Skip to main content

PathFactory Data Security Policy

Last Updated: September 9, 2025

This Data Security Policy (“Policy”) outlines the technical and organizational controls implemented by PathFactory Inc. and its affiliates (“PathFactory”) to protect the confidentiality, integrity, and availability of Customer Data processed through its platform and Services. PathFactory maintains a formalized Information Security Program which implements the terms of this Policy that is subject to annual review by senior leadership.

This Policy forms part of the PathFactory Software-as-a-Service Terms of Service or other agreement which governs the provision and use of the PathFactory Services and incorporates it by reference (the “Agreement”). Capitalized terms not otherwise specified herein carry the meanings assigned in the Agreement. In the event of any conflict between the terms of the Agreement and this Policy, the terms of this Policy shall govern with respect to the subject matter in question.

PathFactory reserves the right to periodically update this Policy to reflect technological changes, advancements or evolving industry practices, provided that no such updates will materially reduce PathFactory’s obligations to safeguard Customer Data without prior notice to Customer.

1. Access to Customer Data

  • Customers control access to the PathFactory platform using built-in role-based access controls and authentication configurations, such as single sign-on (SSO) and multi-factor authentication (MFA), during account setup.
  • Authorized PathFactory personnel may access customer environments strictly for support, configuration, and troubleshooting purposes. Customers can request restrictions on such access in writing to PathFactory.
  • PathFactory employees are prohibited from storing Customer Data on unmanaged devices, removable media, or non-secured systems outside of PathFactory’s administrative control.
  • Passwords used within PathFactory systems are hashed using strong cryptographic algorithms (e.g., SHA-256 or higher).
  • Customer Data (in its original form) is used solely as necessary to deliver its Services under the Agreement, including any ancillary services such as support activities.
  • All customer production data, including encrypted backups, are stored within secure cloud infrastructure environments located within applicable geographic jurisdictions (e.g. Canada, United States, Europe).
  • Data flow diagrams documenting the movement and processing of customer data are maintained internally and shared upon reasonable request, subject to confidentiality obligations.
  • Any use of sub-processors for data processing is transparently disclosed via PathFactory’s Sub-Processor List page located at https://www.pathfactory.com/legal/subprocessors, with an online form for customers to subscribe to email notifications of any changes. Sub-processors undergo rigorous security and compliance vetting before onboarding.

 

2. Data Encryption

  • Data classified by PathFactory as “sensitive” is protected using industry-standard encryption methods (e.g., AES-256) while at rest.
  • Data in transit is encrypted using secure protocols, such as TLS 1.2 or higher.
  • Customers may enforce TLS encryption between their applications and PathFactory’s Services by providing or requesting a TLS certificate.

 

3. Infrastructure and Access Management

  • Access to production infrastructure is restricted based on job responsibilities, using role-based access controls, enforced MFA, and private key authentication over secure channels (e.g. VPN, SSH).
  • Least privilege and segregation of duties principles govern access provisioning.
  • Access reviews are conducted annually, and access is revoked immediately upon personnel departure or role change.
  • Cloud network security groups enforce deny-all policies by default, exposing only necessary services.

 

4. Endpoint and Workstation Security

  • Personnel access production and development environments exclusively via PathFactory-issued, centrally managed workstations.
  • Devices employ full-disk encryption, enforced password policies, auto-lock mechanisms, and enterprise antivirus solutions with daily signature updates.

 

5. Data Classification and Risk Management

  • Data is classified according to sensitivity levels, and security controls are applied in accordance with data classification standards.
  • Ongoing risk assessments, including third-party evaluations, vulnerability scans, and internal audits, guide security enhancements.
  • Threat intelligence feeds, security bulletins, and vulnerability databases inform proactive risk mitigation measures.

 

6. Vulnerability and Penetration Testing

  • PathFactory conducts annual, independent third-party penetration testing and regular vulnerability scans.
  • Identified vulnerabilities are triaged based on severity, with critical and high findings generally addressed within 30 days of discovery, and medium typically addressed within 90 days of discovery.
  • With PathFactory’s prior approval, customers may conduct their own penetration testing and security scans. Customers are required to provide the results of such scans to PathFactory.

 

7. Monitoring and Incident Response

  • Comprehensive system logging and monitoring tools track infrastructure events, network traffic, and access logs, stored securely and retained for at least 12 months.
  • Advanced threat detection tools monitor cloud environments for suspicious activity.
  • A formal incident response process is in place, ensuring rapid containment, investigation, and remediation of potential threats.

 

8. System Maintenance and Patching

  • Systems supporting Customer Data follow secure configuration baselines and hardened standards.
  • Security patches rated critical or high are typically applied within 30 days of release; medium within 90 days.
  • PathFactory reviews security bulletins and vulnerability disclosures continuously.

 

9. Security Awareness and Personnel Controls

  • All PathFactory personnel undergo security training, including new hire onboarding and continuous education.
  • Background checks are performed during recruitment, subject to local legal limitations.
  • Personnel acknowledge confidentiality obligations and responsibilities for safeguarding Customer Data.
  • Secure software development lifecycle (SDLC) practices, including code reviews and centralized logging, are enforced.

 

10. Physical Security

  • PathFactory leverages trusted cloud providers for hosting services, relying on their robust physical security controls, which include surveillance, controlled physical access, visitor management, and alarm monitoring.
  • PathFactory reviews third-party data center security attestations at least annually.

 

11. Availability and Continuity

  • The current status of the PathFactory SaaS Services can be viewed at https://status.pathfactory.com/ (the “PathFactory System Status Page”). Customers can subscribe to receive real-time updates as incidents occur using the online form on the PathFactory System Status Page.
  • PathFactory employs distributed denial-of-service (DDoS) protection and high availability architecture.
  • Disaster Recovery and Business Continuity Plans are maintained, tested annually, and include region-based failover capabilities.
  • Customers may be required to update network configurations during regional failovers.

12. Security Breach Notification

  • A “Security Breach” is a breach of security leading to the unauthorized access to or disclosure of Customer Data, except where access was obtained via the customer’s credentials.
  • Confirmed Security Breaches affecting Customer Data will be reported within 48 hours of detection and status of PathFactory’s investigation.
  • PathFactory will promptly initiate containment and mitigation measures in response to any Security Breach.

 

13. Certifications and Compliance

  • PathFactory engages accredited third parties to audit and attest to compliance standards, including SOC 2 Type 2, ISO 27001 and ISO 27701.
  • PathFactory complies with applicable data protection laws and regulations, including Canadian privacy laws, US state privacy laws, and European data protection laws.
  • PathFactory provides customers with the controls required to adhere to their requirements under the GDPR.

 

14. Shared Responsibility

  • Without limiting PathFactory’s data security obligations in this Policy, security of Customer Data is a shared responsibility between PathFactory and the customer. PathFactory provides numerous tools to mitigate against Security Breaches. Customer is responsible for configuring and maintaining these settings, managing access controls, and protecting their account credentials.
  • Customers are encouraged to monitor usage, configure session policies, and apply best practices when integrating with PathFactory Services.

 

See PathFactory in action

Schedule a demo to see how PathFactory can help you educate and convert your audience more than 2x faster.

Book a Demo