Your privacy and the security of your data is our top concern. Here at Polly, we build everything with customer trust and security in mind. We pride ourselves on taking the extra steps to ensure that we meet and exceed the industry standard to protecting your information.
Network and Application Security Features
Cloud Hosting
Polly's data and services are hosted with trusted Amazon Web Services (AWS) in US facilities, spread across multiple availability zones to ensure reliability and disaster recoverability.
Permissions and Authentication
Access to customer data is limited to authorized employees whose job functions require it. Additionally, 2FA and strong password policies on all tools used internally are strictly implemented for all Polly employees to ensure third-party access to these cloud services are protected.
SSL and Encryption
All data is transmitted over HTTPS, and any data stored is encrypted in transit and at rest using 256-bit encryption. Our application endpoints are TLS/SSL only and score an “A” rating on Qualys SSL Labs‘ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.
Incident Response
Polly has a protocol in place for handling various security incidences, all of which employees are informed and trained on.
Polly Product Security Features
Single Sign On (SSO) and Two-Factor Authentication (2FA)
Polly inherits the same authentication method that you use for your Slack workspace, including SSO and 2FA.
Permissions
Polly has different levels of permission settings within the app for your team. This includes app settings, user data, and billing.
Compliance Certifications
SOC 2
(Type II) Trust Services Principles
EU/US Privacy Shield
Data Privacy Practices
Additional Security Features
Internal Security Policies
Polly has a set of comprehensive security and awareness policies that cover a wide range of topics. These policies are updated as necessary and shared with all employees.
Confidentiality
All employee contracts include a confidentiality agreement contingent on acceptance of employment.
PCI Compliance
All payments to Polly are processed through our partner, Stripe. To learn more about their security setup and PCI compliance, you can visit Stripe's security page.
GDPR Compliance
Commitment to EU General Data Protection Regulation (GDPR)
As of May 25th, 2018, Polly is GDPR compliant in how we handle customer data. To read more about our commitment to the GDPR, please visit our GDPR page.
Responsible Disclosure
If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@polly.ai. We will acknowledge your email within ten business days. Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one month of disclosure. Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Polly service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
Exclusions
While researching, we’d like you to refrain from
Distributed Denial of Service (DDoS)
Spamming
Social engineering or phishing of Polly employees or contractors
Any attacks against Polly’s physical property or data centers
