Security Measures and Practices

Company

GanttPRO (https://ganttpro.com) is a service offered by DPM Solutions Sp. z o.o., with its registered office in Krakow, Poland.

At GanttPRO, safeguarding our clients’ data and providing a secure environment is our foremost priority. We continuously enhance our platform’s performance and refine the overall user experience while adhering to stringent security standards.

By implementing modern protective measures and maintaining a proactive approach to data security, we ensure the confidentiality of both personal and business information entrusted to us.

Security audit and certificates

ISO 27001 certified

DPM Solutions Sp. z o.o. has achieved the ISO/IEC 27001:2022 certification, issued by an accredited certification body. This globally recognized standard for Information Security Management Systems (ISMS) confirms our dedication to implementing rigorous processes for safeguarding data and managing risks.

The ISO/IEC 27001:2022 standard emphasizes the importance of structured internal processes, comprehensive risk management, and the consistent application of controls to protect data confidentiality, integrity, and availability. It ensures that all aspects of data handling are continuously managed and improved in line with global best practices.

PCI-DSS compliance

Our order process is conducted by our trusted online reseller, PayProGlobal.com (PayPro Global), which serves as the Merchant of Record for all of our orders. PayPro Global complies with the Level 1 Payment Card Industry Data Security Standard (PCI-DSS) requirements.

PCI-DSS Level 1 is the most stringent compliance level for payment processing. As our Merchant of Record, PayPro Global, not GanttPRO, handles and stores your payment card data, providing a seamless and safe transaction experience.

Microsoft Azure compliance offerings

GanttPRO runs on Microsoft Azure, one of the world’s most stable and secure cloud infrastructures. Microsoft is committed to the highest levels of trust, transparency, and standards conformance.

Microsoft Azure offers a comprehensive set of compliance offerings to help GanttPRO comply with national, regional, and industry-specific requirements governing the collection and use of data.

Microsoft Azure offers over 100 compliance certifications, including more than 50 specific to global regions and countries such as the United States, the European Union, Germany, Japan, the United Kingdom, India, and China. Additionally, Azure provides over 35 compliance offerings tailored to the needs of key industries, including healthcare, government, finance, education, manufacturing, and media.

Network and system security

World-class cloud platform

Microsoft Azure provides multi-layered security across physical data centers, infrastructure, and operations, staffed by dedicated security teams. Our servers are hosted within the EU region. Azure data centers use controlled access and 24/7 surveillance so that only authorized personnel can enter the facilities, and the infrastructure is built for resilience against a range of physical and operational risks. Azure’s continuous monitoring and threat detection help identify and mitigate risks promptly, maintaining a secure and stable environment for GanttPRO users.

Encryption for Data In Motion, At Rest and In Use

GanttPRO implements comprehensive encryption measures to protect data at all stages:

  • Data in Motion: All traffic between users and GanttPRO servers is encrypted with HTTPS (TLS), which prevents eavesdropping on and tampering with data in transit.
  • Data at Rest: Sensitive data stored within GanttPRO is encrypted to safeguard it from unauthorized access. The database as a whole is not encrypted, to preserve access speed; instead it sits inside a private network, and connections to it are protected with TLS (still commonly referred to as SSL), so the data is never readable on the wire.
  • Data in Use: During processing, GanttPRO relies on Azure’s secure infrastructure to maintain data integrity and confidentiality, so that data remains protected throughout its lifecycle.

These measures collectively ensure that GanttPRO provides a secure environment for managing your projects and data.

Cloudflare Protection

GanttPRO benefits from Cloudflare’s robust security measures, providing an additional layer of protection against DDoS (Distributed Denial of Service) attacks. Cloudflare’s global network is designed to detect and mitigate DDoS attacks in real-time, ensuring uninterrupted service and protecting against traffic spikes intended to disrupt the platform. This proactive defense mechanism helps maintain high availability and reliability, ensuring that GanttPRO users experience consistent and secure access to their data and tools. Additionally, Cloudflare’s web application firewall (WAF) and threat intelligence work together to block potential threats and unauthorized access attempts.

Server infrastructure and VPN

As an additional security layer, we have built our own dedicated virtual private network (VPN) inside the Microsoft Azure cloud. Traffic between GanttPRO servers travels over this encrypted network rather than in the clear, so it is cryptographically protected against interception by other tenants or any other third party sharing the underlying infrastructure.

Application architecture

The web-based GanttPRO software is designed as a multi-tiered system, segmented into logical layers: front-end, mid-tier, and database. Each tier is isolated from the others, so a compromise of one layer does not automatically grant access to the rest. This strict separation limits the blast radius of an incident, minimizes the risk of cross-layer vulnerabilities, and improves the overall stability and safety of the platform.

Isolated environments

The network segments in GanttPRO are logically separated to maintain strict isolation between Production, QA, Development and other environments. This ensures that changes or activities in the QA or Development segments do not impact the Production environment, enhancing security and stability. Such separation minimizes the risk of data exposure, unauthorized access, and potential disruptions, ensuring that the production environment remains secure and fully protected.

Network security

To prevent your information from being read or changed in transit, all internal and external requests to GanttPRO are transmitted over TLS (HTTPS), which provides both confidentiality and integrity protection.

GanttPRO follows application security best practices and mitigates common attack vectors such as cross-site scripting (XSS), SQL injection (SQLi), local file inclusion (LFI), DDoS, brute-force attacks, and man-in-the-middle (MitM) attacks.

We run automated security testing on a continuous basis, and we engage a third party for penetration testing.

Content Security Policy (CSP)

At GanttPRO, we use Content Security Policy (CSP) as an important security measure to protect your data from web-based threats like cross-site scripting (XSS) and code injection. CSP sets strict rules for what content can be loaded and executed on our platform, ensuring only trusted sources are allowed. This helps prevent unauthorized scripts from running and keeps your data safe from malicious content.

CSP is designed to mitigate several classes of attack. Against cross-site scripting (XSS), it prevents injected scripts from executing on our pages, where they could otherwise steal user data or perform unauthorized actions. Against code injection more broadly, it blocks resources from any source the policy does not trust. Through its frame-ancestors directive, CSP also defends against clickjacking, the technique of embedding a page in a deceptive interface that tricks users into clicking hidden or disguised elements that lead to unauthorized actions.

Our CSP is consistently monitored and updated to align with the best practices and current security standards, reinforcing GanttPRO’s commitment to providing a secure environment for your project management needs.
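The following is an added example, not GanttPRO's own policy or code: it builds a per-response CSP header with a random script nonce and then evaluates, with a simplified version of the browser's matching rules, which loads the policy would allow. The hostnames https://app.ganttpro.com (the page origin) and https://cdn.example (a trusted script host) are assumptions for illustration; the matcher ignores paths, 'strict-dynamic' and the default-port rules of CSP3.

```python
from __future__ import annotations

import secrets
from urllib.parse import urlparse


def new_nonce() -> str:
    # 128 bits of randomness, generated fresh for every response: an attacker
    # who can inject markup into the page still cannot guess the nonce.
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    # Scripts may come only from our own origin, the assumed CDN host
    # https://cdn.example, or carry this response's nonce. object-src 'none'
    # closes the plugin route for injected code, base-uri 'self' stops <base>
    # hijacking of relative URLs, and frame-ancestors 'none' prevents any site
    # from framing us (clickjacking).
    return (
        "default-src 'self'; "
        f"script-src 'self' https://cdn.example 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy string into {directive: [source, ...]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url: str) -> tuple[str, str, int | None]:
    p = urlparse(url)
    return p.scheme, (p.hostname or ""), p.port


def _host_source_matches(source: str, url: str) -> bool:
    """Match a host-source ("https://cdn.example", "*.example.com") or a
    scheme-source ("https:") against a URL. Paths are ignored and an explicit
    port in the source must match exactly (simplified CSP3 rules)."""
    if source.endswith(":"):
        return urlparse(url).scheme == source[:-1]
    ps = urlparse(source if "://" in source else "//" + source)
    pu = urlparse(url)
    if ps.scheme and ps.scheme != pu.scheme:
        return False
    phost, uhost = (ps.hostname or ""), (pu.hostname or "")
    if phost.startswith("*."):
        if not uhost.endswith(phost[1:]):
            return False
    elif phost != uhost:
        return False
    return ps.port is None or ps.port == pu.port


def source_allowed(policy, directive, page_origin, url=None, nonce=None) -> bool:
    """Decide whether a browser enforcing `policy` on a page at `page_origin`
    would load the resource at `url` under `directive`, or, when url is None,
    run an inline script carrying `nonce` (or no nonce at all)."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                       # nothing restricts this directive
    if "'none'" in sources:
        return False
    if url is None:                       # inline script or style
        if nonce is not None:
            return f"'nonce-{nonce}'" in sources
        return "'unsafe-inline'" in sources
    for source in sources:
        if source == "'self'":
            if _origin(url) == _origin(page_origin):
                return True
        elif source.startswith("'"):
            continue                      # keywords never match a URL
        elif _host_source_matches(source, url):
            return True
    return False
```

The point of the nonce is that an injected `<script>` tag, even one pointing at a host that looks plausible, fails the check unless it carries the value minted for that very response; the server must therefore emit a new nonce per response and never reuse one.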

File storage

GanttPRO uses Azure Files geo-redundant storage (GRS) to store users’ documents, images, and other files. Files are stored under encrypted path names with strictly limited access rights, and they are encrypted at rest by the storage service and in transit using SMB 3.0 encryption and HTTPS. For additional safety, GanttPRO scans every file users upload into the system for malware.

Continuous data backup

GanttPRO’s data backup model includes real-time database replication, ensuring that customer data is continuously backed up and accessible on geographically distributed and redundant servers. To maintain fault tolerance, a full backup is performed daily and stored in an encrypted environment that is physically isolated from the primary server. Importantly, all backups created within the EU region remain within the EU, adhering to data sovereignty requirements and ensuring compliance with regional data protection standards.

Access logs

To enhance data access protection, GanttPRO records each external request with the requester’s IP address and other relevant information. For security reasons, these logs are not publicly accessible. Additionally, an analysis layer continuously reviews these logs to detect and predict potential attacks or technical issues. All project-level activities performed by users with appropriate access rights are also logged. This information is available through the “history” feature in the GanttPRO account, allowing users to track changes and maintain transparency within their projects.
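As an added illustration of what such an analysis layer does, and not GanttPRO's own tooling, the example below runs two detections over constructed access-log lines: repeated failed logins from one source address inside a sliding time window, and probing for files that do not exist. The combined log format, the `/api/login` path and the thresholds are assumptions; the page says only that the requester's IP address and related data are recorded.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Combined-log-format line. The format and field set are assumptions for this
# example; the page says only that the requester IP and related data are logged.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None           # malformed line: skip rather than crash the analyzer
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def max_in_window(times: List[datetime], window_s: int) -> int:
    """Largest number of events that fall inside any window_s-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(lines: List[str], login_path: str = "/api/login",
            max_login_failures: int = 5, max_missing_paths: int = 4,
            window_s: int = 300) -> List[Tuple[str, str, int]]:
    """Two detections per source IP: repeated failed logins (HTTP 401 on the
    login path) inside a sliding window, and probing for files that do not
    exist (many distinct 404 paths). Returns (ip, rule, count) triples."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts: List[Tuple[str, str, int]] = []
    for ip, recs in by_ip.items():
        failed = [r["ts"] for r in recs
                  if r["path"] == login_path and r["status"] == 401]
        n = max_in_window(failed, window_s)
        if n >= max_login_failures:
            alerts.append((ip, "login-bruteforce", n))
        missing = {r["path"] for r in recs if r["status"] == 404}
        if len(missing) >= max_missing_paths:
            alerts.append((ip, "path-scan", len(missing)))
    return alerts


# Constructed sample log lines (not real traffic) covering three cases: a
# password-guessing client, a scanner probing for common files, and a
# legitimate user with a single failed login followed by success.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "POST /api/login HTTP/1.1" 401 48 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "POST /api/login HTTP/1.1" 401 48 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "POST /api/login HTTP/1.1" 401 48 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:06 +0000] "POST /api/login HTTP/1.1" 401 48 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:00:09 +0000] "POST /api/login HTTP/1.1" 401 48 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2025:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.2 - - [10/Mar/2025:10:01:01 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.2 - - [10/Mar/2025:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.2 - - [10/Mar/2025:10:01:03 +0000] "GET /.git/config HTTP/1.1" 404 0 "-" "curl/8.0"
192.0.2.10 - - [10/Mar/2025:10:02:00 +0000] "POST /api/login HTTP/1.1" 401 48 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2025:10:02:10 +0000] "POST /api/login HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2025:10:02:11 +0000] "GET /projects/42 HTTP/1.1" 200 5120 "https://app.example/" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, rule, count in analyze(SAMPLE_LOG):
        print(f"ALERT {rule:16} ip={ip} count={count}")
```

The sliding window matters more than the raw count: five failures spread over a month are a forgetful user, five in eight seconds are a tool, and the same function with a narrower window drops the first alert entirely.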

Availability

According to our statistics, GanttPRO currently maintains 99.96% uptime, which corresponds to roughly 3.5 hours of downtime per year. Downtime is limited to scheduled maintenance windows required for significant updates to functionality or system infrastructure, so users experience reliable access to the platform with minimal interruptions.

Monitoring and alerting

GanttPRO is continuously monitored 24/7/365 using a range of internal and external tools to promptly identify and address any issues. External monitoring is conducted through services like Site24x7 and Bugsnag to ensure platform reliability and performance. Additionally, internal scanners and third-party vulnerability assessment services regularly inspect all infrastructure assets for potential vulnerabilities and open ports, reinforcing security and minimizing risks.

Regular updates and patch management

We conduct continuous internal network security audits and scans to quickly identify any impacted systems and services. Operating systems, frameworks, software, and libraries within GanttPRO’s infrastructure are regularly updated to the latest versions as part of our internal patch management policy. In cases where vulnerabilities are publicly reported, immediate actions are taken to protect users, including applying hotfixes and patches as soon as they become available and implementing proactive measures such as configuring firewalls or intrusion detection and prevention systems (IDS/IPS).

Account protection

Authentication

GanttPRO verifies users with an email and password.

Each password is validated against our password policy and stored as a salted hash, using a strong hashing algorithm (SHA-512) with a unique salt for every password. A hash cannot be reversed, so nobody (including us) can see or recover your password from what we store, and the per-password salt means that identical passwords produce different hashes and pre-computed lookup tables are useless. As an additional password security measure, GanttPRO has built-in brute-force protection that also covers distributed attacks spread across many source addresses.
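The block below is an added example, not GanttPRO's code: it implements the scheme the page describes (per-password random salt, SHA-512, a verifier that uses a constant-time comparison) and a login guard that counts recent failures both per account and per source IP, so that a distributed attack on one account from many addresses and credential stuffing from one address against many accounts each trip a limit. The salt-then-password concatenation order, the thresholds and the `algo$salt$digest` storage format are this example's assumptions. One practitioner's caveat: a plain salted SHA-512 is fast to compute, so an attacker who obtains the hashes can test billions of guesses per second on a GPU; a password-dedicated, deliberately slow function such as Argon2id, scrypt, bcrypt or PBKDF2 is the current recommendation and would be a drop-in replacement for the two hashing lines here.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

ALGO = "sha512"
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-512, stored as algo$salt$digest so the salt travels with
    the hash. Salt-then-password order is this example's assumption."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{ALGO}${salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt; compare_digest avoids leaking how many
    leading bytes matched through timing differences."""
    algo, salt_hex, digest = stored.split("$")
    if algo != ALGO:
        return False
    candidate = hashlib.sha512(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


# Hash of a random value, verified against when the account does not exist, so
# unknown and known accounts take the same time to answer (no username enumeration).
DUMMY_HASH = hash_password(os.urandom(16).hex())


class LoginGuard:
    """Recent-failure counters keyed by account AND by source IP. The account
    counter catches a distributed attack (many IPs, one account); the IP
    counter catches credential stuffing (one IP, many accounts). Thresholds
    are illustrative, not GanttPRO's."""

    def __init__(self, per_account: int = 5, per_ip: int = 20, window_s: int = 300):
        self.per_account, self.per_ip, self.window = per_account, per_ip, window_s
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _recent(self, key: str, now: float) -> int:
        q = self.failures[key]
        while q and q[0] <= now - self.window:      # drop entries outside the window
            q.popleft()
        return len(q)

    def is_blocked(self, account: str, ip: str, now: float) -> bool:
        return (self._recent("acct:" + account, now) >= self.per_account
                or self._recent("ip:" + ip, now) >= self.per_ip)

    def record_failure(self, account: str, ip: str, now: float) -> None:
        self.failures["acct:" + account].append(now)
        self.failures["ip:" + ip].append(now)

    def record_success(self, account: str) -> None:
        self.failures.pop("acct:" + account, None)


def attempt_login(users: Dict[str, str], guard: LoginGuard,
                  account: str, password: str, ip: str, now: float) -> str:
    """Returns 'blocked', 'invalid' or 'ok'. The block check runs before any
    hashing so a locked account costs the server nothing, and a wrong password
    and an unknown account give the same answer."""
    if guard.is_blocked(account, ip, now):
        return "blocked"
    stored = users.get(account)
    ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
    if ok and stored is not None:
        guard.record_success(account)
        return "ok"
    guard.record_failure(account, ip, now)
    return "invalid"
```

Note that a blocked attempt is refused even when the password is correct; this is what turns five guesses from five different addresses into a lockout instead of five independent first tries.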

A TLS session is established before the authentication form is submitted, so user credentials only ever travel over an encrypted connection. Authentication communicates with the GanttPRO servers over HTTPS on TCP port 443. Users do not need to download or install anything to access their projects or data.

Two-factor authentication (2FA)

Two-factor authentication (2FA), also called multi-factor authentication (MFA), is one of the most effective precautions against account takeover. GanttPRO implements the TOTP algorithm, a standard of the Internet Engineering Task Force (IETF) published as RFC 6238. It requires two factors to authenticate: your main password and a security code (one-time password).

Time-based one-time passwords provide additional security because even if a user's traditional password is stolen or compromised, an attacker cannot gain access without the TOTP, which expires quickly.

Two-factor authentication is currently available on all GanttPRO plans. To obtain the one-time password you need a TOTP-compatible authenticator app installed on your phone. We suggest widely trusted apps such as Google Authenticator, Microsoft Authenticator, Authy or Duo, but any TOTP app of your choice will work.
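To make the TOTP mechanism concrete, here is an added example (not GanttPRO's implementation) of both sides of it in Python's standard library: the HOTP/TOTP computation from RFC 4226 and RFC 6238, the base32 secret and `otpauth://` URI an authenticator app is enrolled with, and a server-side verifier that tolerates one step of clock skew but refuses to accept any step at or below the last one already used, so a code that was phished or shoulder-surfed cannot be replayed even inside its 30-second window. The secret `12345678901234567890` is the RFC test key; the issuer name and account are placeholders.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' of 31 bits from the digest, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / 30)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // STEP_SECONDS))


def secret_to_base32(secret: bytes) -> str:
    # Authenticator apps take the shared secret as unpadded base32.
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def secret_from_base32(text: str) -> bytes:
    # Accept the grouped, lower-case form users type in; restore padding.
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def provisioning_uri(account: str, issuer: str, secret: bytes) -> str:
    # The otpauth:// URI an app reads from the enrolment QR code.
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_to_base32(secret)}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def verify_totp(secret: bytes, code: str, now: float,
                last_used_step: int, window: int = 1) -> Tuple[bool, int]:
    """Accept the code for the current 30-second step or its `window`
    neighbours (tolerates clock skew), but never for a step at or below the
    last step already accepted, so a stolen code cannot be replayed even
    inside its validity window. Returns (accepted, step to store as last used)."""
    code = code.strip().replace(" ", "")
    if not (code.isdigit() and len(code) == DIGITS):
        return False, last_used_step
    current = int(now // STEP_SECONDS)
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), code):
            return True, step
    return False, last_used_step


if __name__ == "__main__":
    key = b"12345678901234567890"           # RFC 6238 test secret
    print(provisioning_uri("alice@example.com", "GanttPRO", key))
    print("code now:", totp(key))
```

The `last_used_step` value has to be persisted per user alongside the secret; without it, a verifier with a skew window silently accepts the same code twice, which defeats the "one-time" in one-time password.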

Single sign-on (SSO)

SSO lets an organization manage its users’ access to third-party corporate resources and services from a single place.

GanttPRO can be configured as a service provider (SP) connected to your SSO identity provider (IdP) using SAML. SAML (Security Assertion Markup Language) is an open standard maintained by OASIS.

SAML and SSO are important to any enterprise cybersecurity strategy. Identity management best practices require user accounts to be both limited to only the resources the user needs to do their job and to be audited and managed centrally. By using an SSO solution, you can disable accounts from one system and remove access to all available resources (including GanttPRO) at once, which protects your data from theft.

Please contact us at [email protected] to set up GanttPRO integration with the most popular SSO systems (e.g. Okta, OneLogin, Azure AD, GSuite).

Team and projects data protection and management in GanttPRO software

GanttPRO has several security layers to keep team and project data private and secure. All content created in or imported into GanttPRO is private by default. Each project and task is protected from changes and deletion by users who lack sufficient team-level or project-level access rights.

To further enhance data protection, GanttPRO implements role-based access control (RBAC) within accounts. Different roles and permission levels are assigned to users, ensuring that only authorized individuals can manage specific data. These roles range from administrators, who have full control over projects and account settings, to members and viewers, who have limited or read-only access. This granular control helps maintain data integrity and ensures that sensitive information is only accessible to those with the appropriate clearance.

Organizational security

Personnel security

GanttPRO strives to screen every employee and contractor. Where permitted by law, all candidates are subject to background checks. GanttPRO maintains a code of ethics, application security training, and an information security policy, and all employees and contractors are bound by them.

Strict NDA

All employees must sign a strict NDA to work on GanttPRO, ensuring the confidentiality of all platform-related and user data.

Employee access to customer data

GanttPRO employees may access customer data for the purpose of incident response. In such cases, GanttPRO account managers or support specialists always ask the customer for explicit permission before accessing their GanttPRO data.

Access to the production environment requires establishing a VPN channel with a personal certificate.

Secure coding and testing practices

GanttPRO follows industry-standard programming techniques, maintaining documented development and quality assurance processes. Security guidelines are strictly adhered to, ensuring that the application meets established security standards. These practices help to identify and mitigate vulnerabilities early in the development cycle, providing a secure and reliable experience for users.

Secure development lifecycle

GanttPRO periodically reviews code, people, and server infrastructure for security and privacy issues. Additionally, we employ a third party to perform periodic security audits of our application.

In GanttPRO, the development lifecycle security is our priority. For this, on a regular basis we:

  • Define security policies and requirements.
  • Apply security best practices in every stage of the project development lifecycle.
  • Review the security of architecture.
  • Review source code for security quality, weaknesses, and vulnerabilities.
  • Manually assess and dynamically scan the pre-production environment.
  • Conduct security training for our development team.

Physical office environment

We apply several physical security measures. A staffed front office and programmable door access control mediate entry to the office, and surveillance cameras monitor the building 24/7.

Releases lifecycle

GanttPRO ships large updates every 2-3 months and deploys bug fixes and small functionality improvements every 1-2 weeks. All updates, small and large, are thoroughly tested by our QA team before release.

More

Terms of service

Please refer to the Terms of Use to get more details about how we deliver the service.

Privacy policy

Please refer to the Privacy Policy to get more details about how GanttPRO collects, uses, controls, and shares personal information on the website.

GDPR

We are committed to upholding and safeguarding the privacy rights of individuals in accordance with applicable data protection regulations, including the General Data Protection Regulation (GDPR). To ensure compliance, we have implemented a robust privacy compliance framework that governs the collection, processing, storage, and sharing of personal data.

As part of GDPR compliance efforts, we provide a Data Processing Addendum (DPA), which forms an integral part of contractual agreements with customers and partners. The DPA outlines the terms and conditions under which personal data is processed on behalf of our clients.

Feature requests

We actively gather feedback from all our users, and conduct in-depth analysis to identify common patterns and needs (including security requirements). If the requested features align with the product’s development roadmap and contribute to expanding or enhancing existing functionality, we prioritize their implementation to ensure they deliver value to all users.

Additional security information by request

We cannot disclose every detail and technique for security reasons. If you have any additional questions about GanttPRO security, please contact us at [email protected].

Vulnerability disclosure

GanttPRO customers can report a vulnerability at [email protected]. Please obtain our permission before disclosing an issue publicly; we will consider a public disclosure request only after the reported vulnerability has been fixed.