Your data is valuable and we’re committed to keeping it safe.
We use industry-leading security practices to ensure your sensitive information is always safe. Here’s how.
The Basics
- Privacy: Pogo is committed to compliance with all applicable data privacy laws. For more information on how we collect, use and share your information, please see our Privacy Policy.
- Authentication and authorization: Pogo maintains role-based access control across our internal and external systems. Access to all critical services requires SSO or multi-factor authentication where available.
- Risk assessment: Pogo conducts regular risk assessments to gain an accurate and thorough understanding of the potential risks to security, availability, and privacy in our services.
- Penetration tests: We work with trusted third parties to complete application vulnerability scans at least once per year. Vulnerabilities and findings are ranked according to severity and prioritized accordingly.
- Vulnerability scans: Pogo regularly performs vulnerability scans, including with independent security researchers, to identify, prioritize, and remediate potential system vulnerabilities.
- Background checks: Pogo conducts background checks on all full-time employees and contractors who have access to our internal systems.
- Training: All Pogo employees are required to complete security training annually.
- Confidentiality: All employees and contractors are required to sign and adhere to industry-standard confidentiality agreements prior to their first day of work.
Infrastructure security
- External audits: Pogo conducts an annual independent external audit covering penetration testing, vulnerability scans, and information security.
- Audit logs: Pogo collects audit trails, covering every write operation in our ecosystem.
- Data encryption: Pogo encrypts all data, both at rest (AES-256-GCM) and in transit (TLS 1.2).
- Segmentation: Pogo’s environments - production and staging - are fully segregated VPCs.
- Network: Pogo uses AWS Security Groups to filter inbound traffic to our servers and databases. Outbound traffic is only allowed for known IPs. We also use a Web Application Firewall to restrict traffic to the US and known IP addresses, and we have bot detection measures in place.