Plek Information Security
Plek is built on a strong foundation of security and privacy that keeps our platform secure while helping our clients of all sizes meet their requirements for security, privacy and compliance.
Secure architecture
Plek’s private cloud-based platform is purpose-built on fundamental principles of security and privacy.
Security controls
We have implemented best-in-class security, privacy and compliance controls to keep your data safe.
Company culture
We educate and hold everyone accountable to fulfilling their obligations to protect your data.
Data Security and Privacy Controls
Auditing, certification and penetration testing
The Plek organisation is ISO27001 certified and complies with the BIR/BIO requirements of the Dutch and European governments. All Plek hosting is ISO27001 and NEN7510 certified. We continually manage risk and undergo recurring assessments to ensure compliance with industry standards. The Plek application and networks are penetration tested at least annually.
Fully GDPR compliant
Plek fully complies with GDPR standards for data privacy and security.
Data storage and transfers
All Plek infrastructure and data storage is hosted and managed in private Netherlands-based secure data centers. Plek and its subprocessors never transfer customer data outside the European Economic Area (EEA).
Enterprise availability and security that you can trust, as standard:
- ISO27001 certified
- 99.99% uptime
- SIEM
- SSO
- 2+FA (two-factor and multi-factor authentication)
- Encryption at rest
All customer data is securely encrypted at rest.
Plek Security Overview
Access Management
- Plek adheres to the principles of least privilege and role-based permissions when provisioning access; our people are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities. Unless otherwise agreed, our people can never access customer data.
- Plek utilizes multi-factor authentication for employee access to internal systems. VPN multi-factor and SSH are required for accessing the Plek Hosted environments.
- Plek employees are required to use an approved password manager.
You can add an additional layer of protection to your Plek by enabling multi-factor authentication, which reduces the risk of unauthorized access to your Plek and protects your company data and user information.
Encryption
- Plek encrypts data using secure cryptographic algorithms.
- All data in transit is encrypted using TLS 1.2 or greater.
- Plek leverages AES-256 encryption for data at rest.
- Key management is in place for all Plek encryption keys.
- Plek employee endpoints are configured to comply with Plek security standards.
- These standards require all endpoints to be properly configured and updated, to run up-to-date Endpoint Protection software, to employ encryption at rest, to use strong, complex passwords, and to lock when idle.
Network Security and Server Hardening
- Plek segments its platform layers into separate networks with restrictive access between layers to protect customer data.
- Plek utilizes separate hosting environments for Staging, Development, and Production.
- Network access to Plek’s hosting environment is restricted with only load balancers accessible from the Public Internet.
- Only Plek application servers can access Plek database servers.
- Plek logs, monitors, and audits all system events, and has alerting in place for events that indicate a potential intrusion or exfiltration attempt.
- Plek uses an industry-leading Security Information and Event Management (SIEM) solution to collect, aggregate, and correlate millions of system events a day across Plek’s hosting environment, giving the Security and DevOps teams real-time insight into potential security events.
- Administrative access, use of privileged commands, and system events on all endpoints in Plek hosting environments are logged and monitored.
- Analysis of logs is automated to detect potential issues and alert the Security and DevOps teams.
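As an added illustration of the tiered network model described in the bullets above (public Internet reaches only the load balancers, load balancers reach the application tier, and only application servers reach the database servers), the following Python encodes such a policy as an explicit allow-list with default deny, and then uses the same policy to flag observed flows that should never occur, which is the kind of signal the SIEM alerting mentioned above is built on. This is example code written for this page, not Plek's own configuration; the zone address ranges, ports and sample flows are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed zone layout for the example. Zones are matched longest-prefix
# first, so the private tiers take precedence over the catch-all "internet".
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "lb": ip_network("10.0.1.0/24"),    # load balancers
    "app": ip_network("10.0.2.0/24"),   # application servers
    "db": ip_network("10.0.3.0/24"),    # database servers
}

# Explicit allow-list of (source zone, destination zone, destination port).
# Anything not listed here is denied: there is no rule letting the Internet
# reach "app" or "db", and none letting "lb" reach "db" directly.
ALLOWED_FLOWS = {
    ("internet", "lb", 443),
    ("lb", "app", 8080),
    ("app", "db", 5432),
}


def zone_of(ip: str) -> str:
    """Return the most specific zone containing the address."""
    addr = ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1]


def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Evaluate one flow against the allow-list; default deny."""
    key = (zone_of(src_ip), zone_of(dst_ip), dst_port)
    return "allow" if key in ALLOWED_FLOWS else "deny"


def policy_violations(flows):
    """Given observed flow records (src, dst, port), e.g. from flow logs,
    return those the policy would not permit. Seeing such a flow in practice
    means either a misconfiguration or an attempt to cross tiers, so these
    are the records worth alerting on."""
    return [f for f in flows if decide(*f) == "deny"]


# Constructed sample flow records: three expected, three that violate policy.
SAMPLE_FLOWS = [
    ("203.0.113.9", "10.0.1.5", 443),   # internet -> lb, HTTPS: allowed
    ("10.0.1.5", "10.0.2.8", 8080),     # lb -> app: allowed
    ("10.0.2.8", "10.0.3.7", 5432),     # app -> db: allowed
    ("203.0.113.9", "10.0.3.7", 5432),  # internet -> db: denied
    ("10.0.1.5", "10.0.3.7", 5432),     # lb -> db, skipping app tier: denied
    ("10.0.2.8", "10.0.1.5", 22),       # app -> lb over SSH, not listed: denied
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", decide(*flow))
    print("violations:", len(policy_violations(SAMPLE_FLOWS)))
```

The point of the allow-list shape is that adding a new permitted path is a deliberate, reviewable change, while every flow that nobody wrote down is denied and, when it shows up in the logs, surfaced as a potential intrusion or misconfiguration.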
Penetration Testing & Vulnerability Management
- Plek tests all code for security vulnerabilities before release and regularly scans its network and systems for vulnerabilities.
- Plek engages a third party service to conduct application and infrastructure penetration tests on at least an annual basis.
- Results of these tests are prioritized and remediated in a timely manner and shared with senior management.
Research & Disclosure
At Plek we take cybersecurity seriously and value the contributions of the security community at large.
The responsible disclosure of potential issues helps us ensure the security and privacy of your and our data.
- Plek's secure software development life cycle aligns with OWASP best practices.
- All code changes require peer review and testing (both manual and automated) prior to promotion to production. No single individual may request and implement changes without review from several other individuals, and all changes are logged and tracked.
- All developers are required to complete training on secure development practices.
- With Plek you can set up and control multiple layers of access and security for information: from secure hidden layers, to open groups and content, to publicly visible information (optional, off by default).
- With a clear rights structure and access management you can control who has access to what information.
- Plek's software and user interface support your users in adhering to secure practice, e.g. by providing warnings before sharing information or granting access to people.
- Plek provides brute-force protection for access controls.
- Plek has a security awareness program that serves to ensure everyone in our team understands the importance of security and its intersection with their workday.
- New employees and contractors are required to take security training and training completion is audited throughout the year.
- Plek employees are required to read and adhere to Plek's IT and Security policies.
- Plek's physical office has a number of security controls in place including access control and remote monitoring.
- The Information Security team leverages several security threat intelligence sources to keep up to speed on the latest and emerging security threats. This information is disseminated through regular security awareness campaigns to help ensure that Plek employees are aware of these threats and know what to do in the event that they encounter them.
Reliability
- Our platform is designed to be highly available with minimal downtime. Plek uses both automated and manual tools to monitor the availability of our services.
- Impacts to the reliability of our platform are promptly reported on our real-time status page.
Disaster Recovery and Business Continuity
- Plek utilizes services deployed by its hosting provider to distribute production operations across separate availability zones. These distributed zones protect Plek's platform from network, power, infrastructure and other common location-specific failures.
- Plek performs daily backups and replication of its databases across distributed zones and supports restore capability to protect the availability of Plek's platform in the event of a site disaster affecting any of these locations.
- Plek tests backup and restore capabilities periodically to ensure successful disaster recovery.
Responding to Security Incidents
- Plek has established policies and procedures for responding to security incidents.
- All security incidents are managed by Plek’s Security Incident Response Team. The policies define the types of events that must be managed via the incident response process and classify them based on severity.
- In the event of an incident, affected customers will be informed via email. Incident response procedures are tested and updated at least annually.
Data Privacy Overview
Plek's data privacy controls are designed to honor our obligations around how we collect, process, use and share personal data, as well as our processes to support data retention and disclosure in compliance with applicable privacy laws, including the GDPR.
Plek collects and uses personal data in accordance with our Privacy Policy, and offers our clients a Data Processing Addendum and Service Provider Addendum that fully complies with the GDPR.
Data Sharing and Processing
- Plek's platform complies with GDPR and provides a high level of protection for personal data. This includes only collecting, processing, and storing customer data in compliance with these obligations and providing you the right to access or delete it at any time.
- Plek has implemented policies that provide controls for deleting customer data when it is no longer needed for a legitimate business purpose.
- Plek uses cookies only in accordance with our Cookies Policy.
Data Disposal
- As a customer, you can request data deletion at any time during the subscription period. Plek can honor requests for erasure, access, and rectification so that our clients can comply with the GDPR.
- Plek’s hosting providers maintain industry-standard security practices for ensuring the permanent removal of data from storage media.
Vendor Management
- Plek only shares customer data with third parties that contractually agree to protect the confidentiality and privacy of the data.
- Plek has established agreements that require subprocessors to adhere to confidentiality commitments and take appropriate steps to ensure our security posture is maintained.
- Plek only works with subprocessors that contractually agree not to transfer personal data outside of the EEA.
Employee data privacy
- You can choose which personal information can be entered and/or is mandatory in user profiles. Users can choose to whom to provide access to specific personal information in their profile, such as date of birth or private contact information, via an optional 'Connect' option.
- User statistics in Plek adhere to privacy requirements and can be adjusted to comply with your company policy.
- When users are archived, e.g. when an employee leaves or a member ends their membership, all personal data is removed and content created by the user is anonymised.
Additional Enterprise Security and Service options
With Plek you can rest easy knowing your security requirements are met. With SSO (OpenID), security reviews prior to purchase, and industry-leading SLA uptime commitments, we have your needs covered.
Single Sign-On with Azure AD, ADFS, OAuth2 or OpenID
SSO connects your AD or Identity Provider with Plek. This allows your users to securely log in to your site through your platform or a third party with one set of credentials, keeping user management in your own hands, which increases security.
Using custom SSO? Add an extra layer of security to your Plek-platform by setting up safe-listed domains.
You can also use Plek as identity provider and offer your users SSO-access to other platforms.
2FA and MFA options
You can enforce always-on or periodic (randomly triggered) two factor or multifactor authentication. Contact your implementation team to discuss options.
Enterprise-Grade Support and SLAs
- Plek offers a clear and complete SLA as standard. Plek can also offer additional Support and Service Level Agreements detailing our commitment to providing you with comprehensive support.
- Sleep well knowing that we will work around the clock to ensure that mission-critical components of Plek are available at least 99.99% of the time.
- If your organization has special security needs, we are available for a thorough review and evaluation of our information security and privacy policies and measures, with you and/or a reviewing third party, prior to entering into an agreement.
Transparency
We gladly provide you with ISO27001 audit reports and recent penetration testing reports after you sign a Non-Disclosure Agreement.