Practices

These PandaDoc Security Practices describe PandaDoc’s security practices and safeguards, which include physical, organizational, and technical measures, utilized by PandaDoc and designed to preserve the security, integrity, and confidentiality of the Services and Customer Content and to protect against information security threats.

1. Information Security Program.

1.1 Information Security Program. PandaDoc maintains a comprehensive written information security program, including policies, standards, procedures, and related documents that establish criteria, means, methods, and measures governing the Processing and security of Customer Content and the PandaDoc systems or networks used to Process or secure Customer Content (“PandaDoc Information Systems”) in connection with providing the Services under the Agreement.

1.2 Acknowledgement of Shared Responsibilities. The security of data, including Customer Content, that is accessed, stored, shared, or otherwise Processed via PandaDoc Services is a shared responsibility between PandaDoc and Customer. PandaDoc is responsible for the implementation and operation of the PandaDoc information security program. Customer is responsible for appropriately implementing access and use controls and configuring certain features and functionalities of PandaDoc Services that Customer may elect to use.

1.3 PandaDoc Personnel Confidentiality. PandaDoc will ensure that PandaDoc Personnel: (a) are bound by confidentiality obligations with respect to Customer Content substantially as protective as those set forth in the Agreement; and (b) are subject to appropriate training relating to the Processing of Customer Content.

2. Security Controls. In accordance with its information security program, PandaDoc shall implement commercially reasonable physical, organizational, and technical controls designed to: (a) ensure the security, integrity, and confidentiality of Customer Content Processed by PandaDoc; and (b) protect Customer Content from known or reasonably anticipated threats or hazards, including to its security, integrity, accidental loss, alteration, disclosure, and other unlawful forms of Processing. Without limiting the foregoing, PandaDoc will, as appropriate, utilize the following controls:

2.1 Updates. PandaDoc will maintain programs and routines to keep the PandaDoc Information Systems up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications.

2.2 Firewalls. PandaDoc will configure and maintain firewalls to protect both Customer Content and PandaDoc’s non-public data.

2.3 Anti-Malware. PandaDoc will use up-to-date anti-malware tools (including anti-virus software) configured for automatic updates and designed to mitigate threats from viruses, worms, Trojan horses, spyware, ransomware, and other malicious code that can reasonably be detected.

2.4 Testing. PandaDoc will regularly test its security systems, processes, and controls to ensure they meet the requirements of these Security Practices.

2.5 Access Controls. PandaDoc will maintain an access control policy to control Personnel access to any PandaDoc Information Systems that include Customer Content. The access control policy will include, without limitation, the access controls described below to secure Customer Content Processed by PandaDoc Information Systems:

     2.5.1 PandaDoc will assign a unique ID to PandaDoc Personnel with access to PandaDoc Information Systems.

     2.5.2 PandaDoc will restrict access to PandaDoc Information Systems to PandaDoc Personnel who demonstrate a legitimate business need for such access.

     2.5.3 PandaDoc will regularly review the list of PandaDoc Personnel and services with access to PandaDoc Information Systems and remove accounts that no longer require access and excessive privileges that are no longer needed.

     2.5.4 PandaDoc will (a) maintain a password management policy designed to mandate the use of system-enforced strong passwords consistent with industry-standard practices, (b) require the use of multi-factor authentication for access to PandaDoc Information Systems that include Customer Content, (c) not use manufacturer-supplied defaults for system passwords on any operating systems, software, or PandaDoc Information Systems, and (d) require that all passwords and access credentials be kept confidential and not shared among PandaDoc Personnel.

2.6 Policies. PandaDoc will maintain and enforce appropriate information security, confidentiality, and acceptable use policies for PandaDoc Personnel that meet the standards set forth in these Security Practices, including methods to detect and log policy violations.

2.7 Data Separation. Development and testing environments will be separate from PandaDoc Information Systems.

2.8 Deletion. PandaDoc will utilize procedures that are at a minimum in accordance with National Institute of Standards and Technology (NIST) SP 800-88 Revision 1 recommendations (or a successor standard widely used in the industry) to render Customer Content unrecoverable prior to disposal of media.

2.9 Remote Access. PandaDoc will ensure that any access to PandaDoc Information Systems located within PandaDoc private networks will require the use of encrypted VPN connections with multi-factor authentication.

2.10 Encryption. PandaDoc will utilize industry-standard encryption methods that are consistent with or exceed recommendations set forth by industry standard-setting organizations such as NIST or the Center for Internet Security (CIS). In accordance with such standards, PandaDoc will encrypt Customer Content in transit and at rest and will only allow encrypted connections to the Service for the transfer of Customer Content.

3. Use of Third Parties.

3.1 General Security. Third parties engaged by PandaDoc in accordance with the Agreement will, at a minimum, maintain substantially similar levels of security as required by these Security Practices.

3.2 Data Hosting. Any third-party cloud service provider (“CSP”) that PandaDoc utilizes to host and Process Customer Content, including without limitation its current provider Amazon Web Services, will have, at a minimum, industry-standard physical security precautions in place and conform to ISO 27001 or equivalent certification standards. Without limiting the foregoing, PandaDoc CSPs will meet the following requirements:

     3.2.1 Physical Security. PandaDoc’s CSPs will: (a) maintain adequate physical security and access controls as described herein; (b) use professional HVAC and environmental controls; (c) utilize a professional network/cabling environment; (d) use professional fire detection/suppression capability; (e) limit access to authorized personnel only; and (f) maintain a comprehensive business continuity plan.

     3.2.2 Annual Audit. PandaDoc’s CSPs will conduct annual independent risk assessments and audits, and provide PandaDoc with the resulting reports. In addition, PandaDoc shall conduct annual reviews and assessments of any critical CSP to validate that its security measures meet, at a minimum, the requirements of these Security Practices.

     3.2.3 Enhanced Requirements. PandaDoc’s CSPs will meet the requirements and possess the capabilities of a highly available, redundant (“N+1”) data center, in which each critical component has at least one independent backup component, to ensure that system functionality continues at acceptable performance levels in the event of a system failure.

4. Business Continuity and Disaster Recovery. PandaDoc will maintain a disaster recovery (“DR”) program designed to address the recovery of the Services following a disaster. At a minimum, the DR program will include: (a) validation testing of procedures used to regularly create backup copies of Customer Content; (b) annually reviewed and updated inventories listing all critical PandaDoc Information Systems; and (c) annual review, testing and updating of the DR program.

5. Security Breach.

5.1 Procedure

     5.1.1 PandaDoc will notify Customer in writing without undue delay upon PandaDoc becoming aware of a confirmed Security Breach. Unless otherwise agreed upon by the Parties in writing, notification of a Security Breach will be delivered to Customer’s billing email address on file with PandaDoc. Customer is solely responsible for maintaining accurate contact information at all times.

     5.1.2 PandaDoc will investigate and, as necessary, mitigate or remediate a Security Breach in accordance with PandaDoc’s security incident policies and procedures (“Breach Management”).

     5.1.3 Subject to PandaDoc’s legal obligations, PandaDoc will provide Customer with information available to PandaDoc as a result of its Breach Management, including the nature of the incident, specific information disclosed (if known), and any relevant mitigation efforts or remediation measures (“Breach Information”), for Customer to comply with its obligations under applicable laws as a result of a Security Breach.

     5.1.4 If Customer requires information relating to a Security Breach in addition to the Breach Information, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, PandaDoc will reasonably cooperate with Customer as requested by Customer to attempt to collect and provide such additional information.

5.2 Unsuccessful Attempts. An “unsuccessful attack” is one that does not result in unauthorized or unlawful access to Customer Content and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or TCP/UDP headers), or similar incidents. An unsuccessful attack is not a Security Breach subject to this Section 5.

5.3 Customer or User Involvement. Unauthorized or unlawful access to Customer Content that results from the Customer’s configuration settings, compromise of a User’s login credentials, or from the intentional or inadvertent sharing or disclosure of Customer Content by the Customer or a User is not a Security Breach.

5.4 Disclaimer. PandaDoc’s obligation to report or respond to a Security Breach under this Section 5 is not an acknowledgment by PandaDoc of any fault or liability of PandaDoc with respect to the Security Breach.

6. Auditing and Reporting.

6.1 Monitoring. PandaDoc conducts various audits, risk assessments, and other monitoring activities to ensure the effectiveness of its security measures and controls on an ongoing basis.

6.2 Audit Reports. PandaDoc uses external auditors to verify the adequacy of its security measures and controls for the Services. The audit will: (a) include testing of the entire measurement period since the previous measurement period ended; (b) be performed according to AICPA SOC2 standards or such other alternative standards that are substantially equivalent to AICPA SOC2; (c) be performed by independent third-party security professionals at PandaDoc’s selection and expense; and (d) result in the generation of a SOC2 report (“Audit Report”), which will be PandaDoc’s Confidential Information. Upon written request and subject to the confidentiality obligations of the Agreement or a mutually agreed non-disclosure agreement, Customers may receive a copy of the Audit Report no more often than annually.

6.3 Penetration Testing. PandaDoc uses external security experts to conduct penetration testing of the Services at least annually and maintains a year-round bug bounty program for ongoing vulnerability scanning. PandaDoc’s annual penetration testing will be performed by independent third-party security professionals at PandaDoc’s selection and expense, and will result in the generation of a penetration test report (“Pen Test Report”) which will be PandaDoc’s Confidential Information. Pen Test Reports will be made available to Customer upon written request no more often than annually, subject to the confidentiality obligations of the Agreement or a mutually agreed non-disclosure agreement.

6.4 Customer Audit. If Customer legally requires information for its compliance with applicable laws in addition to the Audit and Pen Test Reports, and Customer is unable to access the additional information on its own, Customer may submit a written request for such additional information and assistance to its PandaDoc account representative. Customer’s written request pursuant to this Section 6.4 must include information regarding the applicable laws or regulations forming the basis of the request and specific details about the requisite additional information. PandaDoc will work with Customer to reach mutually agreed upon terms regarding the scope, timing, duration, and other details of such additionally requested information and assistance. PandaDoc will only be required to undertake such additional measures described in this Section 6.4 once per year unless otherwise required by law.

7. Definitions.

7.1 “Agreement” means the agreement that governs Customer’s access to and use of the Services.

7.2 “Customer” means the individual or entity that executes or accepts an Order or registers for free trial access to and use of a Service and has entered into an Agreement.

7.3 “Customer Content” means any text, personal information, document layouts, source code, pictures, video, images, audio materials, graphics, documents, data files or any other content that Customer or its Users uploads or submits to the Services. Customer Content does not include usage, statistical, learned, or technical information that does not reveal the actual contents of Customer Content.

7.4 “Process” means any operation or set of operations performed upon Customer Content, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.

7.5 “Security Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content.

7.6 “Services” means all online services, add-ons, or applications that are provisioned or controlled by PandaDoc.

7.7 “PandaDoc Personnel” means any individual authorized by PandaDoc to Process Customer Content.

7.8 “User” means any individual authorized or invited by Customer or another User to access and use the online Services under the terms of the Agreement.