Last updated: July 7, 2023
Innovation is fun, but it's also a critical part of the success of any company. As such, we take security very seriously at LaunchPath. We adhere to stringent enterprise security standards and are SOC 2 Type II certified, having received an unqualified attestation.
LaunchPath successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that LaunchPath’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security. LaunchPath was audited by Prescient Assurance, a leader in security and compliance certifications. For more information about Prescient Assurance, you may reach out to them at info@prescientassurance.com. An unqualified opinion on a SOC 2 Type II audit report demonstrates to LaunchPath’s current and future customers that we manage their data with the highest standard of security and compliance. Customers and prospects can request access to the audit report by emailing us at security@launchpath.io.
At LaunchPath, integration of new vendors is never taken lightly. Potential new vendor integrations are carefully considered based on their perceived resilience and reputation, impact on our product agility, and any security implications. At minimum, any vendor considered must be SOC 2 certified.
All critical LaunchPath infrastructure is hosted directly on Amazon Web Services (AWS), or through vendors who host their data on AWS. AWS provides around-the-clock physical security and environmental protection.
For all LaunchPath systems that process or store sensitive information, data is encrypted in transit and at rest using TLS and AES 256-bit encryption. Data is backed up multiple times a day in a different physical location from production data centers. Data resides in US-based AWS data centers.
Authentication for LaunchPath is provided through Auth0 for Team plans, or through WorkOS for Business and Enterprise plans incorporating Single Sign-On.
For Business and Enterprise plans, access can be restricted by IP.
LaunchPath's customer-facing API (currently in closed Beta) is authenticated through API tokens that can auto-expire and can be revoked at any time. This API is regularly penetration tested.
LaunchPath allows for multiple levels of permissiveness for employee participation, such as by limiting access either to a select group or to any employee with a company email address. Account and program administration and access to innovation metrics are limited to select roles.
LaunchPath software is regularly scanned during the entire development lifecycle for application vulnerabilities. All critical infrastructure has intrusion detection in place, and penetration tests are performed at least yearly on both our web application and API.
If you have any questions or concerns about security at LaunchPath, please email us at security@launchpath.io.