Security at PagerDuty
Security is a top priority for PagerDuty. We understand that your PagerDuty account may contain sensitive data regarding your IT operations and we’re very protective of it. This page describes the various security measures we take to protect your data.
PagerDuty uses ISO 27001 and FedRAMP certified data centers. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, biometric locks, and other electronic means. Only authorized personnel have access to the data centers.
System and Software Security
The PagerDuty system infrastructure is updated regularly with the latest security patches. All of our servers run hardened, patched operating systems.
We employ an internal team of engineers to keep our software and its dependencies up-to-date, eliminating potential security vulnerabilities. This team carefully audits and tests all software components that affect the overall security of the system.
All communications with PagerDuty via our web application or APIs are transmitted over SSL connections.
All server-to-server communications within PagerDuty’s infrastructure is encrypted with IPsec running in transport mode.
As well as utilizing the firewall controls available via our cloud providers, we also employ custom firewalls on every server to block unauthorized system access. Additionally, we utilize continuous port scanning to immediately detect any potential misconfigurations within our infrastructure.
Data Security and Backups
All customer data is written to multiple disks instantly in multiple geographically distinct data centers. We use a minimum of three different data centers to store all customer data.
We back up customer data on a daily basis to an offsite location.
All employees have signed non-disclosure agreements with PagerDuty. Employees will not change configurations on your account without you first being notified. We strive to pre-announce any changes to the system that will affect your use in any way.
Employee access to our infrastructure is strictly limited to engineers who require such access in order to maintain the stability and efficiency of our systems. Access is based upon the principle of least privilege, and requires the use of two-factor authentication. All access attempts are logged, and multiple failed attempts will cause the relevant users to be locked out.
Our payment processor, Braintree, is a validated Level 1 PCI DSS Compliant Service Provider. Additionally, they are on Visa’s Global Compliant Provider List and MasterCard’s SDP List. They conduct regular automated vulnerability scans and have extended external penetration testing conducted by outside sources.