We’re committed to the security of our customers’ data and provide multiple layers of protection for the personal and financial information you trust to Parkable.
Security is directed by Parkable's Chief Technology Officer and maintained by Parkable's Security & Operations team.
Organizational Security
- Information Security Program
- We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants.
- Third-Party Audits
- Our organization undergoes independent third-party assessments to test our security and compliance controls.
- Third-Party Penetration Testing
- We perform an independent third-party penetration test at least annually to ensure that the security posture of our services is uncompromised.
- Roles and Responsibilities
- Roles and responsibilities related to our Information Security Program and the protection of our customers’ data are well defined and documented. Our team members are required to review and accept all of the security policies.
- Security Awareness Training
- Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
- Confidentiality
- All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.
- Background Checks
- We perform background checks on all new team members in accordance with local laws.
Cloud Security
- Cloud Infrastructure Security
- All of our services are hosted with Google Cloud Platform (GCP). They employ a robust security program with multiple certifications. For more information on our provider’s security processes, please visit GCP Security.
- Data Hosting Security
- All of our data is hosted on Google Cloud Platform (GCP) databases. These databases are all located in the United States. Please refer to the vendor-specific documentation linked above for more information.
- Encryption at Rest
- All databases are encrypted at rest.
- Encryption in Transit
- Our applications encrypt data in transit using TLS/SSL only.
- Vulnerability Scanning
- We perform vulnerability scanning and actively monitor for threats.
- Logging and Monitoring
- We actively monitor and log various cloud services.
- Business Continuity and Disaster Recovery
- We use our data hosting provider’s backup services to reduce any risk of data loss in the event of a hardware failure. We utilize monitoring services to alert the team in the event of any failures affecting users.
- Incident Response
- We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication.
Physical Access Control
Parkable is hosted on Google Cloud Platform. Google data centers feature a layered security model, including extensive safeguards such as:
- Custom-designed electronic access cards
- Alarms
- Vehicle access barriers
- Perimeter fencing
- Metal detectors
- Biometrics
According to the Google Security Whitepaper: “The data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by professional security guards who have undergone rigorous background checks and training.”
Parkable employees do not have physical access to Google data centers, servers, network equipment, or storage.
Logical Access Control
Parkable is the assigned administrator of its infrastructure on Google Cloud Platform, and only designated authorized Parkable operations team members have access to configure the infrastructure on an as-needed basis behind a two-factor authenticated virtual private network. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted location.
Penetration Testing
Parkable undergoes annual penetration testing conducted by an independent, third-party agency. For testing, Parkable provides the agency with an isolated clone of parkable.com and a high-level diagram of application architecture. No customer data is exposed to the agency through penetration testing.
Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. A summary of penetration test findings is available upon request to enterprise customers.
Intrusion Detection and Prevention
Unusual network patterns or suspicious behavior are among Parkable's most significant concerns for infrastructure hosting and management. Parkable and Google Cloud Platform’s intrusion detection and prevention systems (IDS/IPS) rely on both signature-based security and algorithm-based security to identify traffic patterns that are similar to known attack methods.
IDS/IPS involves tightly controlling the size and make-up of the attack surface, employing intelligent detection controls at data entry points, and developing and deploying technologies that automatically remedy dangerous situations, as well as preventing known threats from accessing the system in the first place.
Parkable does not provide direct access to security event forensics but does provide access to the engineering and customer support teams during and after any unscheduled downtime.
Vendor and Risk Management
- Annual Risk Assessments
- We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud.
- Vendor Risk Management
- Vendor risk is determined and the appropriate vendor reviews are performed prior to authorizing a new vendor.
Sub-Processor List
These are the services we use to provide components of Parkable’s functionality, including cloud infrastructure, payments, emails, customer support, and search functionality.
Sub-Processor 1:
- Name: Google Cloud
- Address: 1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA
- Service Provided: Cloud Infrastructure, email and document storage
- Data Types Processed: PII
- Location: USA
- Data Protection Compliance Status: ISO 27001, ISO 27018 and ISO 27701, SOC2
Sub-Processor 2:
- Name: Stripe
- Service Provided: Payment services
- Data Types Processed: PCI, PII
- Location: USA
- Data Protection Compliance Status: PCI-DSS, ISO 27001, ISO 27018 and ISO 27701, SOC2
Sub-Processor 3:
- Name: Mailchimp
- Address: 405 N Angier Ave NE, Atlanta, GA 30308, United States
- Service Provided: Email services
- Data Types Processed: PII
- Location: USA
- Data Protection Compliance Status: ISO 27001, SOC2, PCI-DSS
Sub-Processor 4:
- Name: Salesforce
- Address: Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105
- Service Provided: Customer support services
- Data Types Processed: PII
- Location: USA, Japan
- Data Protection Compliance Status: ISO 27001, ISO 27018 and ISO 27701, SOC2
Sub-Processor 5:
- Name: Gearset
- Address: The Bradfield Centre, Cambridge Science Park Rd, Cambridge, Cambridgeshire, CB4 0GA, United Kingdom
- Service Provided: Salesforce backup
- Data Types Processed: PII
- Location: USA
- Data Protection Compliance Status: ISO 27001
Sub-Processor 6:
- Name: Typesense
- Address: Sugar Land, 14090 Southwest Fwy Suite No. 300, United States
- Service Provided: Cloud based data search functionality
- Data Types Processed: PII
- Location: USA
- Data Protection Compliance Status: SOC2 Type 2
Contact us
If you have any questions, comments or concerns or if you wish to report a potential security issue, please contact security@parkable.com.