Last Updated: September 25, 2024
This Security Addendum describes Pigment’s policy related to the principles and architecture of the security and privacy related practices, and the administrative, technical and physical controls applicable to the Services. Capitalized terms in this Security Addendum shall have the meaning assigned to them in the Agreement unless otherwise defined herein.
(a) Accountability: Pigment has dedicated security personnel that act as a point of contact of all information security matters and is responsible for designing, enforcing, and controlling the security policies, standards and procedures applicable at Pigment. The security team is responsible for continuously identifying and quantifying the operational and technical risks faced by the organization and adjusting the policies to ensure their adequate coverage of the identified risks.
(b) Risk management: Risks are continuously re-assessed and quantified. An annual review is performed, and a gap analysis is performed against the security controls. The security roadmap is informed and prioritized by this gap analysis.
(c) Policies: Pigment maintains a set of written information security policy documents consistent with established industry standards.
(d) Compliance: Pigment develops and maintains security and privacy compliance programs to ensure alignment of security practice with industry standards, independent audits from certified third parties, and transitive compliance to standards, regulations and laws. Supporting evidence of these compliance efforts can be provided upon customer request.
Pigment emphasizes on the following principles in the design and implementation of its security program and practices.
(a) Confidentiality: The “least privilege principle” is enforced wherever possible (this includes network configuration, application access to data stores, and Pigment employee privileges on internal systems). Customer data can only be accessed by authorized personnel: customer success managers (CSM) assigned to named accounts, support teams upon customer request, and authorized engineers that may need to access data for troubleshooting. Access to production data by internal personnel is subject to logging.
(b) Integrity: Pigment strives to preserve the accuracy and consistency of customer data over time. Daily backups are performed on all our persistent storage systems. Changes made to the data are recorded in Pigment’s built-in audit trail feature, which allows users to track modifications, ensures accountability and allows restoring previous states. Snapshots allow users to set restore points of their choosing.
(c) Availability: The Solution is delivered from industry-leading cloud providers so that it can rely on their platform availability SLAs. The service is spread across several availability zones to guarantee continuity of service in case of failure of one of the zones.
(d) Business continuity and disaster recovery: Pigment’s infrastructure follows the infrastructure-as-code principle, which allows the service to be quickly restored in another region or on a different service provider. Customer data is backed up in several geographical regions. In case of occurrence of a disaster and unless otherwise noted, Pigment's Recovery Time Objective (RTO) is six (6) hours and Recovery Point Objective (RPO) is twenty-four (24) hours.
(e) Data Sovereignty: Pigment commits to disclose the location of the infrastructure hosting and processing customer data.
(a) Continuous security assurance program: Pigment operates a continuous security assurance program to provide a security posture that is proportionate to the risks. This program leverages internal resources and a variety of vetted third-party security vendors and includes activities such as:
Third party audits are conducted at least once a year.
Our vulnerability mitigation objective is to mitigate critical vulnerabilities within five (5) days, high impact vulnerabilities within thirty (30) days and medium impact vulnerabilities within ninety (90) days. These objectives are indicative and may be reassessed on a case-by-case basis by Pigment’s CISO.
(b) Security & privacy training: all employees are trained about common security threats. Training sessions take place during employee onboarding, followed by yearly training and awareness sessions as per a risk-driven training plan.
(c) Employees are subject to our data privacy policy & computer security policy: Checks include:
(d) A clear & documented off-boarding process: In case of employment termination, employee access is revoked without delay.
(e) Third party service providers: Pigment personnel take commercially reasonable steps to select and retain only third-party service providers that will maintain and implement the security measures consistent with the measures stated in this Security Addendum and in accordance with all applicable laws and regulations. Vendors undergo a security vetting process that is scoped according to the goods or service being provided.
(a) ISO 27001 and SOC compliant infrastructure: All customer data is hosted on industry-leading hosting providers which are SOC 2, ISO 27001 and ISO 27018 compliant.
(b) Identification and Authorization controls: All connections to any third-party or internal service involved in the provision of the Solution are made in compliance with current state-of-the-art security standards, including systematic use of encryption in transit and multi-factor authentication. Authentication is made against a central source-of-truth user database. Privileges are granted through role-based access control according to the principle of least privilege, and groups are reviewed annually.
(c) Minimal exposure: We implement the principle of least exposure by ensuring we only expose a minimal attack surface, thus minimizing the risk of exposing potentially vulnerable components.
(d) Network segregation: our production networks are isolated from our R&D networks. Pigment’s development environments do not hold production data and are logically separated from the production environment.
(e) Data Encryption. Pigment uses industry-standard encryption methods to protect customer data and communications during transmissions between a client’s network and Pigment. All data in transit between client and server is encrypted using HTTPS/TLS. Customer data is stored encrypted at rest.
(f) Backups of all our databases are performed daily and restoration tests are part of our release process and are carried out on a daily basis.
(g) Versioned change management: All Pigment’s infrastructure is created via Infrastructure-as-Code and the imperative configuration management design pattern: this allows Pigment to ensure that the desired configuration is uniformly deployed and correct throughout the platform components at any point in time. All changes are committed to production through code versioning and systematically undergo peer review. Code is pushed to production through a Continuous Integration / Continuous Deployment (CI/CD) process, which allows for progressive deployment and rollback procedures.
(h) Development environments: Production and staging environments are strictly separated. Non-production environments don’t contain production data. Strict change management is applied, and systematic peer reviews are enforced in the version management system and code release system.
(i) Static dependency checking is performed on the third-party libraries we use, such that alerts are raised as soon as one of them is affected by a newly discovered vulnerability. As a general rule, we continuously update all dependencies even when they are not affected.
(j) Service continuity and disaster recovery: Pigment relies on its cloud infrastructure service provider’s business continuity standards. The infrastructure is deployed in order to sustain the loss of an availability zone without service interruption. If an outage impacts an entire cloud region, Pigment can restore the service in another region in a reasonable time thanks to Infrastructure-as-Code. Pigment's Recovery Time Objective (RTO) is six (6) hours and Recovery Point Objective (RPO) is twenty-four (24) hours.
(k) Physical security: Our production environment is hosted on industry-leading hosting providers that comply with the strongest physical security standards. Physical security of the offices is under the responsibility of Pigment’s Security team. Security controls are in place to ensure that customer data is not exposed on employees' workstations, at the office as well as in the context of work-from-home arrangements.
(l) Human resources security: We perform background checks for all employees, and we implement a whistleblowing policy that encourages employees to report illegal or unethical behavior. We have a documented onboarding and offboarding process. We implement a strict need-to-know policy that limits the exposure of customer data to authorized personnel and maintains audit trails of sensitive actions.
(m) Secure data disposal: Customer data is securely deleted from the production environment three months after contract termination, or immediately upon request.
(a) User Access rights system: Pigment offers a fine-grained access right system on the data the customer holds in the platform. Giving access to only certain models, parts of a model or part of the data contained in a model block to a select group of customer employees is possible.
(b) Secure authentication system: our authentication system supports SAML 2.0 Single Sign-On (SSO), which clients can use to centrally manage user access. Controls are in place to ensure that passwords meet a reasonable complexity level, are reset on first use, and are robust against password-related attacks such as dictionary, brute-force, password spraying and credential stuffing. The password initialization procedure makes use of high-entropy, short-validity, one-time tokens.
(c) Security Audit Logging: Pigment customers have access to an audit trail that tracks the modifications made by users on the platform so that changes in the customer’s data can be attributed to a responsible user account.
(d) Built-in backup system: The Pigment platform performs backups of the customer data every 24h. Backups are stored in several geographical regions to minimize the risk of data loss.
(a) Security Incident detection: Infrastructure and application logs are produced, securely collected, centralized, indexed, correlated, and monitored in a central system that serves a Security Operations Center (SOC). Sensitive security events are subject to an alerting system that is monitored by the engineering and security teams. Sensitive user data is filtered from log events.
(b) Incident management process: Pigment maintains incident management policies and procedures describing the roles and responsibilities of the Support, TechOps, Security and Engineering teams and other functional groups. Escalations between the teams are determined based on the nature of the issue (infrastructure, security, application, or client model), duration of issue, and/or scope of issue. A root cause analysis is performed after an issue is resolved.
(c) Customer notification: Customers will be notified of incidents without undue delay from discovery of an incident impacting the security of their users or confidentiality of their data. Customers will be regularly informed on the status of the incident resolution. Pigment reserves the right to update this Security Addendum from time to time, provided that no such update will materially and adversely diminish the overall security of the Solution.
(d) Vulnerability disclosure / incident reporting: Security issues must be reported to Pigment at security@gopigment.com or by any other acceptable means published in our responsible disclosure policy at https://pigment.app/.well-known/security.txt.
You agree and acknowledge to be responsible for the following:
(a) managing the access rights of Authorized Users related to the Solution, including designing an access control and privilege matrix and performing periodical access rights reviews;
(b) selecting an appropriate authentication method among those We offer, and enforcing password controls (including but not limited to password robustness, password sharing, password reuse or password compromise);
(c) deploying and managing the System for Cross-domain Identity Management (SCIM) protocol, single sign-on (SSO) and multi-factor authentication (MFA);
(d) selecting the appropriate data center location amongst those We offer;
(e) performing change management activities pertaining to Authorized Users’ utilization of the Solution (including but not limited to testing of changes or releases in their Pigment environment, such as data, models, formulas, boards, etc.);
(f) the ingestion, long term storage, event correlation and alerting of activity logs We produce; and,
(g) following any additional security best practices We reasonably request You to follow from time to time.