Version: 1.0
Effective: June 19, 2024
PrimeRole Inc. (hereinafter referred to as PrimeRole) is committed to ensuring the Confidentiality, Integrity, Availability, and Privacy of its information assets, providing comprehensive protection against the consequences of confidentiality breaches, integrity failures, and interruptions to availability.
PrimeRole is a B2B Sales Intelligence platform designed to optimize sales processes by delivering enriched company and contact data. Our platform seamlessly integrates with CRMs and multiple data providers, ensuring comprehensive contact coverage and precise enrichment. PrimeRole's AI-driven tools generate personalized outreach messages, while our browser extension offers instant insights into LinkedIn profiles and company domains. With robust analytics and seamless CRM integration, PrimeRole enhances lead prioritization and engagement, driving more effective and efficient sales strategies. We pride ourselves on delivering products that are ready to Go-To-Market, easy to set up, and require minimal customization, all backed by world-class support.
In support of our commitment to Security & Privacy by Design, security is central to how we build our products, safeguard your data, and ensure high resilience. We have established and implemented security and privacy principles within a robust framework for building and maintaining secure systems, applications, and services. This framework allows us to integrate a set of standards, guidelines, and best practices for managing information security, cybersecurity, data security, and privacy considerations, or related risks, by default and by design, while ensuring compliance with multiple global requirements.
We maintain a top-down governance model with security ingrained in our DNA. This approach enables us to continuously navigate evolving threat vectors and to calibrate and strengthen our security posture, aligning with the changing business and technology landscape.
This policy applies to all PrimeRole employees, assignees, partners and contractors that provide services to PrimeRole and is an integral part of the Business Code of Conduct.
This also covers the security of information systems and data networks owned or used by PrimeRole as well as the information that is stored, transmitted, or processed by those systems.
PrimeRole is committed to complying with all applicable legislation in every location and country in which it operates or processes information.
Key legislation complied with includes laws related to corporate governance, employee relations, data privacy, intellectual property, and financial reporting.
Executive leadership (Top Management) members are a part of the internal Information Security & Compliance Steering Committee (ISCSC), which ensures that all PrimeRole commitments to Customers and stakeholders are upheld.
PrimeRole is committed to information security, the protection of personal information, and privacy in accordance with applicable laws, regulations, and standards. Information Security & Compliance Steering Committee (ISCSC) members are responsible for defining and improving the Integrated Management System (IMS).
The top management has demonstrated leadership and commitment to the Integrated Management System (IMS) by:
PrimeRole is committed to:
PrimeRole shall adopt leading industry security & privacy standards and practices to design and develop robust information security & privacy management framework to support this policy statement. To this effect, the policy shall be supported by domain-level security & privacy policies, procedures, guidelines, and standards, which shall be communicated and made available to relevant stakeholders.
At PrimeRole, executive leadership (Top Management) is integral to the internal Information Security & Compliance Steering Committee (ISCSC), ensuring that all PrimeRole commitments to customers and stakeholders are upheld. The ISCSC ensures that the security and privacy of customer information, along with the correct processing of any personal information in line with privacy regulations, are standard practices at PrimeRole.
While information security and privacy are organization-wide responsibilities, the ISCSC has established dedicated information security and privacy roles to oversee these principles. Both roles report directly to the ISCSC and independently manage the governance aspects of information security and privacy. The Information Security function is led by the Information Security Officer (ISO), and the Privacy function is led by the Data Protection Officer (DPO), both of whom report directly to the ISCSC. The committee is headed by the Chief Executive Officer (CEO).
The ISCSC is committed to continuously aligning PrimeRole's information security and privacy posture to ensure data security, assure non-repudiation of customer data, secure and stabilize products that provide consistent output, deliver services that are resilient to internal and external threats and interruptions, and orient our people to the principles of security and privacy by design in their respective job roles. Business processes are designed and implemented with a focus on risk and control considerations.
The ISCSC conducts structured reviews of Information Security and Privacy on a semi-annual basis. The broad objectives of these reviews are:
Performance Evaluation: Evaluate the performance and effectiveness of the Information Security Management System (ISMS) and any related controls.
To mitigate the risk of fraud and errors, PrimeRole is committed to maintaining a segregation of duties. Responsibilities are divided among different individuals to prevent any single person from having complete control over critical processes or systems.
PrimeRole Information Security and Privacy Structure:
Additionally, the Governance, Risk and Compliance (GRC) function is responsible for ensuring that the company operates within legal and regulatory frameworks, creating and implementing essential policies, procedures, and controls. These documents are reviewed annually and are accessible to all PrimeRole employees through a centralized document repository.
At PrimeRole, we take pride in building a secure, reliable, easy-to-use, and high-performance Sales Enablement application. We believe that our customers and employees are the foundation of our success.
We seek smart, passionate individuals who excel in building great products, designing outstanding user experiences, and creating scalable platforms. All recruitment intents are submitted to HR, accompanied by a job description, roles, and responsibilities. These intents are approved by the respective department or pod heads based on their recruitment plans. HR, along with the respective managers, conducts interviews. Depending on the role's seniority, HR arranges interviews with appropriate stakeholders. Candidates are selected based on a thorough evaluation of cultural and skill fit.
All new employees undergo a mandatory background verification check initiated after the employment offer is extended. PrimeRole engages third-party service providers to verify identity, education, employment history, and criminal background. Any risks identified during the background check are analyzed and reviewed by HR and the respective business manager before a final decision is made.
New employees typically join on Mondays and undergo a 2-3 day onboarding process. This process includes an overview of PrimeRole's values, vision, objectives, organizational structure, and key processes. As part of onboarding, employees receive training on information security, data privacy, the Code of Conduct, and relevant compliance practices. This training ensures that all employees understand their responsibilities regarding information security, privacy, and compliance.
All new hires sign a confidentiality agreement as part of their employment contract. This agreement outlines their obligations and responsibilities in handling confidential information during their employment.
PrimeRole's Code of Business Conduct and Ethics flows directly from our commitment to our mission and core values. We strive for excellence and aim to deliver value to our customers, partners, stockholders, and stakeholders with integrity and high ethical standards. Cutting legal or ethical corners for personal or company gain is unacceptable.
The Code applies to all employees, officers, directors, and independent contractors. All employees must acknowledge their understanding and acceptance of this Code during the annual review cycle. Key policies covered by the Code include:
During onboarding, employees are informed about internal policies and processes. They are also briefed on the complaint reporting mechanism and disciplinary process. Policy violations are reported as incidents and investigated by HR. Depending on the severity, violations can result in a warning, compensation payment, promotion withdrawal, suspension, or termination.
When employees are transferred internally, HR finalizes the transfer date in consultation with the reporting manager and informs the new manager. Access needs are then adjusted according to the new role.
Resignations are submitted to the reporting manager and HR. The exit process is initiated after HR and the reporting manager confirm the relieving date. Access to company information and assets is revoked, and all company property is returned by the employee.
Employees working remotely must adhere to PrimeRole's policies and procedures to protect confidential information. This includes using secure networks, maintaining strong passwords, and following best practices for data protection.
PrimeRole ensures that all employees are security and privacy-conscious through ongoing educational activities and practical exercises. Each employee, upon joining, signs a confidentiality agreement and an acceptable use policy, followed by training in information security, privacy, and compliance.
All employees must complete the annual information security, privacy, and compliance awareness training. Additional role-specific training is provided to personnel with specific job functions, focusing on the security and privacy risks relevant to their responsibilities.
Training logs, including details of the training class, attendees, and dates, are maintained by HR.
PrimeRole has established a formal Asset Management Policy to facilitate the effective management, control, and maintenance of assets and information within its operations. Assets are classified according to their functionality and criticality to ensure appropriate protection and management.
PrimeRole is committed to sustainable asset management practices that promote environmental responsibility and efficiency. The objective of our asset management program is to monitor, track, and optimize the utilization of company assets, ensuring maximum efficiency, cost-effectiveness, and return on investment. Through strategic planning, proactive maintenance, and accurate data analysis, PrimeRole aims to minimize downtime, extend asset lifespan, reduce operational expenses, and enhance overall business performance and profitability. Asset management processes at PrimeRole include planning, acquisition, operation, maintenance, disposal, and performance monitoring.
Information assets at PrimeRole are identified, classified, labeled, and handled according to their level of confidentiality and sensitivity. The confidentiality and sensitivity of information are maintained through an Information Asset Classification scheme, which determines the level of security accorded to each asset.
All new assets are acquired in accordance with PrimeRole's procurement policies and procedures. A risk assessment is conducted prior to acquiring any new asset to ensure alignment with the organization's strategic objectives. Asset acquisition decisions are based on cost-effectiveness and strategic alignment with organizational goals. Asset performance metrics are tracked and analyzed to evaluate asset ROI and inform strategic decision-making.
The Information Asset Inventory must include, at a minimum:
Employees are expected to exercise good judgment and responsibility regarding the personal use of company assets. For security and network maintenance purposes, authorized individuals within PrimeRole monitor equipment, systems, and network traffic.
PrimeRole reserves the right to suspend or disable employee network accounts in the event of an actual or suspected security breach or policy violation. Any IT resource assigned to an employee cannot be transferred to another employee or group without following the proper procedure, which includes notifying IT so that the transfer is recorded and signed off. If an asset is lost following a transfer that was not reported to IT, the responsible employee may be subject to fines.
PrimeRole information assets include, but are not limited to:
PrimeRole maintains an inventory of all virtual and physical devices, including servers and networking components. These devices are labeled and tracked in an asset register that includes information about the asset owner, custodian, and location. The asset register is regularly updated whenever assets are moved, retired, or serviced.
PrimeRole has developed and implemented a formal information classification and handling standard consisting of distinct levels, which must be followed by all PrimeRole employees. The protection level and requirements for data processing are defined for each classification category. PrimeRole's classification model has four levels:
The classification level of all information is identified both on the data itself and in the asset inventory. This visibility enables PrimeRole to focus protection mechanisms on the assets most susceptible to specific risks; information assets may be assigned security controls according to their susceptibility to risk.
PrimeRole has adopted a Zero Trust model for Identity and Access Management (IAM), ensuring the principle of “never trust, always verify.” Access rights are provisioned based on the principles of “least privilege,” “need-to-know,” and “need-to-have or need-to-do.” As part of user lifecycle management, defined processes for adding, changing, and removing users and their access rights are applied across all information systems, applications, and services, with regular periodic reviews conducted to ensure compliance.
IAM is crucial for protecting PrimeRole's information resources and requires the implementation of controls and continuous oversight to restrict access appropriately.
PrimeRole implements the principle of least access privileges and role-based access controls across all information systems. Only a few employees, such as those in Customer Success and Solution Engineering, have access to customer accounts, as necessary for configuration or troubleshooting purposes. These privileged accesses are regularly reviewed.
PrimeRole provides role-based administration for user accounts, with four roles: Owner, Admin, User, and Guest, each with distinct permissions. Account administrators control user permissions and activities.
PrimeRole partners with organizations that adhere to global standards and regulations. These include sub-processors or third parties that assist in providing PrimeRole's products and services. By default, sub-processors do not have access to any customer data. Incidents and support tickets are handled internally by PrimeRole.
In cases where only a sub-processor can handle a specific incident or support request, temporary access is provided by the customer's admin through the product, and this access is immediately revoked once the issue is resolved.
Access to PrimeRole's internal systems is based on the principle of least privilege. Information systems and data are classified and segregated to support role-based access requirements. While defining job roles and designing access roles, conflicts of interest are avoided. Strong identification, authentication, and logging systems are deployed to provide centralized control for administering, monitoring, and reviewing all critical access events.
PrimeRole maintains separate environments for development, testing, and production. Each environment is isolated and shielded from interactions with the others. Developers do not have access to the production environment; production changes, including migrations, are restricted to designated and authorized individuals.
All access requests are logged, tracked, and managed through the Jira (Atlassian suite) system. Requests must be approved by the reporting manager, product owner, and respective department head or their delegate. Once approved, the request is routed to system administrators for provisioning. All access requests, approvals, and provisioning actions are logged to maintain a comprehensive audit trail.
Access to all environments (development, test, and production) and associated resources is centrally managed using the IAM system. User IDs follow internal naming conventions and are managed to ensure identifiability. Strong password parameters are enforced across all systems. Access is permitted only from registered user systems and whitelisted IP addresses, and all access is routed through a bastion host where role-based access and two-factor authentication (2FA) are enforced. System access logs for customer data access are maintained and reviewed by the NOC and SOC teams operating on a 24/7 basis.
Access to the PrimeRole production environment is limited to authorized users within the development or testing teams and is permitted only from within the PrimeRole corporate network, protected by a VPN. For business continuity, disaster recovery, and pandemic scenarios, administrative and management users (Cloud Infrastructure, Database Administrators, On-call Support, 24/7 Monitoring teams) have VPN access to connect to the office network. All remote access is protected via Single Sign-On (SSO) or 2FA, and all access is logged.
On a quarterly basis, the ownership of all user accounts in the production environment is reviewed by the product owner. For sensitive and critical accounts, reviews are conducted monthly. The information security team tracks the user access review process and reports findings to the ISCSC.
PrimeRole enforces password complexity and length requirements according to industry best practices. Password policies include the following:
PrimeRole supports Single Sign-On (SSO) via SAML 2.0, enabling teams to log in using their existing corporate credentials. SSO is available on select packages; please consult your order form for eligibility.
PrimeRole has developed and implemented a formal cryptographic protection standard to ensure the confidentiality, authenticity, and integrity of information transmitted through third-party networks and to protect against unauthorized access or malicious activities.
Cryptographic controls at PrimeRole are employed to achieve various security objectives, including:
These cryptographic controls are implemented in compliance with all relevant agreements, laws, and regulations.
PrimeRole uses industry-standard cryptographic methods to protect customer data both in transit and at rest. Specifically:
PrimeRole prioritizes the security and integrity of cryptographic keys through stringent key management practices that adhere to industry standards and best practices. Our key management approach includes:
This section outlines the physical and environmental security measures at PrimeRole's Product Development center in India and the data centers where PrimeRole products and data are hosted.
Perimeter Security at PrimeRole Office
PrimeRole operates out of a multi-tenant building with perimeter security managed by the Building Management System team. The building is patrolled 24/7 by security guards, and access is granted only to employees with valid ID cards.
Access to the PrimeRole office is restricted to PrimeRole employees and authorized support staff. CCTVs are installed at strategic points, including all entry and exit locations. The administration and facilities team monitors CCTV footage, which is retained for a minimum of 90 days.
Entry points are secured with a proximity-based access card system, with 24/7 security guards stationed at entry and exit points. Regular access reviews are conducted by the PrimeRole Administration team to ensure only authorized personnel have access.
All visitors must register at the entrance, providing details of their host and the purpose of their visit. Visitors receive an ID tag and are always escorted by a host while inside the premises.
PrimeRole has established procedures for the siting and identification of equipment. Security personnel track the movement of equipment and consumables at the entrance, verifying authorization for any classified materials brought in or removed.
The IT team ensures that all equipment movements are approved and directed to authorized recipients. Designated areas are identified for the movement and disposal of electronic media and equipment, with authorization from the IT Manager and tracking by the Facilities Administration team.
The office is equipped with multiple controlled entry and exit points, with visible floor maps and markings to assist in speedy evacuations. Smoke detectors and sprinkler-based fire suppression systems are installed throughout the facility. Fire extinguishers are placed at various locations, and the facility is equipped with a public address system for emergency announcements.
A centrally managed Heating, Ventilation, and Air-Conditioning (HVAC) system is maintained by the facilities team. The power supply is backed by an Uninterruptible Power Supply (UPS) and diesel-based generator, ensuring automatic and uninterrupted switch-over during power interruptions. All power and network cables are secured, shielded, and clearly identified for maintenance purposes.
Equipment and systems providing environmental safeguards are covered under warranties and annual maintenance contracts, with regular preventive maintenance checks to ensure proper functioning.
PrimeRole's products and data are hosted in AWS, Microsoft Azure, and DigitalOcean data centers, which offer cutting-edge security and compliance with various information security standards. The data centers are located in nondescript facilities, with physical access strictly controlled at both the perimeter and building ingress points. Security measures include video surveillance, motion detectors, intrusion alarms, and two-factor authentication for access to data center floors.
The hub room at PrimeRole's corporate office is secured with access control systems, including access cards, biometrics, and video surveillance. A physical logbook is maintained to record details such as the name, purpose, and time of entry and exit.
PrimeRole prioritizes the resilience and reliability of its utility infrastructure. This includes regular inspections, alarm systems for early detection, redundancy measures, network segregation, and emergency provisions for swift response during outages or emergencies.
Cabling security is ensured through underground installation where possible, segregation of power and communication cables, use of armored conduits, controlled access to cable and hub rooms, and proper labeling for identification.
Critical IT equipment is hosted in AWS, Microsoft Azure, and DigitalOcean data centers, which are equipped with automatic fire detection and suppression systems. These systems include smoke detection sensors, wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems, depending on the materials in specific zones.
Flood protection is provided by submersible pumps, and power is supplied through redundant feeder channels, supported by generators and UPS systems with automatic switch-over capabilities. Data centers maintain optimal climate conditions to prevent overheating and service outages, with personnel and systems monitoring temperature and humidity levels.
PrimeRole adheres to supplier recommendations and implements a robust maintenance program to ensure the reliability of equipment. Access to equipment is restricted to authorized personnel, and all maintenance activities are recorded. Security measures are enforced during on-site maintenance, and equipment is thoroughly inspected before reactivation.
PrimeRole ensures the secure disposal and reuse of equipment and storage media containing confidential information. Employees must follow verification processes, physically destroy storage media, remove identifying labels, and consider security controls when moving premises. These measures are critical for maintaining information security and compliance.
PrimeRole maintains a formal information security management program with dedicated security personnel reporting to the Head of Security. A formal policy and process are in place to address key information security considerations for IT operations, including standard operating procedures, change management, configuration management, release management, information backup, restoration, and cloud computing.
Several security controls have been established to protect data, information systems, and to monitor PrimeRole for suspicious activities.
Documented procedures are formally established for operational activities associated with information processing and communication facilities. These procedures are maintained to ensure the correct and secure management of information processing facilities.
Anti-malware systems and services are implemented to detect, prevent, and report malicious software and activities. All in-scope systems are equipped with malware protection and detection software, regularly updated with the latest definitions.
PrimeRole has defined criteria for creating and managing logs, specifying the data to be collected and procedures for protecting and handling log data. Logs must capture user IDs, system activities, event details, and network information, covering events such as access attempts, system configuration changes, and file access. Time synchronization across systems is essential for effective log correlation and analysis.
PrimeRole is committed to a robust monitoring framework that safeguards the security and integrity of our systems, networks, and data. Monitoring activities include scope determination, baseline establishment, anomaly detection, and specific measures for web monitoring. Monitoring records are maintained in compliance with organizational policies and relevant laws and regulations.
PrimeRole's Security Information and Event Management (SIEM) system collects extensive logs from key network devices and host systems to detect potential threats. Alerts are generated when threshold criteria or suspicious-event logic are triggered, notifying the security team for investigation and response.
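The logging criteria described above (every record carrying a user ID, activity, event detail, and network information, with time synchronization so events correlate) and the threshold-style SIEM alerting can be illustrated in code. The following is an added example written for this page, not PrimeRole's own logging or SIEM configuration: the line format, the required field names, the thresholds (5 failures in 10 minutes), the second rule (a configuration change with no recent successful login from the same user and source), and the sample log lines are all assumptions constructed for the demonstration.

```python
"""Threshold-based detection over constructed audit log lines.

Added example (not PrimeRole code). The line format, field names,
thresholds and sample lines below are assumptions for the demonstration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Assumed line format: ISO-8601 timestamp with UTC offset, then key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
# Fields every record must carry: user ID, activity, event detail, network info.
REQUIRED = ("user", "action", "result", "src_ip")

FAILED_LOGIN_THRESHOLD = 5       # assumed alert threshold
WINDOW = timedelta(minutes=10)   # assumed sliding correlation window


@dataclass
class Event:
    ts: datetime   # normalised to UTC so records from different hosts correlate
    user: str
    action: str
    result: str
    src_ip: str


def parse_line(line: str) -> Event:
    """Parse one log line, rejecting records that lack a required field."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing required fields {missing}: {line!r}")
    # Hosts may log in local time; convert to UTC before correlating.
    ts = datetime.fromisoformat(m.group("ts")).astimezone(timezone.utc)
    return Event(ts, fields["user"], fields["action"], fields["result"], fields["src_ip"])


def detect(lines):
    """Return alert strings for two rules:
    1. threshold: >= FAILED_LOGIN_THRESHOLD failed logins from one source IP
       inside WINDOW (alerted once per source);
    2. suspicious-event logic: a configuration change by a user with no
       successful login from the same source IP within WINDOW beforehand."""
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerted_ips = set()
    last_login = {}                 # (user, src_ip) -> last successful login
    # Records arrive out of order; sort on the normalised timestamp first.
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e.ts):
        if ev.action == "login" and ev.result == "failure":
            q = failures[ev.src_ip]
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW:
                q.popleft()         # drop failures older than the window
            if len(q) >= FAILED_LOGIN_THRESHOLD and ev.src_ip not in alerted_ips:
                alerted_ips.add(ev.src_ip)
                minutes = int(WINDOW.total_seconds() // 60)
                alerts.append(f"brute-force: {len(q)} failed logins from {ev.src_ip} within {minutes} min")
        elif ev.action == "login":
            last_login[(ev.user, ev.src_ip)] = ev.ts
        elif ev.action == "config_change":
            seen = last_login.get((ev.user, ev.src_ip))
            if seen is None or ev.ts - seen > WINDOW:
                alerts.append(f"config change by {ev.user} from {ev.src_ip} without recent login")
    return alerts


# Constructed sample log (not real PrimeRole data). Note the mixed offsets and
# the out-of-order final line.
SAMPLE_LOG = [
    "2024-06-19T10:00:00+00:00 user=alice action=login result=success src_ip=10.0.0.5",
    "2024-06-19T15:31:00+05:30 user=alice action=config_change result=success src_ip=10.0.0.5",
    "2024-06-19T10:02:00+00:00 user=bob action=login result=failure src_ip=203.0.113.9",
    "2024-06-19T10:03:00+00:00 user=bob action=login result=failure src_ip=203.0.113.9",
    "2024-06-19T10:04:00+00:00 user=root action=login result=failure src_ip=203.0.113.9",
    "2024-06-19T10:05:00+00:00 user=bob action=login result=failure src_ip=203.0.113.9",
    "2024-06-19T10:06:00+00:00 user=admin action=login result=failure src_ip=203.0.113.9",
    "2024-06-19T10:20:00+00:00 user=carol action=config_change result=success src_ip=198.51.100.7",
    "2024-06-19T10:08:00+00:00 user=bob action=login result=failure src_ip=203.0.113.9",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Alice's change is logged in IST (+05:30) but lands one minute after her UTC login once normalised, so it raises nothing; without the timezone normalisation the same record would look five and a half hours late and would trip the second rule, which is the correlation failure the time-synchronization requirement guards against.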
Upon identifying a potential risk, the security team initiates incident handling and response, gathering data (e.g., logs, forensic images) to determine the root cause and the best course of action for mitigation. Post-incident, a detailed post-mortem analysis is conducted to identify lessons learned and to improve future responses, driving proactive guidance and improvements across PrimeRole.
PrimeRole maintains robust threat intelligence practices to protect our assets and stakeholders. We vet and select relevant information sources, collect and process data, analyze findings, and communicate them effectively. Continuous improvement is prioritized to adapt to evolving threats and organizational needs. PrimeRole subscribes to industry threat feeds and uses a combination of automation tools and human review to filter and act on threat intelligence.
Data hosted on the cloud is synced in real-time across Availability Zones (AZs) or to separate AWS/Azure regions, ensuring fault tolerance and stability. Data sync occurs in an active-active model, with each region equipped to handle the load independently in case of failures.
PrimeRole adheres to a CVSS-based vulnerability management standard, categorizing vulnerabilities by severity (critical, high, medium, and low) as reported by scanning vendors. Regular vulnerability scans are conducted on all production systems and endpoints, with remediation timeframes determined by CVSS level, impact analysis, and contractual SLAs.
Operational software, including applications and operating systems, is implemented only after successful testing for usability, security, system impact, and user-friendliness. Operational systems hold only approved executable code, with no development code or compilers.
PrimeRole has defined internal guidelines for conducting information system audits, which must be followed by all employees.
PrimeRole protects its personnel and digital assets from threats associated with accessing malicious or illegal websites. Measures include blocking access to known risky websites, categorizing websites by risk, and restricting access to specific categories. Anti-malware technologies automatically block prohibited sites, safeguarding network and data integrity.
PrimeRole prioritizes the security of its operational systems by adhering to strict guidelines for software changes and installations:
By following these guidelines, PrimeRole ensures the integrity and security of its operational systems.
PrimeRole management is committed to establishing a cross-functional working model tailored to the size, nature of activities, and evolving business realities in product development, support, and maintenance. PrimeRole utilizes the Scrum model from the agile framework, combined with a Continuous Integration and Continuous Deployment (CI/CD) approach, to ensure rapid delivery of functionalities to customers. Cross-functional teams, known as “Squads,” are formed to work on core product features and infrastructure, adhering to secure coding standards and guidelines provided by the Application Security team.
A Squad typically consists of the following members:
Continuous integration (CI) is essential for maintaining fast development cycles within the CI/CD pipeline. Every block of code is unit tested before being checked into the code repository using a source control tool. Changes to uncompiled source code are tracked to ensure code integrity, and the most up-to-date libraries are maintained for subsequent sprints. After Quality Assurance (QA) approval, the code is committed for promotion to staging and production environments.
All product inputs, including enhancements, bugs, and fixes, are accumulated in a central repository managed by Product Owners. Service Level Agreements (SLAs) are defined for issue resolution, and priorities are assigned accordingly. Security fixes are considered high priority and are bundled into the earliest possible sprint. The DevOps sprints are powered by a Squad that includes the Product Owner, Squad Lead, Tribe Lead, and Tribe Members.
Following the principles of Security by Design, product security is integrated into every build cycle at PrimeRole. The Application Security and Cloud Security teams are involved throughout the build cycles. Multiple security checks, including code reviews, web vulnerability assessments, and advanced security tests, are conducted for every build. Source code analysis is performed using approved tools, and identified vulnerabilities are fixed and revalidated before code promotion. Builds undergo stringent functionality tests, performance tests, stability tests, and UX tests before being certified as “Good to go.” Static code analysis is performed during unit testing before compiling in a runtime environment. The “Good to go” flag serves as a gating mechanism for code promotion to production.
To minimize potential downtime, PrimeRole employs the Blue-Green Deployment model. This approach reduces risk by running two identical production environments, Blue and Green, with only one serving live traffic at any time. During a product update, deployment and final testing occur in the non-live environment (Green) while Blue continues to serve customers. Once testing is complete and the updated build is approved, live traffic is switched over to Green, which becomes the live environment, and the previous live environment (Blue) is placed in an idle state. If any issues arise with the new version, a quick rollback to the previous version is possible by switching traffic back to Blue.
The capacity management process at PrimeRole is designed to ensure continuous alignment between business capacity management (strategic and forecasting) and service capacity management (tactical). This process, managed by the Cloud Infrastructure team, ensures that the application remains available 24x7 throughout the year, except during planned downtimes.
The capacity management process applies to the following:
PrimeRole maintains at least a 20% headroom to accommodate unexpected traffic. The following parameters are used for managing capacity:
PrimeRole conducts regular stress tests on its cloud systems and services to ensure they meet peak performance requirements. These tests help identify potential vulnerabilities or weaknesses in the infrastructure, allowing for proactive measures to be taken. This continuous evaluation and optimization help deliver a seamless experience for customers while safeguarding against potential threats.
Proactive Approach: This approach is facilitated by continuous communication between customer-facing teams and the operations team. Based on projections for new customers, the operations team determines capacity requirements and follows standard operating procedures (SOP) to provision additional capacity. Business-critical components are also equipped with autoscaling to automatically increase capacity when headroom is breached.
Reactive Approach: The production environment is monitored 24x7 by the Network Operations Center (NOC) team, using a variety of tools to monitor system performance. If any parameters exceed their thresholds, the NOC team follows an SOP to commission additional capacity. The alerting system identifies underperforming clusters, allowing the NOC team to take immediate action to mitigate issues.
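The 20% headroom rule and the two capacity paths above (forecast-driven and threshold-driven), as an added example that is not PrimeRole's operations tooling: the planner computes how many scalable units keep the stated headroom for a projected load, and separately decides whether observed load has breached the threshold. The unit model, per-unit throughput and sample load figures are constructed.

```python
"""Capacity headroom planner for the proactive and reactive paths.

Added example, not PrimeRole's operations tooling. The 20% headroom target
is the figure stated in the policy; unit sizes, thresholds and the sample
load figures are constructed.
"""
import math
from dataclasses import dataclass
from typing import Tuple

HEADROOM_TARGET = 0.20  # policy: keep at least 20% spare capacity


@dataclass(frozen=True)
class Capacity:
    units: int            # scalable units in service, e.g. application instances
    per_unit_rps: float   # constructed: requests/second one unit can sustain

    @property
    def total_rps(self) -> float:
        return self.units * self.per_unit_rps


def headroom(cap: Capacity, observed_rps: float) -> float:
    """Fraction of capacity unused right now; negative means overloaded."""
    return 1.0 - observed_rps / cap.total_rps


def units_required(per_unit_rps: float, expected_rps: float,
                   target: float = HEADROOM_TARGET) -> int:
    """Smallest unit count that still leaves `target` headroom at `expected_rps`."""
    return math.ceil(expected_rps / (per_unit_rps * (1.0 - target)))


def proactive_plan(cap: Capacity, current_rps: float,
                   new_customers: int, rps_per_customer: float) -> int:
    """Forecast path: additional units to provision ahead of projected onboarding."""
    projected = current_rps + new_customers * rps_per_customer
    return max(0, units_required(cap.per_unit_rps, projected) - cap.units)


def reactive_decision(cap: Capacity, observed_rps: float) -> Tuple[str, int]:
    """Monitoring path: scale only when observed load breaches the headroom threshold."""
    if headroom(cap, observed_rps) >= HEADROOM_TARGET:
        return ("hold", 0)
    return ("scale_up", units_required(cap.per_unit_rps, observed_rps) - cap.units)


if __name__ == "__main__":
    cap = Capacity(units=10, per_unit_rps=100.0)
    print(headroom(cap, 750.0), reactive_decision(cap, 900.0))
    print(proactive_plan(cap, current_rps=700.0, new_customers=20, rps_per_customer=10.0))
```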
PrimeRole has implemented robust security and privacy controls to protect the confidentiality, integrity, availability, and safety of its network infrastructure. These controls enforce the concept of “least functionality,” restricting network access to systems, applications, and services, while providing situational awareness of network activities.
PrimeRole's network is designed to facilitate business operations efficiently while mitigating various risks. The following controls have been established to protect exchanged information from interception, copying, modification, misrouting, and destruction:
Network Controls: PrimeRole periodically monitors and updates its communication technologies to ensure network security according to industry best practices. Cryptographic techniques are employed to protect the confidentiality, integrity, and authenticity of sensitive and confidential information. Firewall rules and access restrictions are reviewed regularly.
Infrastructure Controls: PrimeRole employs an Intrusion Detection System (IDS), a Security Information and Event Management (SIEM) system, and other security monitoring tools on production servers hosting the PrimeRole product service. Alerts from these tools are sent to the Security Team for prompt action.
Secure Communication: All data transmissions to PrimeRole services are encrypted using TLS protocols, with certificates issued by SHA-256 based Certificate Authorities (CAs), ensuring secure connections from users' browsers to our services. We use the latest and most secure cipher suites.
PrimeRole's product always connects to the web app over HTTPS using SSL/TLS (Secure Sockets Layer / Transport Layer Security), a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery.
Retention and Disposal: PrimeRole has established guidelines for the retention and disposal of all business correspondence, including messages, under defined standards.
Network Segregation: Network segregation is achieved by establishing VLAN/DMZ architectures. The Testing, Production, and Development environments are segregated to ensure security and isolation.
Secure Transfer Agreements: Agreements have been established to ensure the secure transfer of business information to external parties, including customers, suppliers, and other interested entities.
Roles and Responsibilities: The roles and responsibilities for managing network security are clearly defined, communicated, and regularly reviewed. Necessary segregation of duties is implemented to ensure optimal operational effectiveness.
PrimeRole has established a Software Development Lifecycle (SDLC) standard, designed to ensure security and privacy are integral parts of each product or platform developed or acquired. This standard aligns with the principles of “least privilege” and “least functionality,” ensuring that all systems, applications, and services adhere to secure engineering practices.
PrimeRole follows an Agile and DevOps SDLC model focused on process adaptability, customer satisfaction, and quality delivery. The product development process involves breaking down products into small incremental builds, each handled by cross-functional teams (PODs) working simultaneously on planning, requirements analysis, design, coding, unit testing, and acceptance testing.
Key activities enhancing security and privacy posture include:
These practices are guided by industry best practices and frameworks, including ISO 27001, ISO 27034, OWASP, and CIS standards.
Automation is a core component of PrimeRole's application security, enabling continuous security coverage throughout the SDLC. Key automation initiatives include:
PrimeRole emphasizes security testing and verification at every stage of development, including:
PrimeRole enforces strict separation between development, testing, and production environments. This separation includes:
The production environment is logically segregated from development and testing environments using virtual private cloud (VPC) and subnet concepts, with no customer data used in development or test environments.
Network Infrastructure Overview
PrimeRole's network architecture employs a multi-tiered security framework, with services and data hosted in Virtual Private Clouds (VPCs) across multiple availability zones. Core infrastructure elements from AWS and Microsoft Azure include:
External connections are terminated at the Load Balancer, which, along with Cloudflare WAF, provides DDoS protection. The Load Balancer directs incoming connections to private subnets containing the application stack.
PrimeRole's network is decoupled, with multiple firewall rules in place to reduce the attack surface. Key features include:
Each application is serviced from an individual VPC, with each customer uniquely identified by a tenant ID. This design ensures that customers can only access their own data.
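The tenant-ID scoping above, as an added example that is not PrimeRole's data layer: a repository bound to one tenant at construction, so every query carries the tenant ID and a record belonging to another tenant is simply not found. The unscoped lookup is included beside it to show the defect the scoping prevents. The `contacts` table, its columns and the sample rows are constructed, and sqlite3 stands in for the production database.

```python
"""Tenant-scoped data access: every query carries the caller's tenant ID.

Added example, not PrimeRole's data layer. The `contacts` table, its columns
and the sample rows are constructed; sqlite3 stands in for the production database.
"""
import sqlite3
from typing import Dict, List, Optional

COLUMNS = ("id", "tenant_id", "email")


def build_sample_db() -> sqlite3.Connection:
    """Constructed data set: two tenants sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, "
        "tenant_id TEXT NOT NULL, email TEXT NOT NULL)"
    )
    # Composite index so tenant-scoped lookups stay cheap as data grows.
    conn.execute("CREATE INDEX contacts_tenant ON contacts (tenant_id, id)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", [
        (1, "tenant-a", "alice@example.com"),
        (2, "tenant-a", "amir@example.com"),
        (3, "tenant-b", "bob@example.com"),
    ])
    return conn


def insecure_get_contact(conn: sqlite3.Connection, contact_id: int) -> Optional[Dict]:
    """Anti-pattern: looks up by record ID alone, so an authenticated caller
    from one tenant can read another tenant's row (broken object-level
    authorization)."""
    row = conn.execute("SELECT id, tenant_id, email FROM contacts WHERE id = ?",
                       (contact_id,)).fetchone()
    return dict(zip(COLUMNS, row)) if row else None


class TenantScopedRepository:
    """Bound to one tenant at construction; no method accepts a tenant override."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        if not tenant_id:
            raise ValueError("tenant_id is required")  # never fall back to 'all tenants'
        self._conn = conn
        self._tenant = tenant_id

    def get_contact(self, contact_id: int) -> Optional[Dict]:
        row = self._conn.execute(
            "SELECT id, tenant_id, email FROM contacts WHERE id = ? AND tenant_id = ?",
            (contact_id, self._tenant),
        ).fetchone()
        return dict(zip(COLUMNS, row)) if row else None

    def list_contacts(self) -> List[Dict]:
        rows = self._conn.execute(
            "SELECT id, tenant_id, email FROM contacts WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()
        return [dict(zip(COLUMNS, r)) for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print(insecure_get_contact(db, 3))                        # cross-tenant read
    print(TenantScopedRepository(db, "tenant-a").get_contact(3))  # None
```

The scoped repository returns `None` for a foreign record rather than an "access denied" error, so a response does not reveal whether an ID exists in another tenant.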
PrimeRole prioritizes secure configuration management across all systems and networks, including:
PrimeRole employs AES-256 encryption for data at rest and HTTPS with TLS 1.2 and above for data in transit. Certificates are managed via AWS ACM and Digicert, with renewals every 365 days. Passwords are one-way hashed and salted using bcrypt, and third-party API calls are authorized using OAuth 2.0 with secure access tokens.
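Two of the controls above (the TLS 1.2-and-above requirement with modern cipher suites from the Secure Communication paragraph, and salted one-way password hashing) as an added example that is not PrimeRole's code. It uses only Python's standard library: `ssl` to build a server context that refuses handshakes below TLS 1.2, and `hashlib.scrypt` as a stand-in for the bcrypt hashing the policy names, since both are salted, one-way and cost-tunable while bcrypt needs a third-party package. The cipher string, cost parameters and the stored-hash format are constructed.

```python
"""Transport security settings and salted one-way password hashing.

Added example, not PrimeRole's code. Standard library only: `ssl` for a
server context enforcing TLS 1.2+ and modern cipher suites, and
`hashlib.scrypt` as a stand-in for bcrypt (the policy's choice), since
bcrypt needs a third-party package. Cost parameters, cipher string and the
storage format are constructed.
"""
import hashlib
import hmac
import os
import ssl
from typing import Optional

# TLS 1.2 cipher preference: forward-secret key exchange, AEAD bulk ciphers,
# legacy algorithms excluded. TLS 1.3 suites are fixed by the library.
CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def make_server_tls_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # policy: TLS 1.2 and above
    ctx.set_ciphers(CIPHER_STRING)
    return ctx


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name


def permits_tls_version(ctx: ssl.SSLContext, name: str) -> bool:
    """True when a handshake at the named version ("TLSv1_1", "TLSv1_3", ...)
    would clear the context's floor."""
    return ssl.TLSVersion[name] >= ctx.minimum_version


SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32  # constructed cost settings


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<n>$<salt hex>$<digest hex>', with a fresh 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, n, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record counts as a failed verification


if __name__ == "__main__":
    ctx = make_server_tls_context()
    print(minimum_version_name(ctx), permits_tls_version(ctx, "TLSv1_1"))
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

Storing the cost parameter alongside the salt and digest lets the work factor be raised later without invalidating existing records.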
Secure coding principles are integral to PrimeRole's development activities, adhering to OWASP Secure Coding Guidelines. Key practices include:
PrimeRole values responsible disclosure of security vulnerabilities. Bugs can be reported through email at [email protected].
PrimeRole partners with organizations that adhere to global standards and regulations, similar to itself. These organizations include sub-processors or third parties that PrimeRole utilizes to assist in providing its products. The list of sub-processors, along with their roles in processing and their processing locations, is disclosed on the following URL: https://www.primerole.com/legal/sub-processors.
PrimeRole classifies vendors into five categories based on the nature of the data they handle:
All vendors are required to complete a questionnaire and undergo an information security and privacy compliance review. For Category 1 vendors, external audit reports and compliance certificates are mandatory. PrimeRole will provide 15 days' advance notice to existing customers before introducing a Category 1 vendor into the production environment. Legal sign-off and execution of MSA/DPA and/or BAA, as applicable, are required as part of the contracting process.
For vendors in other categories, audit reports are requested; however, in the absence of such reports, internal audit reports and policy procedures are reviewed and audited to determine security and compliance clearance. This process is managed by the PrimeRole Vendor Management team.
PrimeRole conducts regular assessments of service providers to ensure that data is processed fairly and only for the purposes for which it was collected. In addition to evaluating technical requirements, PrimeRole examines data protection measures, compliance with PrimeRole's security and privacy requirements, and reviews audit reports before onboarding service providers.
Key checks include the service provider's vulnerability and patch management processes, intrusion protection capabilities, and access management processes. Third-party vulnerability testing reports, ISO 27001/27701 certifications, PCI DSS AOC, and other relevant documents are reviewed by PrimeRole as part of due diligence.
PrimeRole's Data Processing Addendum (DPA) executed with sub-processors includes requirements regarding breach notifications and reporting obligations. These requirements are reviewed by PrimeRole's Legal team and the GRC team, ensuring that the sub-processors comply with security and privacy safeguards, rights to audit, and support for subject access requests. The GRC team also conducts periodic reviews of service providers as part of its Risk Management Process.
PrimeRole is committed to empowering sales professionals to achieve exceptional results and build stronger customer relationships. We accomplish this by providing a comprehensive sales intelligence platform that is intuitive, data-rich, and designed for sales representatives and leaders across organizations of all sizes.
PrimeRole adheres to the ISO 27001:2022 standard, GDPR, CCPA, and other relevant privacy and data protection regulations. We have obtained and maintained all necessary certifications to support these claims, ensuring compliance with both current and emerging regulations. Regular audits are conducted to verify ongoing compliance with these standards.
PrimeRole hosts all applications (products) and customer data (hosted data) in AWS (Amazon Web Services) and Azure data centers. As a SaaS product, ensuring availability and seamless functionality for users is a top priority.
PrimeRole's network security architecture is designed with multiple security zones. The most restricted systems, such as database servers, are protected within our most trusted zones. Other systems are hosted in zones that match their sensitivity, based on function, information classification, and risk. Depending on the security zone, additional monitoring and access controls are applied. Demilitarized Zones (DMZs) are utilized between the internet and internally between different zones or trusts.
Our network is safeguarded through the use of key AWS security services, integration with Cloudflare edge protection networks, regular audits, and network intelligence technologies. These systems monitor and block known malicious traffic and network attacks, ensuring robust protection.
PrimeRole employs service clustering and network redundancies to eliminate single points of failure. Our rigorous backup regime, combined with our Disaster Recovery service offering, ensures high service availability. Customers and their data are replicated across multiple availability zones, providing resilience against potential disruptions.
PrimeRole has established a comprehensive security incident management process designed to classify and handle incidents and security breaches efficiently. A dedicated incident management team, consisting of individuals with the necessary technical expertise and authority, has been formed to respond to information security incidents. The information security team is responsible for recording, tracking, responding to, resolving, monitoring, and communicating about incidents to appropriate parties in a timely manner. This process is regularly reviewed and updated during periodic internal audits and is audited as part of the ISO 27001 assessment.
The incident response plan outlines the procedures to be followed in the event of an information security incident, including the roles and responsibilities of the incident management team. Information security incidents are classified based on their severity and impact on the organization's operations, with this classification determining the appropriate response actions and escalation procedures.
For immediate reporting of complaints or breaches, you can contact our 24x7 hotline at [email protected].
PrimeRole has established processes for the early identification and reporting of incidents and breaches. As a data controller, PrimeRole notifies the relevant Data Protection Authority of a breach within 72 hours of becoming aware of it. Depending on specific requirements, we will also notify customers when necessary. As a data processor, we inform the relevant data controllers without undue delay. The Data Protection Officer (DPO) is responsible for reporting security incidents and breaches to customers.
Each customer is assigned a dedicated Customer Success Manager (CSM), who serves as the Single Point of Contact (SPOC) for incident reporting. The account owner/admin of the customer's PrimeRole platform will be notified of any security incident that impacts the customer. If there are any designated email distribution lists (DLs), we can also use them for reporting. We are open to contractually agreeing on such requirements with mutual concurrence.
PrimeRole has established a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to support people, processes, and technology during any crisis or business interruption. Roles and responsibilities have been clearly defined and documented. The PrimeRole Customer Success team is responsible for communication and notification during a crisis. In the event of a crisis, the BCP team will contact relevant authorities, such as service utilities, emergency services, electricity providers, and health and safety officials, to support business continuity efforts. Information security is maintained at appropriate levels throughout any disruption.
PrimeRole continually reviews its business continuity program, incorporating lessons learned from actual events, exercises, and audits. This ongoing process includes updating BCPs, refining response procedures, and enhancing training and awareness efforts.
Business Impact Assessments (BIA) are conducted for all applicable processes, forming the basis for BCP and DRP. All critical operations, processes, and facilities are included in the BIA, and BCP and DRP requirements are planned accordingly. Dependencies are identified, and all applicable strategies are considered as part of the BCP and DRP planning.
PrimeRole has established a Crisis Management Team (CMT) responsible for coordinating response efforts during emergencies. The CMT is composed of senior leaders from key functional areas and is tasked with decision-making, communication, and resource allocation during crises.
PrimeRole is committed to ensuring the resilience of its ICT services by maintaining an organizational structure that is prepared to respond to disruptions. This includes regularly evaluating and approving continuity plans aligned with business objectives and defining comprehensive performance, recovery time, and recovery point objectives.
All data hosted on the cloud is synced in real-time (with cross-regional network latency) across Availability Zones (AZs) or to separate AWS, DigitalOcean (DO), and Azure regions other than those hosting customer-serving infrastructure. Each AWS, DO, and Azure AZ or region is designed to be completely isolated from other regions, helping achieve maximum fault tolerance and stability. Data sync occurs in an active-active model, with each region capable of independently handling the load in case of failures. Backup and restore testing are conducted annually to ensure the integrity of backups and the effectiveness of restore processes.
PrimeRole employs high availability solutions to provide continuous service to customers. PrimeRole achieves high availability (HA) using AWS and Azure Availability Zones (AZs) within the regions where PrimeRole hosts its applications for customers. Each AWS and Azure data center region has multiple isolated AZs. PrimeRole places resources and data in multiple AZs within each region.
Each AZ is physically separated within the metropolitan region, connected through low-latency links, located in low-risk flood plains, and supported by different power grids, multiple tier-1 transit providers, UPS systems, and on-site backup generators. These measures help reduce Single Points of Failure (SPOF).
The BC and DR Plan is tested and reviewed annually by the PrimeRole Information Security Officer (ISO) and approved by the Information Security & Compliance Steering Committee (ISCSC). Annual training on BCP and DRP requirements is provided to all relevant workforce members involved in the process. The BCP and DRP are reviewed and audited as part of PrimeRole's ISO 27001 standards, which cover availability as one of the key trust service principles.
In light of the evolving threat landscape and the increasing sophistication of cyberattacks, it is imperative for PrimeRole to adopt a robust security framework to safeguard our digital assets. Recognizing the criticality of endpoint security in protecting our systems and data, PrimeRole has implemented a Zero Trust model to fortify our defenses and mitigate potential risks.
All devices, including but not limited to computers, laptops, and mobile devices, are considered untrusted by default. Access to resources, applications, and data is granted based on continuous authentication, least privilege access principles, and contextual factors rather than implicit trust in the network or device.
All employees are provided with company-issued laptops to carry out their responsibilities. These endpoints are configured with standard builds deployed through Mobile Device Management (MDM) solutions for centralized control and management. Authentication is managed via Single Sign-On (IAM) and Two-Factor Authentication (2FA).
PrimeRole has established and communicated comprehensive procedures for the secure configuration and management of user endpoint devices. These procedures address the following areas:
All personal devices (BYOD) used to access PrimeRole systems must comply with strict security controls, including full disk encryption and VPN usage. Non-compliance with these security requirements may result in the revocation of access privileges. PrimeRole also employs MDM solutions for centralized control and management of company-provided assets, ensuring that all devices are secure and compliant with company policies.
PrimeRole prioritizes the security of business information on personal devices by enforcing the following measures:
PrimeRole has established a Risk Management Framework as part of its Information Security Management System (ISMS) in accordance with the ISO/IEC 27001:2022 standard. The Information Security and GRC teams conduct security risk assessments annually and on an ongoing basis, especially when significant internal changes occur or when notable events happen in the industry. PrimeRole identifies and documents potential risks to its assets, including but not limited to information systems, data, facilities, and personnel.
PrimeRole has implemented an integrated control system characterized by different control types, such as layered, preventative, detective, corrective, and compensating controls, to mitigate identified risks. Information security risk management is integrated into the Software Development Lifecycle (SDLC), with roles and responsibilities clearly defined for each SDLC phase. During software or system development, PrimeRole conducts thorough testing and verification to ensure risks are managed effectively.
The risk management process is integrated into the change management process at all levels. Risks associated with proposed changes are identified, assessed, and addressed promptly to minimize potential negative impacts. PrimeRole follows a formal acquisition process that includes risk assessments for purchased commercial products, and supplier contracts are designed to include identified security requirements.
PrimeRole continuously monitors and reviews the effectiveness of its risk management processes and controls. This includes regular reviews of risk assessments, incident reports, and security controls to ensure they remain effective and up-to-date.
Risk assessments at PrimeRole evaluate multiple factors that may impact security, as well as the likelihood and impact of potential loss of confidentiality, integrity, and availability of information and systems. Information security risks associated with the execution of projects, such as the security of internal and external communications, are considered and treated throughout the project lifecycle.
Risk assessments are conducted bi-annually across various departments or whenever the following changes occur:
PrimeRole identifies risks from various sources, including but not limited to:
Key enablers such as people, premises, processes, and technology are documented for each risk identified in the risk register. The risk register includes strategic, financial, environmental, safety, people, and reputation risks.
Mitigation strategies are developed and implemented to address identified risks effectively. These strategies may include technical, administrative, and physical controls aimed at reducing the likelihood and impact of potential incidents. The risk treatment plan, which identifies risks and nonconformities, corrective actions, resources, responsibilities, and priorities for managing information security risks, is regularly reviewed and updated.
Appropriate risk treatment plans (Reduce Risk, Avoid Risk, Transfer Risk, Retain Risk) are considered and approved by the CEO and Risk Owner. The risk assessment, top risk selection, and risk treatment plans are reviewed, and progress is tracked by the Information Security & Compliance Steering Committee (ISCSC).
PrimeRole has established a comprehensive process and control system for handling vulnerabilities in our products and infrastructure. These processes are integral to maintaining the security and integrity of our systems.
PrimeRole follows secure coding guidelines based on OWASP Secure Coding Guidelines, which are shared with the engineering teams. These guidelines cover essential areas such as input validation, output encoding, session management, error handling, and logging. Developers receive training on these secure coding practices from the Application Security team at least annually to ensure adherence to security standards.
PrimeRole conducts an annual Vulnerability Assessment and Penetration Testing (VAPT) for our products, performed by external third-party audit firms. This gray box testing involves providing the external vendor with an application walkthrough, followed by automated scans to identify weaknesses in the application, including OWASP top 10 vulnerabilities, and manual testing of critical application features such as authorization, authentication, session management, injection, input validation, and transmission security.
Identified issues are logged as tickets in our internal tool and are prioritized and resolved according to our defined vulnerability management process SLA:
Any delays are escalated to the respective department head and, for exceptions, to the CEO through the risk tracker.
PrimeRole utilizes AWS and Microsoft Azure for our infrastructure, managed by the PrimeRole cloud infrastructure team. The network components include EKS, application servers, web servers, caches, background servers, database servers, S3, and other components comprising the application and data layers. Only essential traffic is allowed, with all other traffic blocked via security groups and Network Access Control Lists (NACLs).
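The "only essential traffic" rule above, as an added example that is not PrimeRole's AWS or Azure configuration: a default-deny evaluator with security-group semantics (allow rules only, anything unmatched is dropped) plus an audit that flags rules exposing anything other than the public HTTPS port to the whole internet. The rule model, the sample rule set and the assumption that only port 443 may be world-reachable are constructed.

```python
"""Default-deny evaluation and a permissiveness audit for security-group style rules.

Added example, not PrimeRole's AWS or Azure configuration. The rule model,
the sample rule set and the 'only HTTPS may face the internet' assumption
are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

INTERNET_FACING_PORTS = {443}  # assumption: the only service that may be world-reachable


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule (security groups carry no explicit deny)."""
    protocol: str     # "tcp" or "udp"
    from_port: int
    to_port: int
    source: str       # CIDR the rule accepts traffic from
    description: str = ""

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        return (self.protocol == protocol
                and self.from_port <= port <= self.to_port
                and ipaddress.ip_address(src_ip)
                in ipaddress.ip_network(self.source, strict=False))


def is_allowed(rules: Iterable[Rule], protocol: str, port: int, src_ip: str) -> bool:
    """Allow only if some rule matches; anything unmatched is dropped."""
    return any(r.matches(protocol, port, src_ip) for r in rules)


def audit(rules: Iterable[Rule]) -> List[str]:
    """Flag rules that open anything beyond the internet-facing ports to
    0.0.0.0/0 or ::/0, i.e. rules that contradict 'only essential traffic'."""
    findings = []
    for r in rules:
        world_open = ipaddress.ip_network(r.source, strict=False).prefixlen == 0
        only_public_ports = all(p in INTERNET_FACING_PORTS
                                for p in range(r.from_port, r.to_port + 1))
        if world_open and not only_public_ports:
            findings.append(f"{r.protocol}/{r.from_port}-{r.to_port} from {r.source}: "
                            f"{r.description or 'no description'}")
    return findings


SAMPLE_RULES = [  # constructed rule set; the last entry is the misconfiguration
    Rule("tcp", 443, 443, "0.0.0.0/0", "public HTTPS via load balancer"),
    Rule("tcp", 22, 22, "10.0.0.0/8", "SSH from the internal network only"),
    Rule("tcp", 5432, 5432, "10.0.1.0/24", "PostgreSQL from the app subnet"),
    Rule("tcp", 22, 22, "0.0.0.0/0", "temporary debugging access"),
]


if __name__ == "__main__":
    print(is_allowed(SAMPLE_RULES, "tcp", 5432, "10.0.1.7"))      # True
    print(is_allowed(SAMPLE_RULES, "tcp", 5432, "203.0.113.5"))   # False
    for finding in audit(SAMPLE_RULES):
        print("finding:", finding)
```

Running the audit as part of the regular firewall-rule review catches the classic drift case: a wide-open rule added "temporarily" and never removed.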
PrimeRole uses Docker containers, which are scanned daily via Security Hub and SNYK to identify security misconfigurations against CIS benchmarks. The application security team and DevOps team also perform hardening on servers and network components to ensure they meet CIS benchmarks.
Quarterly scans, both automated and manual, are conducted to identify vulnerabilities. We subscribe to a vulnerability database that triggers alert notifications, and our Security Information and Event Management (SIEM) tool provides continuous monitoring. Identified vulnerabilities are logged as tickets in internal tools and are addressed according to our defined vulnerability management process and SLA.
The Network Operations Center (NOC) and Security Operations Center (SOC) teams are responsible for proactive monitoring of information security events and alerts, providing situational awareness through the detection, containment, and remediation of any suspected or actual security incidents. These teams operate 24x7 to identify, analyze, communicate, investigate, and report on critical information security events.
Early warning signals have been configured to trigger alerts to the NOC and SOC teams based on event patterns and strict thresholds. Monitoring is exhaustive, covering the network perimeter and all service zones, and recognizes events based on signatures, patterns, and correlations that help catch false negatives and eliminate false positives. We are equipped to detect and mitigate persistent threats, including DDoS attacks, session hijacking, login spoofing, and data extraction strategies.
PrimeRole's patch management process is governed by applicable policies and standards to ensure that all patches, both security and otherwise, are deployed in accordance with defined SLAs.
PrimeRole conducts multiple types of security scans, including internal, external, authenticated, and unauthenticated scans. These processes are carried out by both PrimeRole and third-party resources.
Note: Customers are not allowed to conduct their own scans without explicit permission. To request permission, customers must work with their PrimeRole account teams to receive the appropriate authorization from the PrimeRole security team.
PrimeRole prioritizes data security through robust policies and tools that encompass the identification, prevention, and monitoring of data leakage, supported by stringent measures, user accountability, and strategies to prevent adversarial intelligence.
PrimeRole ensures the encryption of restricted and confidential data both in transit and at rest.
PrimeRole adheres to stringent policies and procedures for the timely and secure deletion of confidential and restricted information to mitigate risks and maintain data integrity throughout its lifecycle.
PrimeRole prioritizes the privacy and protection of Personally Identifiable Information (PII) by implementing clear policies and procedures that ensure compliance with relevant laws and regulations.
PrimeRole processes and stores customer data while providing services or when data is transmitted via the PrimeRole platform.
PrimeRole ensures that audit access and testing are conducted with precision and caution to protect information systems and data.
Periodic reviews of these guidelines ensure alignment with evolving needs and maintain robust security during audits.
PrimeRole's control environment provides the foundation for all components of internal controls, including the management of logical and physical access, data security, incident response, change management, security and privacy operations, and monitoring. These elements are further detailed in the control activities section below. PrimeRole's control environment reflects the top management's commitment to well-designed security and privacy controls in all areas of computer processing.
PrimeRole is committed to conducting business with the highest ethical standards and integrity. Employees are expected to perform their duties in accordance with governing documentation as defined by PrimeRole. The PrimeRole Code of Conduct addresses potential ethical issues in business transactions, including compliance with laws, regulations, and internal policies. It outlines the principles that guide PrimeRole's interactions with employees, customers, partners, stockholders, and communities.
PrimeRole is led by the Chief Executive Officer (CEO) with the corporate oversight of the Board of Directors. The CEO and Board of Directors provide strategic direction and corporate oversight, reviewing management activities related to overall company risk, audit, and governance. The CEO and Board meet at least quarterly to conduct management reviews.
PrimeRole's Information Security & Compliance Steering Committee (ISCSC) operates under a governing Charter, which specifies requirements for independence and oversees the following functions:
The Governance, Risk, and Compliance (GRC) team within PrimeRole conducts internal audits annually for all defined processes and controls. Audit findings are reported directly to the ISCSC, which tracks and oversees the remediation of these findings until closure.
The Security Product & Engineering (Application Security) team provides necessary training and guidelines to the Development and QA teams on secure coding and testing practices. The development team uses static code analyzers to perform code reviews. Any identified issues or vulnerabilities are addressed by the development team and then passed to the QA team for further security testing, both manually and with tools. Issues are reported in the tracking tool (Atlassian-Jira) and are revalidated until all issues are resolved.
The Application Security team conducts ongoing vulnerability assessments and penetration testing (VA & PT) on all PrimeRole product platforms in production environments, following an iterative cadence cycle:
Security vulnerabilities identified by the Application Security team are reported in the internal tool (Atlassian-Jira), and the respective product team is notified to resolve them within the defined SLA.
PrimeRole also engages external cybersecurity organizations to perform independent VA & PT on an annual basis. Additionally, PrimeRole undergoes independent audits by global audit firms based on the ISO 27001 framework, covering security, confidentiality, process integrity, availability, and privacy trust service principles.
PrimeRole ensures that controls are in place to comply with all applicable statutory, regulatory, and contractual obligations, as well as internal company standards. We are committed to providing secure products and services by adhering to the requirements of GDPR, CCPA, and other privacy and data protection acts, both as a data controller and processor. PrimeRole is ISO 27001:2022 certified and has established a comprehensive privacy and data protection program led by the privacy team, with support from the information security team. Key privacy principles include Accountability, Privacy by Design and Default, Data Minimization, and Subject Access Rights.
PrimeRole has established a formal Compliance Policy and Procedure that addresses all aspects of compliance related to PrimeRole's Information Security and Privacy Policies. This policy also covers the legal and compliance requirements of relevant statutory legislation, contractual obligations, and regulatory requirements, ensuring the protection of documents, records, and assets while preventing the misuse of information processing facilities. These efforts are aligned with PrimeRole's strategic business plan and based on best practices, standards, and principles.
PrimeRole is dedicated to conducting business lawfully and consistently with its compliance obligations. The Legal and Regulatory Compliance Policy establishes the principles and commitment required for achieving compliance by:
PrimeRole regularly identifies, documents, and updates relevant regulatory and legislative requirements according to its contractual obligations and operational needs.
All records mandated by statutory, legal, or regulatory authorities, whether of Indian or foreign origin, are protected from loss, destruction, falsification, unauthorized access, unauthorized release, and intentional or unintentional damage, including damage from natural causes. The retention period for statutory records is determined by applicable legislation, while the retention of business records is determined by business group heads or heads of department (HODs), with appropriate justification.
PrimeRole is committed to protecting the privacy of personal information belonging to its customers, employees, and third parties with whom it has agreements. Disclosure of such information is limited to statutory, contractual, regulatory, or legal requirements. PrimeRole ensures that this information is protected from misuse, leakage, falsification, or unauthorized trading.
Where logs are required to be maintained as per contractual, regulatory, statutory, or legal requirements, they will be kept for the specified duration.
PrimeRole adheres to legal restrictions on the use of assets with Intellectual Property Rights (IPR), including copyright, software licenses, trademarks, and design rights. All software programs, documentation, and other information generated or provided by PrimeRole users, consultants, and contractors for PrimeRole's benefit are considered PrimeRole's property.
IPR will be included in all contracts, and PrimeRole will clearly define and document its intellectual property rights, including copyrights, trademarks, patents, trade secrets, and other proprietary information. A register of intellectual property assets will be maintained, including ownership information, expiration dates, and any licensing agreements.
PrimeRole explicitly defines the statutory, regulatory, and contractual requirements for its information assets, including but not limited to:
During information security audits by independent consultants or bodies, appropriate confidentiality and non-disclosure agreements will be signed. Any access granted to external parties will be restricted immediately after the audit's completion.
Compliance requirements serve as a baseline for security and privacy within PrimeRole. However, these are not the ultimate goal but a starting point for continuous improvement. The primary compliance standards include:
PrimeRole agrees to implement appropriate technical and organizational measures to protect customer, employee, and third-party data as required by applicable data protection laws. PrimeRole also commits to regularly testing, assessing, and evaluating the effectiveness of its Information Security Program to ensure secure data processing.
Any employee found to have violated this policy may be subject to disciplinary and/or legal action according to the PrimeRole Code of Conduct and Disciplinary process.
Please feel free to send your questions to [email protected]; [email protected]