How Product Security Hub protects your data
Product Security Hub is built on a secure, modern cloud stack and follows best practices for platform, data, and application security.
Microsoft Azure Platform
Product Security Hub is hosted in Microsoft Azure using Azure App Service, Azure SQL Database, Azure Web Application Firewall on Azure Front Door (Prevention Mode), Microsoft Defender for Cloud, Azure Key Vault for secret storage, Application Insights and Log Analytics for monitoring, and Azure DevOps for source code and change control.
Vulnerability Testing
Manual Code Reviews, Static Application Security Testing, and Software Composition Analysis are continuously run against all source code and open-source components. SSL/TLS Testing and Dynamic Application and Web Application Security Testing are periodically run against the web interface.
Authentication
Microsoft Azure B2C is implemented for authentication, with local accounts and text-message two-factor authentication enabled by default. Self-service password resets are enabled.
Verification & Validation
Rigorous testing follows documented procedures, requirements specifications, test plans, and test reports across development, quality, and production environments. A Verification Report for ProdSecDesigner is available upon request.
Data Security
All communication is protected with TLS 1.2/1.3 encryption, and Transparent Data Encryption (AES-256) is enabled for the database. Backup policies include differential backups every 12 hours, weekly and monthly backups for 3 months, and yearly backups for 1 year. The only user data collected is name, email, and company.