PatronManager Security Overview

Supports Bluefin (U.S. & Canada) and Stripe (other geographies) for payment processing.
Compliant with PCI-DSS 3.2.1.
PCI Attestation of Compliance (AOC) is available upon request.
Architected to be out of PCI-DSS scope (PatronManager never transmits, stores, nor processes PCI data (credit card numbers)).
- eCommerce (online) transactions are tokenized or encrypted in the cardholder’s web browser and raw card numbers never reach PatronManager.
- Card-present or MOTO (mail order, telephone order) transactions are accepted via an SRED payment terminal that encrypts the cardholder data before it leaves the terminal.
- Use of Bluefin’s PCI-validated P2PE solution places the lowest burden of compliance on the merchant.

We have full time staff focused on privacy and security.
We participate in and comply with the EU-U.S. Privacy Shield Framework. You can find out more about our commitment to the EU-U.S. Privacy Shield Framework in our EU-US Privacy Shield Notice.
PatronManager processes user personal data in accordance to GDPR’s data protection principles and has appointed a Data Protection Officer to oversee our GDPR compliance.
You can find our privacy policy at: https://patronmanager.com/privacy/.

All data belongs to you.
Data can be exported from PatronManager using documented Salesforce methods:
- Organization Export
- REST API
- Bulk API

PatronManager is built entirely upon the Salesforce Platform. Salesforce carries many certifications.
Salesforce operates a distributed and redundant platform with a 24/7 NOC.

All software engineers receive software security training that covers security best practices including covering OWASP Top Ten as well as Mobile Security best practices.
PatronManager uses static code analysis tools to analyze code for security vulnerabilities.
All source code is developed in accordance with a standard SDLC process that includes
- Security code review before being shipped to production.
- Running through a continuous integration test suite.
- Manual QA testing.

All web traffic is encrypted by TLS 1.2 or greater.
PatronManager follows NIST recommendations for hashing, symmetric and asymmetric encryption.

All staff regularly receives security training by trained professionals and must pass security quizzes testing their security awareness.
All staff regularly receive simulated phishing tests.
All staff must sign off on security and acceptable use policies and procedures.

If you discover a vulnerability, PatronManager requests that you responsibly disclose the vulnerability to our security team by taking the following steps.
- Do not attempt to exploit the vulnerability
- Email our Security Incident Response Team at security@patrontechnology.com
- If the contents of the vulnerability are sensitive in nature, please use our PGP key, below