Secure project management software - GanttPRO
GanttPRO is a product of XB Software Ltd., a member of Belarus Hi-Tech Park - one of the leaders among innovative IT clusters in Central and Eastern Europe. The company has more than 10 years of experience and 150+ employees.
Our priority is to keep our clients’ data secure and to provide a secure environment. At the same time, we continuously work on improving GanttPRO performance as well as the overall user experience.
GanttPRO implements a variety of security measures to maintain the safety of your personal and business information.
Security audit and certificates
XB Software certifications
XB Software Ltd. is certified under ISO 27001 (the international standard for best-practice information security management systems, ISMS) and ISO 9001 (the international quality management system standard, QMS).
To obtain these certifications, the company had to demonstrate and maintain an ongoing, structured commitment to protecting sensitive business, customer, and employee data. The Information Security Management System (ISMS) is used to manage the controls and standards required by ISO 27001. Holding this certification shows the company’s commitment to securing client data through processes and policies that meet internationally recognized standards.
GanttPRO uses external, secure third-party payment processing and does not process, store, or transmit any payment card data.
Our payment providers comply with the Payment Card Industry Data Security Standard (PCI DSS) at Level 1.
Microsoft Azure compliance offerings
GanttPRO uses the Microsoft Azure cloud, one of the world’s most stable and secure cloud server infrastructures. Microsoft is committed to the highest levels of trust, transparency, and standards conformance.
Microsoft Azure offers a comprehensive set of compliance offerings to help GanttPRO comply with national, regional, and industry-specific requirements governing the collection and use of data.
It provides 90 compliance certifications, including over 50 specific to global regions and countries, such as the US, the European Union, Germany, Japan, the United Kingdom, India, and China, and more than 35 compliance offerings specific to the needs of key industries, including health, government, finance, education, manufacturing, and media.
Network and system security
World-class cloud platform
The Microsoft Azure cloud provides multi-layered security across physical data centers, infrastructure, and operations, staffed by cybersecurity experts. Our servers are hosted within the EU region.
Server infrastructure and VPN
As an additional security layer, we’ve built our own dedicated virtual private network (VPN) inside the Microsoft Azure cloud. Therefore, your data is cryptographically protected from any attempt to access it by Microsoft or any other third party.
The web-based GanttPRO software is multi-tiered into logical segments (front-end, mid-tier, and database). These segments are separated from one another, which ensures maximum security and autonomy between layers.
The production, QA, and development network segments are logically separated from one another.
To prevent your information from being read or changed while in transit, and to provide the strongest privacy and integrity protection, all internal and external requests to GanttPRO are transmitted over SSL/TLS.
GanttPRO follows best practices in all areas of application security and prevents common web attack vectors (XSS, SQLi, LFI, DDoS, brute force, MitM, etc.).
We run automated security testing continuously, and we engage a third party for penetration testing.
GanttPRO uses Azure Files geo-redundant storage (GRS) to store users’ documents, images, and other files. All files are stored under encrypted paths with strictly limited access. Your data is encrypted both at rest and in transit, using SMB 3.0 and HTTPS. For even more safety, GanttPRO applies malware protection to every file users upload into the system.
Continuous data backup
The software’s data backup model implements database replication in real time to guarantee customer data is backed up as well as accessible on servers that are geographically dispersed and redundant. To guarantee fault tolerance, each day, a full backup is performed. It is stored encrypted in an environment that is physically isolated from the primary server. At the same time, backups taken in the EU region do not leave the EU region.
To provide an additional data access protection layer, we log each external request to GanttPRO together with the requester’s IP address and other available information. We do not publish these logs, for security reasons. At the same time, an additional layer analyzes the logs to anticipate possible attacks and technical issues.
We log all activities made at the project level by people who have rights to make changes. This information is available in the GanttPRO account via the “history” feature.
According to our statistics, GanttPRO currently has 99.96% uptime, which means we stop servers only for maintenance during large updates of functionality and/or system structure.
Monitoring and alerting
Several monitoring tools, both internal and external, watch GanttPRO 24/7/365. This allows us to identify any issues as soon as possible. GanttPRO is monitored externally via Site24x7 and Bugsnag.
Internal scanners and a third-party vulnerability assessment service inspect all infrastructure assets for vulnerabilities and open ports.
Regular updates and patch management
Thanks to continuous internal network security audits and scanning, we can quickly identify impacted systems and services. Our internal patch management policy is to regularly update the operating systems, frameworks, software, and libraries used in the GanttPRO infrastructure to their latest versions. When a vulnerability is publicly reported, immediate action is taken to reduce any risk to our users: hotfixes and patches are applied as soon as they are available, and proactive mechanisms such as firewall or IDS/IPS configuration are used where needed.
GanttPRO verifies all users with an email and password.
The password is validated against our password policies and stored securely using a strong hashing algorithm (SHA512) with a unique salt for every password. That means nobody (including us) can see or recover your password, because only the salted hash is stored, never the password itself. As an additional password security measure, GanttPRO has built-in brute-force protection (including against distributed attacks).
Before the authentication form is submitted, GanttPRO establishes a secure communication channel, so user credentials are always sent over an encrypted session. The authentication process communicates with the GanttPRO servers over HTTPS on port 443. To access projects or data, users do not need to download or install anything.
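The salted hashing and brute-force protection described above, as an added example that is not GanttPRO’s code (GanttPRO has not published its implementation): a minimal salted SHA-512 password store with constant-time comparison, plus a per-account failure counter. The record format, the threshold of five failures, the 15-minute lockout and the injectable clock are assumptions made for this illustration. Keying the counter on the account rather than on the source address is what lets the throttle hold up against guesses spread across many IP addresses. Current guidance favours a deliberately slow, memory-hard function (scrypt or Argon2) over a single SHA-512 round; the same interface wraps either.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from typing import Optional

# Assumed record format (constructed for this example): "sha512$<salt hex>$<digest hex>"
ALGO = "sha512"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record holding a unique salt and SHA-512(salt || password)."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every password
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{ALGO}${salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare it in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: never authenticate on a parse error
    if algo != ALGO:
        return False
    candidate = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest_hex)


class LoginGuard:
    """Per-account failed-attempt throttle.

    The counter is keyed by account, not by client IP, so spreading guesses over
    many source addresses (a distributed attack) does not reset it.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures        # assumed threshold
        self.lockout_seconds = lockout_seconds  # assumed lockout window
        self.clock = clock                      # injectable so tests can control time
        self._failures = defaultdict(int)       # account -> consecutive failures
        self._locked_until = {}                 # account -> monotonic time the lock ends

    def attempt(self, account: str, password: str, stored: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        now = self.clock()
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return "locked"  # inside the lockout window: the hash is not even checked
            del self._locked_until[account]  # window expired: start fresh
            self._failures[account] = 0
        if verify_password(password, stored):
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
        return "bad_password"


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    for guess in ["a", "b", "c", "correct horse battery staple"]:
        print(guess, "->", guard.attempt("alice", guess, record))
```

Note that the locked branch returns before the hash is recomputed, so a locked account costs the server nothing per guess; the counter resets only on a successful login or once the window has passed.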
Two-factor authentication (2FA)
Two-factor authentication (2FA), also called multi-factor authentication (MFA), is one of the best precautions against cyberattacks. At GanttPRO, we implement the TOTP algorithm, a standard approved by the Internet Engineering Task Force (IETF). It requires two factors to authenticate: your main password and a security code (a one-time password).
Time-based one-time passwords provide additional security because even if a user's traditional password is stolen or compromised, an attacker cannot gain access without the TOTP, which expires quickly.
Two-factor authentication is currently available for all GanttPRO plans. To obtain the one-time password, you need a TOTP-compatible mobile app installed on your phone. We suggest the most trusted apps, such as Google Authenticator, Microsoft Authenticator, Authy, or Duo, but you can use any other app of your choice.
Single sign-on (SSO)
SSO is a solution for organization access management to third-party corporate resources and services.
GanttPRO can be configured as one of the service providers (SP) connected to your SSO identity provider (IdP) using SAML. SAML (Security Assertion Markup Language) is an open standard approved by the OASIS consortium.
SAML and SSO are important to any enterprise cybersecurity strategy. Identity management best practices require user accounts to be both limited to only the resources the user needs to do their job and to be audited and managed centrally. By using an SSO solution, you can disable accounts from one system and remove access to all available resources (including GanttPRO) at once, which protects your data from theft.
Team and projects data protection and management in GanttPRO software
GanttPRO has several security layers to keep team and project data fully private and secure. All content created in or imported into GanttPRO is designated as private. Each project and task is cryptographically protected from changes and deletion by users whose team-level or project-level access rights are insufficient.
GanttPRO strives to screen every employee and contractor. Where allowed by law, all candidates are subject to background checks. GanttPRO has a code of ethics, application and security training, and an information security policy. All employees and contractors are bound by them.
All employees must sign a strict NDA to be able to work at GanttPRO.
Employee access to customer data
GanttPRO employees may access customer data for the purpose of incident response. In such cases, GanttPRO account managers or support specialists always request the customer’s personal permission before accessing their GanttPRO data.
Access to the production environment requires establishing a VPN channel with a personal certificate.
Secure coding and testing practices
GanttPRO follows industry-standard programming practices, such as documented development and quality assurance processes, and applies security guidelines to ensure that the application meets security standards.
Secure development lifecycle
GanttPRO periodically reviews code, people, and server infrastructure for security and privacy issues. Additionally, we employ a third party to perform periodic security audits of our application.
In GanttPRO, the development lifecycle security is our priority. For this, on a regular basis we:
- Define security policies and requirements.
- Apply security best practices in every stage of the project development lifecycle.
- Review the security of architecture.
- Review source code for security quality, weaknesses, and vulnerability.
- Manually assess and dynamically scan the pre-production environment.
- Conduct security training for our development team.
Physical office environment
We implement several physical security measures.
A staffed front office and programmable door control access mediate entrance to GanttPRO offices. Surveillance cameras monitor the building 24/7. To access the office network remotely, a secure VPN is needed.
GanttPRO releases large updates every 2-3 months. We also deploy bug fixes and small functionality improvements every 1-2 weeks. All our updates, small and large, are thoroughly tested by our professional QA team.
We are committed to securing and honoring privacy rights. We have set up a thorough privacy compliance program. Our practices are aligned with regulations such as the General Data Protection Regulation (GDPR).
Terms of service
Please refer to the GanttPRO Terms of Service to get more details about how we deliver the service.
Additional security information by request
Unfortunately, we cannot disclose all the details and techniques for security reasons. If you have any additional questions about GanttPRO security, please contact us at [email protected]
GanttPRO customers can report vulnerabilities at [email protected]. You need to get our permission before disclosing an issue publicly. We’ll only consider your public disclosure request after we’ve fixed the reported vulnerability.
Update: October, 2020