Please refer to this page to learn about California Resident Rights.
Pendo is a corporate member of the Cloud Security Alliance (CSA) and is part of CSA's Trusted Cloud Provider program. Pendo maintains a copy of its CSA Consensus Assessment Initiative Questionnaire (CAIQ) in the CSA STAR Registry.
Pendo is in full support of the General Data Protection Regulation (GDPR).
Please see this page to learn about European Union Data Subject Rights.
For any GDPR requests, please reach out to gdpr@pendo.io.
Pendo has been assessed by an independent auditor for the HIPAA criteria that are addressed by the AICPA Trust Services Criteria. The HIPAA criteria that are addressed by the AICPA Trust Services Criteria are as follows:
Under NDA, Pendo can provide a SOC2 Type II + HIPAA audit report.
Pendo conducts an annual SOC 2 Type II audit that includes all 5 Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy. This report can be provided under NDA.
Pendo's most recent SOC2 Type II report was issued in February 2022 and covers the audit period of January 1, 2021 through December 31, 2021. Our auditors have not identified any control deficiencies.
Pendo can also provide a SOC3 report, which is an abbreviated version of our SOC2 Type II report, without an NDA being in place. Please contact your Pendo account executive or customer service manager for assistance with obtaining a copy of our SOC2 Type II and SOC3 reports.
Pendo logs and stores every change, every action and every event, including the deletion of data, for easy auditing and root cause analysis.
Pendo customers can choose to use multi-factor authentication for their access to Pendo's service by either using SAML to integrate with their own identity management system, or by using Google SSO.
Also note that Pendo employees use multi-factor authentication for access to all systems containing customer and other sensitive data.
Pendo lets you set granular access controls to grant and restrict capabilities based on specific roles and authorities.
In addition to SAML SSO, Pendo also supports Google Authentication. If a user's Google email and Pendo login addresses match, authentication may be required through Google. Authentication through Google also supports two-factor authentication.
Note that while SAML support is not provided by default with entry-level service tier plans, it is available as a relatively low-cost add-on to any service plan.
All data hosted by Pendo is encrypted. Pendo uses industry-accepted encryption products to protect data at rest, with 256-bit AES encryption.
TLS 1.2/1.3 and HTTPS are used to protect data in transit.
By default, we retain Personal Data about you for 7 years as long as you have an open account with us or as otherwise necessary to provide you with our Services. In some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally.
Pendo supports data deletion requests for both the data we control and the data we process.
Kate Helin is Pendo’s DPO. A licensed lawyer who was introduced to data protection at the Department of Defense, Kate is responsible for defining and enforcing Pendo’s privacy policies across the company.
Policies and procedures for operational and incident response management require incidents to be logged and reviewed with appropriate action (e.g. system changes) taken if necessary.
A formal incident response plan and standard incident reporting form are documented to guide employees in the procedures to report security failures and incidents. The incident response plan enforces a process of resolving and escalating reported events. Its provisions include consideration of needs to inform internal and external users of incidents and advising of corrective actions to be taken on their part as well as a “post mortem” review requirement.
Pendo is designed for uninterrupted uptime and enterprise scale, processing millions of events per hour and billions per day, with no degradation of performance.
Pendo utilizes tools that measure processing queues to verify the timeliness of processing incoming data while monitoring real-time results. Data loss during processing is detected and automatically triggers an alert to the Engineering team, which addresses it. When processing errors occur within Pendo’s application, the change management process is followed: a change ticket is initiated and the error is investigated and resolved.
See the current status of Pendo, be informed of any downtime, and subscribe to updates.
Members of the Pendo workforce that have access to customer data are required to undergo background checks.
Pendo employees receive training in data privacy concepts and responsibilities, as well as Pendo commitments on privacy, within two weeks of hire and refresher training on an annual basis.
In addition, Pendo personnel are required to read and accept Pendo’s Code of Conduct and the statement of confidentiality and privacy practices upon their hire and to formally reaffirm them annually thereafter.
Access to Pendo’s office location is monitored by a receptionist during business hours. Doors are locked outside business hours and when a receptionist is not present. Visitors to Pendo’s office location are required to sign in and are provided a temporary identification badge. Physical keys and card access to areas where critical equipment is located are restricted to authorized individuals. Pendo management reviews holders of keys and access cards annually.
Pendo maintains a written Business Continuity Plan that documents the organization’s processes for triaging, remediating, and recovering from catastrophic incidents or disasters that may affect critical business processes.
Pendo services are deployed into multiple physically separate zones within Google Cloud Platform (GCP) regions. Data is replicated in near real time across multiple zones. Any zone can fail and the service continues to operate normally.
In addition, critical settings and customer subscription configurations are backed up on at least a daily basis. Backup system settings are reviewed and monitored on a weekly basis to ensure this is operating effectively.
GCP and AWS employ industry-leading security controls and are extensively audited. Both hold multiple certifications, including SOC2 Type II, ISO 27001, PCI, and FedRAMP. For more information about their security practices, see below:
Data submitted to Pendo and Pendo’s application are processed and stored in a secure, multi-tenant environment. Logical segmentation techniques, such as having separate namespaces for each customer, are used to prevent co-mingling of customer data.
On at least an annual basis, Pendo undergoes third-party penetration testing using well-established consulting firms. Management addresses all vulnerabilities identified within defined timeframes based on severity level, which is determined using the Common Vulnerability Scoring System (CVSS). A summary of the annual penetration test report can be provided under NDA.
On at least a weekly basis, Pendo executes vulnerability scans to detect vulnerabilities in Pendo’s application. Dynamic and Static Application Security Testing (DAST and SAST) tools are used to conduct these scans.
Refer to this page for the most current list of Pendo's subprocessors, and to subscribe to updates. The list below is current as of May 17, 2022.