At Salsify, we know that your content, product information, and personal data relating to your customers are among your organization's most valuable assets. We are committed to protecting your data and the investment you have made in our technology and infrastructure. Here are some of the key security practices and compliance measures we employ that we can share publicly.
Salsify has achieved SOC 2 Type II compliance for its ProductXM and SupplierXM platforms. Salsify certifies its systems annually to AICPA SOC 2 Type II, auditing the operational and security processes of our service and our company. You can request a copy of our SOC 2 Type II report through your Salsify sales or customer success contact.
The Information Security System that manages the controls around our ProductXM and SupplierXM platforms is based on ISO 27001:2013. This certification demonstrates our expertise in securely managing information technology systems.
People can be an organization's greatest asset but also its greatest security risk. We work hard to make sure that everyone in our organization goes through annual security awareness training, and new hires are trained as well.
Our business continuity plans and physical security safeguards help ensure that people know what to do during a non-system event.
Our office is secured by security keycode access and other security protection methods. Employees have individual key cards to access our floor.
We conduct thorough background checks on all of our employees prior to employment, including criminal and personal reference checks.
Off-boarding procedures are in place so that access is terminated when someone leaves the organization.
Salsify maintains standard security policies and processes. The policies, standards, and procedures are reviewed at least annually and updated as necessary. Our security framework is based on the NIST 800-series recommendations.
Salsify arranges for rigorous third-party security assessments to be conducted at least once per year, including network and application vulnerability assessments, penetration testing, and auditing of application security framework controls. A letter of attestation for the test can be furnished upon customer request.
We have formal, management-approved Incident Response and Security Incident Response plans. The Incident Response Plan defines the roles and responsibilities of the Incident Commander and supporting roles, the response process (including customer notification), and a postmortem process to capture remediation actions. The Security Incident Response Plan defines the roles and responsibilities of the security incident response team (SIRT) and the steps of the response plan.
Salsify uses an agile development process with Continuous Integration (CI). Our CI pipeline includes separate development, staging, and production environments. This separation allows access controls to be applied per environment.
Security is built into each step of our process. Data handling, code deployment, configuration, and patch management each follow security best practices outlined in our security policies and SDLC.
Our SDLC requires code review and approval for all changes, as well as a green build on all automated tests in our CI environment before deployment. All developed code is reviewed manually and automatically tested for potential security vulnerabilities. We strive to follow OWASP (Open Web Application Security Project) best practices.
Identified and confirmed security vulnerabilities go through an impact and risk assessment. Patches or other means of remediation are first deployed in a development environment, tested in staging, and then sent into production.
In addition, automated application penetration tests are run internally on a regular basis.
Salsify follows the principle of "least privilege". Our practice is to issue credentials only to the individuals and systems that absolutely need access to a system or resource. Access can only be granted by a member of our Operations team and is tracked for auditing purposes. Administrators can revoke access at any time, which supports our off-boarding process.
Salsify hosts all services on resilient and elastically scalable infrastructure, using a fault tolerant application architecture. This ensures high availability and consistent application performance, as described in our Terms of Service.
Our cloud service providers adhere to industry standard compliance, certifying in ISO 27001, SOC 2 or similar. We obtain and review these reports on an annual basis to confirm compliance.
All SSL certificates are issued and renewed with a 2048-bit key length and SHA-256 signatures.
Our keys are encrypted and stored using a key management service.
Disaster Recovery
Our infrastructure architecture supports a recoverable process. Automated data backups, documented recovery procedures, and annual testing ensure that we have everything in place in the event of a disaster.
Salsify has a defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for our service.
Authentication & Authorization
Salsify uses a cloud service provider solution that requires multi-factor authentication to access environments. User-defined groups and roles follow our "least privilege" concept.
Remote access to infrastructure is restricted to only authorized users and is accessible only through our VPN.
Log monitoring is in place and we retain audit logs in accordance with our retention policy. Any suspicious activity or unauthorized access triggers alerting to our operations staff. The security team is engaged, as necessary, per our Incident Response plan.
Passwords are rotated on a regular cadence for staff that supports our infrastructure.
Customer Data
We host customer data in a multi-tenant environment. Data segregation is enforced at the application level, per customer. This prevents customer data from being exposed to unauthorized users at other organizations.
All traffic is encrypted with a minimum of TLS 1.2. Salsify implements current encryption algorithms, and we test and upgrade to newer and more secure standards as they become available. We currently use 256-bit AES encryption, including the key management service offered by our cloud service provider.
Data is also encrypted at rest including our system and database backups.
Access to customer data is only provided to authorized personnel.
We support SAML 2.0 based Single Sign-On (SSO) integrations with many of the large identity providers, such as Okta, OneLogin, ADFS, and Google. This allows for simplicity and a better user experience, as a user needs only one set of login credentials.
Logins are performed only over HTTPS, and each user session requires an authentication token.
Authorization
Customers assign administrators in their organization to the Salsify product. These administrators set up user groups for their organization, usually based on the function of the group (e.g., Marketing Team). Permissions are defined at the user group level, and individuals are assigned to the appropriate group(s).
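The group-based authorization model described above (permissions attached to groups, users assigned to groups), together with the least-privilege and off-boarding points made earlier on this page, can be illustrated with a small worked example. The following is an added example written for this page, not Salsify's own code or API; the permission names, group names, user names and the `Directory` class are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample permission vocabulary (assumption: not Salsify's real permission names).
PRODUCTS_READ = "products:read"
PRODUCTS_WRITE = "products:write"
USERS_ADMIN = "users:admin"


@dataclass
class Directory:
    """Group-level authorization: permissions attach to groups, users attach to groups.

    A user's effective permissions are the union of their groups' permissions, and
    a user with no group membership has no permissions at all (deny by default).
    """

    group_permissions: dict[str, set[str]] = field(default_factory=dict)
    user_groups: dict[str, set[str]] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)  # who granted/revoked what

    def define_group(self, group: str, permissions: set[str]) -> None:
        # Permissions live on the group, so changing them here changes every member.
        self.group_permissions[group] = set(permissions)
        self.audit_log.append(f"define_group {group} {sorted(permissions)}")

    def assign(self, user: str, group: str, by: str) -> None:
        # Only an existing group can be assigned; every grant is recorded for auditing.
        if group not in self.group_permissions:
            raise KeyError(f"unknown group {group!r}")
        self.user_groups.setdefault(user, set()).add(group)
        self.audit_log.append(f"assign {user} -> {group} by {by}")

    def effective_permissions(self, user: str) -> set[str]:
        perms: set[str] = set()
        for group in self.user_groups.get(user, ()):
            perms |= self.group_permissions.get(group, set())
        return perms

    def is_allowed(self, user: str, permission: str) -> bool:
        return permission in self.effective_permissions(user)

    def offboard(self, user: str, by: str) -> set[str]:
        # Removing every group membership terminates all access in one step.
        removed = self.user_groups.pop(user, set())
        self.audit_log.append(f"offboard {user} removed={sorted(removed)} by {by}")
        return removed


def build_sample_directory() -> Directory:
    """Constructed sample organization: three function-based groups, three users."""
    d = Directory()
    d.define_group("Marketing Team", {PRODUCTS_READ, PRODUCTS_WRITE})
    d.define_group("Viewers", {PRODUCTS_READ})
    d.define_group("Org Admins", {USERS_ADMIN, PRODUCTS_READ})
    d.assign("alice", "Marketing Team", by="org-admin")
    d.assign("bob", "Viewers", by="org-admin")
    d.assign("carol", "Org Admins", by="org-admin")
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, sorted(d.effective_permissions(user)))
    d.offboard("alice", by="org-admin")
    print("alice after off-boarding:", sorted(d.effective_permissions("alice")))
    print("\n".join(d.audit_log))
```

Two properties are worth noticing: an unknown or off-boarded user resolves to an empty permission set rather than raising, so the default is deny; and because permissions are stored on the group, tightening or widening a group's permissions takes effect for every member without touching individual user records.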
Logging
Application logging occurs using a combination of service providers. Logs are used for troubleshooting, issue resolution, and forensic analysis by our development and security teams.
We retain the logs in accordance with our retention policy.
If you need to report a security concern, please email security@salsify.com.
If you would like to report a security-related bug or configuration issue, please review our Responsible Disclosure Guidelines prior to submitting your report.
For privacy questions or concerns, please refer to our privacy policy.
Salsify's IAM system provides a strong foundation for GDPR compliance and can help reduce your risk. You can learn more and download Salsify's GDPR-compliant DPA via the linked page.
As of January 1, 2020, Salsify updated its privacy policy and necessary internal procedures to comply with CCPA.