Vendor Security and Privacy Policy

Our policy regarding content ownership, access, sharing and sale of data, privacy, and security assurances for vendors

Summary

Prevalent helps firms identify and manage risk in third-party business relationships by offering the industry’s only purpose-built, unified platform that integrates automated assessments, continuous monitoring, and evidence sharing for collaboration between enterprises and vendors. No other product on the market combines all three components, providing the best solution for a highly functioning, efficient third-party risk program.

As a vendor who has received a request to complete an online survey in the Prevalent platform, you may have some questions regarding how your company’s sensitive data is handled. This document will cover content ownership, access, sharing and sale of data, privacy, and security assurances.

About Prevalent

Prevalent, Inc., is a Delaware Corporation with its principal place of business located at 11811 N. Tatum Blvd., Suite 2400, Phoenix, Arizona 85028 USA and the parent company to its wholly owned subsidiary, Prevalent Limited (formerly 3GRC LTD), incorporated and registered in England and Wales with company number 09673268 whose registered office is at Prevalent LTD, located at The Square, Basing View, Basingstoke, England, RG21 4EB. Insight Venture Partners, LLC (“Insight”), a private equity and venture capital firm, is the principal owner of Prevalent, Inc.

Further Information

For further information on this document, contact the Prevalent support and customer success team at:

Content Ownership

The vendor owns their content in the Prevalent platform. Vendors can update their content, request that it be removed, share it with others, or not share it at all.

Access

Completed vendor assessments and associated evidence are stored in our secure repository, where they are viewable only by the company requesting the assessment, or by Prevalent if that company has outsourced the collection to Prevalent. By completing and submitting the assessment and associated evidence, vendors allow the requesting company and/or Prevalent to view it.

Data Sharing

Vendor data is not shared unless the vendor expressly approves that their assessment results and associated evidence be shared with entities other than the requesting company or Prevalent.

Sale of Data

Data in the Prevalent Platform will not be sold under any circumstances.

Third-Party Certification

Prevalent, including the Prevalent TPRM Platform, has achieved and maintains ISO/IEC 27001:2013 certification for implementing and managing an information security management system within the context of the organization.

Location of Data

The Prevalent Platform allows clients to choose the geographic region of deployment and makes use of multiple Availability Zones within that region to maintain availability. Data is replicated across Availability Zones, and daily backups are performed. Client data is never stored outside of the chosen region.

Users can see the region in which their data is stored at any time in the footer of the application user interface.

Data Security

Prevalent assesses the software and service providers used to operate and support our own applications using the Prevalent platform itself. We provide our own SIG Lite and PCF assessments within the Prevalent platform, third-party attestations from our suppliers (where applicable), and policy, procedure, and technical documentation as necessary.

Prevalent’s products are all cloud-based SaaS applications hosted in AWS. They are designed to run securely at high scalability and availability, with robust failover processes.

The Prevalent Platform includes layers of security throughout the technology stack. This includes the following security features:

Data and file encryption

  • Encryption keys are stored in AWS Key Management Service (KMS).
  • All key usage is logged to AWS CloudTrail for auditing.
  • Data in transit is encrypted with TLS (certificate-based) using AES 256-bit cipher suites.
  • Databases are encrypted at rest with AES 256-bit encryption.
  • File storage is encrypted at rest with AES 256-bit encryption.

Scalability

  • Load balancers with a built-in Web Application Firewall (WAF).

Multi-Tenancy Protection

  • Each customer’s data is stored in its own separate (federated) database rather than in a shared database.

Resilience

  • Databases are backed up daily, and backups are retained for 14 days across multiple Availability Zones.
  • Databases are replicated to standby instances in a different Availability Zone for rapid failover.

Endpoint Protection

  • Anti-virus software is installed on, and regularly scans, the application servers.
  • Anti-virus software scans all file uploads.

Network Security and DDoS Protection

  • Data and service layers are placed in private subnets that are not publicly reachable.
  • Auto-scaling and AWS Shield are enabled to mitigate DDoS attacks.

Monitoring and Auditing

  • The platform uses AWS WAF, Amazon GuardDuty, Amazon CloudWatch, and Amazon Inspector for monitoring, vulnerability findings, threat detection, and alerting.
  • All access is logged to AWS CloudTrail for auditing.

Vulnerability Detection

  • Continuous automated vulnerability scanning.
  • Annual third-party penetration tests.

Access Management

  • An access rights policy, backed by audit logging in AWS CloudTrail and IAM.
  • In-application security features: a configurable password strength policy, multi-factor authentication, and IP range allow-listing (whitelisting) for whole instances and/or individual users.

These controls are under continuous review and are verified by the Prevalent security team.

Privacy Policy

Click here to view the Prevalent Privacy Policy.

Artificial Intelligence

Prevalent is committed to upholding ethical practices in all aspects of our operations, including the use of artificial intelligence tools and services. We carefully evaluate the security, privacy, and reputational aspects of any AI tool or service used by the Prevalent Platform. Any AI use by our team members must meet our security and data protection standards and must be continuously supervised and monitored to reduce the risk of AI hallucinations. For the optional AI-Powered Virtual Third-Party Risk Advisor feature, user inputs are evaluated by large language models to parse questions and determine intent so that the feature can deliver risk guidance. No client or entity data is added to those inputs, and nothing specifically links risks to the user’s organization or to any third parties. The resulting guidance may not be accurate, complete, or up to date, is subject to ongoing change without notice, and should not be a substitute for your own judgment, professional advice, or additional research before making any decisions based on it. Prevalent assumes no responsibility for any damages that may arise in connection with use of the AI tool.

Updated November 28, 2023
