
Security Practices

Updated March 01, 2025

These Plumsail Security Practices describe Plumsail’s security practices and safeguards, which include physical, organizational, and technical measures, utilized by Plumsail and designed to preserve the security, integrity, and confidentiality of the Services and Customer Content and to protect against information security threats.

1. Information Security Program.

1.1 Information Security Program. Plumsail maintains a comprehensive written information security program, including policies, standards, procedures, and related documents that establish criteria, means, methods, and measures governing the Processing and security of Customer Content and the Plumsail systems or networks used to Process or secure Customer Content (“Plumsail Information Systems”) in connection with providing the Services under the Agreement.

1.2 Acknowledgement of Shared Responsibilities. The security of data, including Customer Content, that is accessed, stored, shared, or otherwise Processed via Plumsail Services is a shared responsibility between Plumsail and Customer. Plumsail is responsible for the implementation and operation of the Plumsail information security program. Customer is responsible for appropriately implementing access and use controls and configuring certain features and functionalities of Plumsail Services that Customer may elect to use.

1.3 Plumsail Personnel Confidentiality. Plumsail will ensure that Plumsail Personnel: (a) are bound by confidentiality obligations with respect to Customer Content substantially as protective as those set forth in the Agreement; and (b) are subject to appropriate training relating to the Processing of Customer Content.

2. Security Controls. In accordance with its information security program, Plumsail shall implement commercially reasonable physical, organizational, and technical controls designed to: (a) ensure the security, integrity, and confidentiality of Customer Content Processed by Plumsail; and (b) protect Customer Content from known or reasonably anticipated threats or hazards, including to its security, integrity, accidental loss, alteration, disclosure, and other unlawful forms of Processing. Without limiting the foregoing, Plumsail will, as appropriate, utilize the following controls:

2.1 Updates. Plumsail will maintain programs and routines to keep the Plumsail Information Systems up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications.

2.2 Firewalls. Plumsail will configure and maintain firewalls to protect both Customer Content and Plumsail’s non-public data.

2.3 Anti-Malware. Plumsail will use up-to-date anti-malware tools (including anti-virus software) configured for automatic updates and designed to mitigate threats from viruses, worms, Trojan horses, spyware, ransomware, and other malicious code that can reasonably be detected.

2.4 Testing. Plumsail will regularly test its security systems, processes, and controls to ensure they meet the requirements of these Security Practices.

2.5 Access Controls. Plumsail will maintain an access control policy to control Personnel access to any Plumsail Information Systems that include Customer Content. The access control policy will include, without limitation, the access controls described below to secure Customer Content Processed by Plumsail Information Systems:

      2.5.1 Plumsail will assign a unique ID to Plumsail Personnel with access to Plumsail Information Systems.

      2.5.2 Plumsail will restrict access to Plumsail Information Systems to Plumsail Personnel that demonstrate a legitimate business need for such access.

      2.5.3 Plumsail will regularly review the list of Plumsail Personnel and services with access to Plumsail Information Systems and remove accounts that no longer require access and excessive privileges that are no longer needed.

      2.5.4 Plumsail will (a) maintain a password management policy designed to mandate the use of system-enforced strong passwords consistent with industry-standard practices, (b) require the use of multi-factor authentication to Plumsail Information Systems that include Customer Content, (c) not use manufacturer supplied defaults for system passwords on any operating systems, software, or Plumsail Information Systems, and (d) require that all passwords and access credentials be kept confidential and not shared among Plumsail Personnel.

2.6 Policies. Plumsail will maintain and enforce appropriate information security, confidentiality, and acceptable use policies for Plumsail Personnel that meet the standards set forth in these Security Practices, including methods to detect and log policy violations.

2.7 Data Separation. Development and testing environments will be separate from Plumsail Information Systems.

2.8 Deletion. Plumsail will utilize procedures that are at a minimum in accordance with National Institute of Standards and Technology (NIST) SP 800-88 Revision 1 recommendations (or a successor standard widely used in the industry) to render Customer Content unrecoverable prior to disposal of media.

2.9 Remote Access. Plumsail will ensure that any access to Plumsail Information Systems located within Plumsail private networks will require the use of encrypted VPN connections with multi-factor authentication.

2.10 Encryption. Plumsail will utilize industry-standard encryption methods that are consistent with or exceed recommendations set forth by industry standard-setting organizations such as NIST or the Center for Internet Security (CIS). In accordance with such standards, Plumsail will encrypt Customer Content in transit and at rest and will only allow encrypted connections to the Service for the transfer of Customer Content.

3. Use of Third Parties.

3.1 General Security. Third parties engaged by Plumsail in accordance with the Agreement will, at a minimum, maintain substantially similar levels of security as required by these Security Practices.

3.2 Data Hosting. Any third-party cloud service provider (“CSP”) that Plumsail utilizes to host and Process Customer Content, including without limitation its current provider Microsoft Azure, will have, at a minimum, industry-standard physical security precautions in place and will conform to ISO 27001 or equivalent certification standards. Without limiting the foregoing, Plumsail CSPs will meet the following requirements:

      3.2.1 Physical Security. Plumsail’s CSPs will: (a) maintain adequate physical security and access controls as described herein; (b) use professional HVAC and environmental controls; (c) utilize a professional network/cabling environment; (d) use professional fire detection/suppression capability; (e) limit access to authorized personnel only; and (f) maintain a comprehensive business continuity plan.

      3.2.2 Annual Audit. Conduct annual independent risk assessments and audits, and provide Plumsail with the resulting reports. In addition, Plumsail shall conduct annual reviews and assessments of any critical CSP to validate the security measures meet, at a minimum, the requirements of these Security Practices.

      3.2.3 Enhanced Requirements. Possess the requirements and capabilities of a highly available, redundant (“N+1”) data center, in which each critical component has at least one independent backup component, so that system functionality continues at acceptable performance levels in the event of a component failure.

4. Business Continuity and Disaster Recovery. Plumsail will maintain a disaster recovery (“DR”) program designed to address the recovery of the Services following a disaster. At a minimum, the DR program will include: (a) validation testing of procedures used to regularly create backup copies of Customer Content; (b) annually reviewed and updated inventories listing all critical Plumsail Information Systems; and (c) annual review, testing and updating of the DR program.

5. Security Breach.

5.1 Procedure.

      5.1.1 Plumsail will notify Customer in writing without undue delay upon Plumsail becoming aware of a confirmed Security Breach. Unless otherwise agreed upon by the Parties in writing, notification of a Security Breach will be delivered to Customer’s billing email address on file with Plumsail. Customer is solely responsible for maintaining accurate contact information at all times.

      5.1.2 Plumsail will investigate and, as necessary, mitigate or remediate a Security Breach in accordance with Plumsail’s security incident policies and procedures (“Breach Management”).

      5.1.3 Subject to Plumsail’s legal obligations, Plumsail will provide Customer with information available to Plumsail as a result of its Breach Management, including the nature of the incident, specific information disclosed (if known), and any relevant mitigation efforts or remediation measures (“Breach Information”), for Customer to comply with its obligation under applicable laws as a result of a Security Breach.

      5.1.4 If Customer requires information relating to a Security Breach in addition to the Breach Information, then, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Plumsail will reasonably cooperate with Customer as requested by Customer to attempt to collect and provide such additional information.

5.2 Unsuccessful Attempts. An “unsuccessful attack” is one that does not result in unauthorized or unlawful access to Customer Content and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or TCP/UDP headers), or similar incidents. An unsuccessful attack is not a Security Breach subject to this Section 5.

5.3 Customer or User Involvement. Unauthorized or unlawful access to Customer Content that results from the Customer’s configuration settings, compromise of a User’s login credentials, or from the intentional or inadvertent sharing or disclosure of Customer Content by the Customer or a User is not a Security Breach.

5.4 Disclaimer. Plumsail’s obligation to report or respond to a Security Breach under this Section 5 is not an acknowledgment by Plumsail of any fault or liability of Plumsail with respect to the Security Breach.

6. Auditing and Reporting.

6.1 Monitoring. Plumsail conducts various audits, risk assessments, and other monitoring activities to ensure the effectiveness of its security measures and controls on an ongoing basis.

6.2 Penetration Testing. Plumsail uses internal security experts to conduct penetration testing of the Services at least annually and maintains a year-round bug bounty program for ongoing vulnerability scanning. Plumsail’s annual penetration testing will be performed by independent third-party security professionals at Plumsail’s selection and expense, and will result in the generation of a penetration test report (“Pen Test Report”) which will be Plumsail’s Confidential Information. Pen Test Reports will be made available to Customer upon written request no more often than annually, subject to the confidentiality obligations of the Agreement or a mutually agreed non-disclosure agreement.

6.3 Customer Audit. If Customer legally requires information for its compliance with applicable laws in addition to the Audit and Pen Test Reports, and Customer is unable to access the additional information on its own, Customer may submit a written request for such additional information and assistance to its Plumsail account representative. Customer’s written request pursuant to this Section 6.4 must include information regarding the applicable laws or regulations forming the basis of the request and specific details about the requisite additional information. Plumsail will work with Customer to reach mutually agreed-upon terms regarding the scope, timing, duration, and other details of such additionally requested information and assistance. Plumsail will only be required to undertake the additional measures described in this Section 6.4 once per year unless otherwise required by law.

7. Definitions.

7.1 “Agreement” means the agreement that governs Customer’s access to and use of the Services.

7.2 “Customer” means the individual or entity that executes or accepts an Order or registers for free trial access to and use of a Service and has entered into an Agreement.

7.3 “Customer Content” means any text, personal information, document layouts, source code, pictures, video, images, audio materials, graphics, documents, data files or any other content that Customer or its Users uploads or submits to the Services. Customer Content does not include usage, statistical, learned, or technical information that does not reveal the actual contents of Customer Content.

7.4 “Process” means any operation or set of operations performed upon Customer Content, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.

7.5 “Security Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or unauthorized access to, Customer Content.

7.6 “Services” means all online services, add-ons, or applications that are provisioned or controlled by Plumsail.

7.7 “Plumsail Personnel” means any individual authorized by Plumsail to Process Customer Content.

7.8 “User” means any individual authorized or invited by Customer or another User to access and use the online Services under the terms of the Agreement.