It goes without saying that we take the security of our customers very seriously at Paddle. Keeping our customers’ data safe, and remaining a secure (and available) service at all times, is at the forefront of our business, our processes, and our teams’ goals.
We spoke to Jonny Herd, our VP of Infosec, who told us more about how we promote this thinking at Paddle.
Setting the foundations of customer security
As we’ve grown as a company, we have steadily improved our security posture, adding people, knowledge, skills, and appropriate experience and controls - all while ensuring best practices are implemented.
What does best practice look like in terms of SaaS security? Something like:
- Educating our employees and ensuring everyone knows their role.
- Developing, testing, and releasing code securely.
- Operating the SaaS application in a secure manner at scale.
- Using internal and commercial tools to continuously monitor, measure and audit ourselves.
- Evaluating our entire business using different reference frameworks to make sure our actions won’t put our security at risk.
But what if you miss something?
Introducing Paddle’s first VDP
To address these concerns (and let you sleep more peacefully), we’ve launched Paddle’s first Vulnerability Disclosure Program (VDP). A VDP is a formal program where security researchers and experts from all over are able to submit detailed information on security vulnerabilities they discover to organizations, like Paddle. This gives us the best opportunity to discover and fix anything that we’ve missed or that the tools didn’t spot. Because: the more eyes, the better.
We’ve worked with independent security researchers for a while, but with our VDP we are improving not only the operation of our process, but its transparency too. By continually strengthening our customers’ security and the resilience of our service, we aim to give our customers the utmost confidence in our platform.
For more information on this launch, take a look at our Vulnerability Disclosure Policy, or head to security.txt for how to interact with Paddle security or to submit a report.