Security at PagerDuty

Security is a top priority for PagerDuty. We understand that your PagerDuty account may contain sensitive data regarding your IT operations and we’re very protective of it. This page describes the various security measures we take to protect your data.

Reporting a Security Concern

If you have a security-related concern or wish to disclose a vulnerability, please visit our responsible disclosure page for details on how to submit a report.

Physical Security

PagerDuty uses ISO 27001 and FedRAMP certified data centers. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, biometric locks and other electronic means. Only authorized personnel have access to the data centers.


System and Software Security

The PagerDuty system infrastructure is updated regularly with the latest security patches. All of our servers run hardened, patched operating systems.

We employ an internal team of engineers to keep our software and its dependencies up to date, eliminating potential security vulnerabilities. This team carefully audits and tests all software components that affect the overall security of the system.

Communications

All communications with PagerDuty via our web application or APIs are transmitted over SSL connections.

Data encryption

All server-to-server communications within PagerDuty’s infrastructure are encrypted with IPsec running in transport mode.


Perimeter Security

As well as utilizing the firewall controls available via our cloud providers, we also employ custom firewalls on every server to block unauthorized system access. Additionally, we utilize continuous port scanning to immediately detect any potential misconfigurations within our infrastructure.


Data Security and Backups

All customer data is written to multiple disks instantly in multiple geographically distinct data centers. We use a minimum of three different data centers to store all customer data.

We back up customer data on a daily basis to an offsite location.

Employee Access

No PagerDuty employees ever access accounts unless required to for support reasons. All employees have signed Non-Disclosure Agreements with PagerDuty. Employees will not access, view, or change configurations on your account without you first being notified. We strive to pre-announce any changes to the system that will affect your use in any way.

Employee access to our infrastructure is strictly limited to engineers who require such access in order to maintain the stability and efficiency of our systems. Access is based upon the principle of least privilege, and requires the use of two-factor authentication. All access attempts are logged, and multiple failed attempts will cause the relevant users to be locked out.

Payment Processing

Our payment processor, Braintree, is a validated Level 1 PCI DSS Compliant Service Provider. Additionally, they are on Visa’s Global Compliant Provider List and MasterCard’s SDP List. They conduct regular automated vulnerability scans and have extended external penetration testing conducted by outside sources.

Additional Information

For more information on security at PagerDuty, read our latest security white paper.

If you have any additional concerns, please feel free to reach out to support@pagerduty.com with any questions.