Security at PartnerPortal.io
Your partner data — and the data of your partners and their contacts — is entrusted to us, and we take that seriously. This page explains, in plain language, how we protect it. For formal reports and documentation, visit our Trust Center.
We protect your data
PartnerPortal.io is built so that your data is encrypted, isolated from other customers, and accessible only to the people you authorize. We run entirely on established cloud infrastructure, we don't sell your data, and you own it at all times.
Encryption
All data is encrypted in transit and at rest.
- In transit: Everything sent between you and PartnerPortal.io is encrypted using TLS 1.2 or higher, enforced at every endpoint.
- At rest: Your data is encrypted using AES-256 in our database (MongoDB Atlas) and file storage (Amazon S3).
Authentication and access
Identity and passwords are managed by Auth0 (an Okta company) — a dedicated, certified identity provider. We never store or see your password.
- Single sign-on (SSO): Supports SAML 2.0, OpenID Connect, and federation with providers like Okta, Azure AD, Google Workspace, and OneLogin.
- Multi-factor authentication (MFA): Available for added account protection.
- Role-based access control: Access is governed by roles (Admin, Staff, Partner, Agent) with granular, configurable permissions. Every request is checked against the user's permissions, with a deny-by-default policy.
Your data stays yours
PartnerPortal.io is a multi-tenant platform, and your data is logically isolated from every other customer. Each request is authenticated and scoped to your company, and this boundary is enforced by the application on every database query — not left to user input. Users can only ever access data belonging to their own organization.
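How a deny-by-default permission check and an application-enforced tenant boundary can fit together, as an added example that is not PartnerPortal.io's own code. The role names come from this page; the permission strings, the `company_id` field name and every function name are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Role names are from the page; the permission strings are assumptions.
ROLE_PERMISSIONS = {
    "Admin": {"leads:read", "leads:write", "users:manage"},
    "Staff": {"leads:read", "leads:write"},
    "Partner": {"leads:read"},
    "Agent": {"leads:read"},
}
TENANT_KEY = "company_id"  # assumed name of the tenant field on each document


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    user_id: str
    company_id: str  # set from the verified session, never from request input
    role: str


def authorize(principal, permission):
    # Deny by default: an unknown role or an unlisted permission both fail.
    if permission not in ROLE_PERMISSIONS.get(principal.role, set()):
        raise AccessDenied(f"role {principal.role!r} lacks {permission!r}")


def mentions_tenant_key(node):
    # Walk nested filter documents, including $or/$and lists and dotted keys.
    if isinstance(node, dict):
        return any(str(k).split(".")[0] == TENANT_KEY or mentions_tenant_key(v)
                   for k, v in node.items())
    if isinstance(node, list):
        return any(mentions_tenant_key(v) for v in node)
    return False


def scoped_filter(principal, permission, client_filter):
    """Return the only filter the data layer may send to the database."""
    authorize(principal, permission)
    if mentions_tenant_key(client_filter):
        raise AccessDenied("client filter may not reference the tenant field")
    # $and keeps the tenant clause mandatory whatever the client filter holds.
    return {"$and": [{TENANT_KEY: principal.company_id}, client_filter]}
```

Routing every query through one function like `scoped_filter` gives reviewers and tests a single place to verify that the tenant clause cannot be omitted or overridden.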
Logging and monitoring
We maintain detailed, tamper-resistant logs across the platform:
- Authentication events (successful and failed logins) via Auth0
- Account, permission, and configuration changes
- API access logs (timestamp, user, source IP, action, and result)
- Infrastructure activity via AWS CloudTrail and CloudWatch, with distributed tracing via AWS X-Ray
Production logs are retained for 12 months and stored in append-only, access-controlled systems.
Reliability and backups
- Continuous backups with point-in-time recovery via MongoDB Atlas, encrypted and stored separately from primary data.
- Separated environments: Production and non-production environments run on entirely separate infrastructure — separate AWS accounts, database clusters, and identity tenants. Production data is never copied into development or testing.
Threat protection
- DDoS mitigation through AWS Shield and Amazon CloudFront, which absorb volumetric attacks at the edge.
- Rate limiting and filtering at the API layer.
- Anomaly detection via Auth0 — brute-force protection, breached-password detection, and suspicious-IP blocking.
- Security headers (HSTS, content-type protection, and more) enforced on every response.
How we build and ship changes
Changes to the platform follow a controlled process: code is developed on separate branches, submitted as reviewed merge requests, and deployed first to a staging environment. Production releases require a separate, manually approved step, and every deployment records its exact source version for traceability.
Privacy and data ownership
- You own your data. You retain all rights to the data and content you submit.
- We don't sell it. We process your data only to provide, secure, and support the service — never for our own commercial purposes.
- Export and deletion: You can export lead and opportunity data as CSV at any time, and request deletion or return of your data on termination.
- Compliance: We support GDPR and CCPA/CPRA obligations, including EU Standard Contractual Clauses and the UK IDTA for international transfers. See our Privacy Policy and Data Processing Agreement.
Subprocessors
We rely on a small set of trusted subprocessors to deliver the service, including AWS, MongoDB Atlas, Stripe, Auth0 (Okta), HubSpot, Google, Intercom, ChartMogul, GitLab, Integration.app, and SafeBase. The current list is maintained in our Data Processing Agreement.
Infrastructure and certifications
PartnerPortal.io runs on cloud infrastructure operated by providers with leading security certifications — AWS, MongoDB Atlas, and Auth0 (Okta) each maintain SOC 2 Type II and ISO 27001. All infrastructure is hosted in the United States (AWS us-east-1).
The platform previously operated under a SOC 2 report held by its prior parent company. Following a change of ownership in 2025, PartnerPortal LLC is obtaining SOC 2 certification under the new entity. For current reports and security documentation, visit our Trust Center.
Incident response
We monitor for suspicious activity across our infrastructure and application. In the event of a personal data breach, we commit to notifying affected customers without undue delay and, where feasible, within 72 hours of confirmation, as set out in our Data Processing Agreement. To date, we have had no known security breaches.
Want to know more?
- Trust Center — security grades, documentation, subprocessors, and reports
Report a concern
If you believe you've found a security vulnerability or want to report a concern, email security@partnerportal.io. We appreciate responsible disclosure and will work with you to investigate and address valid reports.