Security and Compliance

Your data security is a top priority at Notably. Your data contains information that only you and your customers need to see, and we intend to keep it that way. Every day we ensure that our security stays in line with industry standards and compliance requirements.

Certifications

Notably has planned to get SOC2 Type I certified by the end of 2021 and SOC2 Type II by mid-2021.
Notably has planned to get ISO/IEC 27001:2013 certification by the end of 2022.

GDPR

GDPR and privacy compliance are critical for businesses to be able to function today. Notably is GDPR and CCPA compliant, and also enables your business to choose its own compliance preferences.

Data & Network Security

Notably uses Amazon Web Services (AWS) facilities in the USA to host its software. You can see Amazon’s compliance and security documents for more detailed information, including SOC 13 and ISO 27001. Notably’s servers are located within our own virtual private cloud (VPC), protected by restricted security groups. We ensure that only the minimal required communication occurs between servers.
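The "restricted security groups" and "minimal required communication" claims above are the kind of thing a reviewer can check mechanically. The following is an added example, not Notably’s own code: it audits a set of security-group ingress rules for the two most common least-privilege failures (a world-open rule on an internal group, and an all-protocols rule between groups). The input follows the field names of the EC2 DescribeSecurityGroups API so it can be run on real `describe_security_groups()` output; the group IDs `sg-lb`, `sg-app`, `sg-db`, the sample rules and the port allowlist are constructed for illustration.

```python
"""Audit EC2 security-group ingress rules for least-privilege violations.

The input mirrors the shape of the EC2 DescribeSecurityGroups API response
(boto3: ec2.describe_security_groups()["SecurityGroups"]). The sample data
below is constructed for this example and does not describe a real account.
"""
from ipaddress import ip_network

# Assumption: only the load balancer is internet-facing, and it exposes HTTPS only.
INTERNET_FACING_GROUPS = {"sg-lb"}
PUBLIC_ALLOWED_PORTS = {443}

# Constructed sample: a three-tier layout with two deliberate mistakes.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-lb", "GroupName": "load-balancer", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-app", "GroupName": "app-servers", "IpPermissions": [
        # Correct: app port reachable only from the load balancer's group.
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-lb"}]},
        # Mistake: SSH open to the whole internet on an internal server.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "database", "IpPermissions": [
        # Mistake: all protocols and ports from the app group instead of just tcp/5432.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ]},
]


def _is_world(cidr):
    """True when the CIDR covers the entire address space (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _describe_ports(perm):
    """Human-readable protocol/port span for a finding, e.g. 'tcp/22' or 'tcp/1000-2000'."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all traffic"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def audit_ingress(security_groups):
    """Return (group_id, reason, rule) findings for ingress rules that are not minimal.

    Checks:
      1. An all-protocols ("-1") rule from any source contradicts "minimal required
         communication" between servers and is flagged regardless of the source.
      2. A world-open CIDR on a group that is not internet-facing is flagged.
      3. A world-open CIDR on an internet-facing group may only cover PUBLIC_ALLOWED_PORTS.
    """
    findings = []
    for sg in security_groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            rule = _describe_ports(perm)
            if perm.get("IpProtocol", "-1") == "-1":
                findings.append((gid, "allows all protocols/ports", rule))
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_world(cidr):
                    continue
                if gid not in INTERNET_FACING_GROUPS:
                    findings.append((gid, f"world-open ingress {cidr} on internal group", rule))
                elif not set(range(perm["FromPort"], perm["ToPort"] + 1)) <= PUBLIC_ALLOWED_PORTS:
                    findings.append((gid, f"world-open ingress {cidr} on non-public port", rule))
    return findings


if __name__ == "__main__":
    for gid, reason, rule in audit_ingress(SAMPLE_SECURITY_GROUPS):
        print(f"{gid}: {reason} ({rule})")
```

Against the constructed sample this reports exactly the two planted mistakes (SSH open to the world on `sg-app`, and the all-traffic rule on `sg-db`) and stays silent on the load balancer's HTTPS rule. Rules sourced from another security group are the intended way to express "only the load balancer may talk to the app tier", which is why the function accepts them as long as they name a protocol and port.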

Application Security

The web application architecture and implementation follow OWASP guidelines; these controls are built into the web frameworks that Notably is built on top of. Notably supports SSO via Auth0, and Notably does not store passwords in its database. Audit logging lets administrators see when users last logged in or when they last changed their password. Access to Notably applications is logged and audited.

Security Policies

Notably conducts mandatory code reviews for code changes and periodic and in-depth security reviews. Notably’s testing and development environments are separated from its production environment. Background screening is conducted for all new hires. Every year, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Notably security controls. Notably maintains a formal response plan for significant incidents.

Third-party Subprocessors

Notably currently uses third-party Subprocessors to provide various business functions. Before engaging a Subprocessor, Notably performs due diligence to evaluate its defensive posture and executes an agreement requiring each Subprocessor to maintain minimum acceptable security practices.