Vendor Security and Privacy Policy

Our policy regarding content ownership, access, sharing and sale of data, privacy, and security assurances for vendors

Summary

Prevalent helps firms identify and manage risk in third-party business relationships by offering the industry’s only purpose-built, unified platform that integrates a powerful combination of automated assessments, continuous monitoring, and evidence sharing for collaboration between enterprises and vendors. No other product on the market combines all three components, providing the best solution for a highly functioning, efficient third-party risk program.

As a vendor who has received a request to complete an online survey in the Prevalent platform, you may have some questions regarding how your company’s sensitive data is handled. This document will cover content ownership, access, sharing and sale of data, privacy, and security assurances.

About Prevalent

Prevalent, Inc., is a Delaware corporation with its principal place of business located at 11811 N. Tatum Blvd., Suite 2400, Phoenix, Arizona 85028 USA and the parent company of its wholly owned subsidiary, Prevalent Limited (formerly 3GRC LTD), incorporated and registered in England and Wales with company number 09673268, whose registered office is at First Floor, 10/11 Cedarwood Chineham Business Park, Crockford Lane, Basingstoke, Hampshire, England, RG24 8WD. Insight Venture Partners, LLC (“Insight”), a private equity and venture capital firm, is the principal owner of Prevalent, Inc.

Further Information

For further information on this document, contact the Prevalent support and customer success team at:

Content Ownership

The vendor owns their content in the Prevalent platform. Vendors have the power to update their content, request that their content be removed, share it with others, or not share it at all.

Access

Completed vendor assessments and associated evidence are stored in our secure repository, where they are viewable only by the company requesting the assessment, or by Prevalent if the company has outsourced the collection to Prevalent. By completing and submitting the assessment and associated evidence, vendors are allowing the requesting company and/or Prevalent to view it.

Data Sharing

Vendor data is not shared unless vendors expressly approve that their assessment results and associated evidence be shared with entities other than the requesting company or Prevalent.

Sale of Data

Data in the Prevalent Platform will not be sold under any circumstances.

Third-Party Certification

Prevalent holds an SCA certification. The assessment was completed in late December 2019 with PivotPoint as the auditor.

The Standardized Control Assessment (SCA) is the Shared Assessments group’s on-site third-party vendor assessment tool. It is an in-depth, independently validated security assessment of Prevalent’s internal controls: essentially an on-site validation of the answers provided in the SIG questionnaire.

It is applicable to a broad range of frameworks and requirements. The controls specified in the SCA are expressly mapped to controls and requirements for the following:

  • ISO 27001: 2013
  • NIST SP 800-53 (National Institute of Standards and Technology Special Publication 800-53)
  • NIST Cybersecurity Framework
  • HIPAA (Health Insurance Portability and Accountability Act)
  • PCI DSS (Payment Card Industry Data Security Standard)

Location of Data

The Prevalent Platform allows clients to choose the geographic region of deployment and makes use of Availability Zones to ensure service. Data is replicated within Availability Zones, and daily backups are performed. Client data is never stored outside of their chosen region.

Users can check the region their data is stored in at any time by checking the footer of the application user interface.

Data Security

Prevalent assesses the software and service providers used in the operation and support of our applications using our technology. We provide our own SIG Lite and PCF assessments within the Prevalent platform, as well as third-party attestations of our suppliers (as applicable), and documentation of policy, procedure, and technical artifacts as necessary.

Prevalent’s products are all cloud-based SaaS applications hosted in AWS. They are designed to run securely at high scalability and availability, with robust failover processes.

The Prevalent Platform includes layers of security throughout the technology stack. This includes the following security features:

Data and File Encryption

  • Encryption keys stored in Amazon AWS Key Management Service (KMS).
  • All access is logged to CloudTrail for auditing.
  • Data in transit is secured by an AES 256-bit SSL certificate.
  • Databases are AES 256-bit encrypted at rest.
  • File storage is AES 256-bit encrypted at rest.

Scalability

  • Load balancers with a built-in Web Application Firewall (WAF).

Multi-Tenancy Protection

  • All customer data is stored in separate federated databases.

Resilience

  • Databases are backed up daily and retained for 14 days in different Availability Zones.
  • Databases are replicated in standby mode for instant deployment in different Availability Zones.

Endpoint Protection

  • Anti-virus is installed on application servers to scan the servers themselves.
  • Anti-virus is installed to scan all file uploads.

Network Security and DDoS Protection

  • Data and service layers are separated into private subnets that are not publicly accessible.
  • Auto-scaling and AWS Shield enabled to mitigate DDoS attacks.

Monitoring and Auditing

  • The application uses WAF, CloudWatch and Amazon Inspector for self-monitoring and automated alerting on unusual activity.
  • All access is logged to CloudTrail for auditing.

Vulnerability Detection

  • Regular third-party penetration tests after major releases.
  • Weekly automated vulnerability scans.

Access Management

  • Access rights policy, backed by audit logging in CloudTrail and IAM.
  • In-application security features: advanced password strength policy; multi-factor authentication; IP range whitelisting for whole instances and/or individual users.

This process is under constant review and verified by the Prevalent security team.

Privacy Policy

Click here to view the Prevalent Privacy Policy.

Updated September 10, 2020
