Security & Compliance

Last updated May 20, 2025.

Propel3 runs on infrastructure and practices designed to protect your business. That means secure systems, access controls, data safeguards, and continuous monitoring—all backed by the standards you’d expect from an enterprise-grade platform.

Whether you’re capturing leads, managing customers, or building automated campaigns, your data stays protected. This page outlines how.

1. Overview

Propel3 is a software-with-a-service platform built by marketers for small businesses. We’ve built Propel3 to work out of the box—backed by expert support, prebuilt marketing systems, and ongoing updates that respond to real-world business needs. Our platform supports AI-powered tools, drag-and-drop builders, workflow automation, and omnichannel engagement across email, SMS, forms, and chat. We offer full system setups, ongoing managed services, and access to tools businesses can relabel as their own.

Security is foundational to every part of Propel3. From infrastructure to user access to disaster recovery, we operate on clear controls, verified protocols, and continuous monitoring. This page outlines how we protect your data, support compliance, and maintain platform resilience—so you can operate with confidence.

2. Security and Risk Focus

The primary goal of our security program is to safeguard customer data. Propel3 has invested in dedicated programs to protect the platform at the infrastructure, application, and organizational levels. These programs are built and maintained by teams across engineering, product, and legal, with defined ownership over risk management, incident response, and compliance practices.

Our platform is hosted entirely in the cloud. We rely on trusted infrastructure providers—Google Cloud Platform and Amazon Web Services—for physical, environmental, and datacenter security. From there, we layer in our own technical and administrative controls to secure every element of how the platform runs.

3. Our Security and Compliance Objectives

Our security framework is based on established best practices in the SaaS industry.

Our core objectives:

Customer Trust and Protection

Protect the confidentiality, privacy, and integrity of customer data—at all times.

Availability and Continuity of Service

Ensure that the Propel3 platform remains available, reliable, and resilient against failure.

Information and Service Integrity

Ensure data is accurate, uncorrupted, and handled appropriately throughout the system.

Compliance with Standards

Align our security controls with globally recognized compliance frameworks and continuously improve over time.

4. Security Controls

We use multiple layers of administrative, technical, and physical safeguards to protect our systems and your data. The following sections detail how we manage infrastructure, monitor for threats, secure applications, handle backups, enforce access control, and meet privacy expectations.

4.1 Infrastructure Security

Cloud Hosting

Propel3 does not run product systems or store customer data in any physical office or owned datacenter. All hosting is handled through leading cloud providers—primarily Google Cloud Platform and Amazon Web Services. Our infrastructure is hosted in the United States. We rely on Google and AWS’s independently audited programs for physical security, access control, and environmental safeguards. Both platforms provide detailed compliance documentation, including SOC 2 Type II reports, ISO 27001 certifications, and uptime guarantees. Google offers 99.5% or higher availability; AWS guarantees up to 100% uptime on core services. You can review their respective controls here:

Google Cloud Compliance Resource Center

AWS Compliance Programs

Network and Perimeter Defense

All Propel3 infrastructure is protected by multiple layers of network security. These include firewall rules, security groups, and access control lists that restrict traffic to only authorized services. Firewalls default to block all connections unless explicitly allowed, and rulesets are regularly reviewed under formal change control. External requests are inspected for threat signatures and behavioral anomalies before reaching the application layer. Configuration changes are reviewed and applied through standard workflows to ensure consistency and auditability.

Configuration Management

We use automation to manage infrastructure scale, configuration, and resilience. Every component of the platform is deployed from hardened base images, and container environments are initialized with locked configuration files. Any configuration drift from the expected state is automatically reverted within 30 minutes. Patch management is handled through automation, and non-compliant containers are destroyed and replaced with approved instances. All changes to infrastructure follow a controlled release process and are logged.

Logging and Monitoring

Every action within the Propel3 platform is logged to a centralized and secure log store. Logs include platform events, access attempts, API requests, system errors, and administrative actions. These logs are stored in-region and protected from unauthorized write access. Security-related logs are retained based on data type and relevance. Write access to log storage is restricted to essential personnel. Our engineering team uses these logs to investigate incidents, respond to alerts, and monitor system health.

Alerting and Response

Propel3 uses a layered monitoring system that continuously watches for anomalies across the platform. These include high error rates, abuse patterns, unauthorized access attempts, and other indicators of system misuse or compromise. When an anomaly is detected, alerts are routed to the appropriate team. Many issues are automatically mitigated—through rate limiting, process throttling, or rollback actions—without human intervention. Teams are notified of relevant incidents through an internal alerting system with escalation paths defined by impact level.

4.2 Application Security

Web Application Defenses

All content hosted within the Propel3 platform is protected by both network-level firewalls and application-layer defenses. Our system continuously monitors for abnormal behavior at the session and request levels. Traffic is evaluated against rule sets derived from OWASP Top 10 standards and other industry guidance to block malicious payloads and intrusion attempts. The platform includes built-in protection against Distributed Denial of Service (DDoS) attacks, ensuring that hosted websites, forms, and other assets remain responsive during high-volume or hostile traffic events.

Development and Release Management

Propel3 uses a modern continuous delivery pipeline for software deployment. Code is reviewed, tested, and approved before it is merged or promoted. Static analysis is run routinely against code repositories to prevent common vulnerabilities and misconfigurations from reaching production. All code changes pass through a dedicated QA environment with strict network segmentation. Production access is limited and isolated. If a release introduces instability, our deployment process supports instant rollback to the last known-good version. Feature rollouts are gated through internal controls—private betas, staged rollouts, and full releases are managed via traffic flagging and user controls. Major changes are communicated through in-app notifications and platform updates. Because Propel3 is delivered as a SaaS application, updates happen in real time without customer-managed downtime.

Vulnerability Management

We take a multi-layered approach to vulnerability management. Regular scans are run against infrastructure and applications using updated detection signatures and threat feeds. New and existing assets are automatically added to inclusion lists for coverage. Annual penetration testing is conducted by independent firms to validate the security of our environment. Findings are assessed, triaged based on risk, and resolved under defined remediation timelines. High-priority risks are escalated immediately to the engineering team for action.

5. Customer Data Protection

5.1 Data Classification

As defined in our Terms of Service, customers are responsible for collecting only the data required to run their business functions within Propel3. The platform is not intended to be used for storing sensitive personal information such as credit card numbers, banking credentials, Social Insurance Numbers, passport details, or health-related records unless otherwise permitted.

5.2 Tenant Separation

Propel3 is a multi-tenant SaaS platform. All customer data is logically separated using unique identifiers that bind records to specific accounts. Each account operates in isolation with independent access controls. Internal processes regularly validate tenant separation rules to ensure that data remains compartmentalized.

Authentication and session activities are logged. Changes to user roles, access, or data records are recorded and monitored as part of our audit procedures.

5.3 Encryption

All data is encrypted in transit using Transport Layer Security (TLS) v1.2 or higher with 2048-bit keys or better. This applies across web interfaces, APIs, and hosted customer assets. Transport encryption is enforced by default and cannot be disabled. Data at rest is encrypted using AES-256. Passwords are hashed and encrypted in line with current best practices. Sensitive platform keys are stored and managed through hardened Key Management Systems (KMS), which handle key creation, rotation, and destruction automatically. TLS certificates are renewed annually. At this time, Propel3 does not support customer-supplied encryption keys.

5.4 Key Management

Encryption keys used for both data in transit and at rest are managed by the Propel3 platform. TLS private keys are issued and rotated through our content delivery provider. At-rest volume and field-level encryption keys are maintained in a secured KMS with tight access control. Rotation schedules vary based on the data class and function. We do not expose encryption key material to customers or allow external key management integration at this time.

6. Backup and Disaster Recovery

6.1 System Reliability

All services in the Propel3 platform are built with failover and redundancy in mind. Infrastructure is distributed across multiple availability zones and virtual private cloud environments. Web, application, and database components are deployed with snapshot and point-in-time recovery mechanisms enabled.

6.2 Backup Strategy

Databases are backed up on a rolling schedule and stored regionally with 7 days of recovery points available. Backups are monitored for successful completion. Any failures trigger alerts, which are escalated for investigation and resolution. Daily backups are standard, and backup health is actively monitored through internal alerting. If replication or execution fails, our engineering team is notified automatically.

6.3 Backup Storage

As a cloud-native platform, Propel3 does not operate or maintain physical storage infrastructure. We do not store product data on hard drives, tapes, or physical media. All backups exist within secure, cloud-based environments and are protected using access controls and WORM (Write Once, Read Many) protections.

6.4 Customer Backup and Recovery Options

Customers cannot trigger platform-level failover or directly access backend systems. However, Propel3 provides self-service recovery tools for specific asset types. The recycle bin allows users to restore contacts, notes, tasks, and similar records for up to 30 days after deletion. Page builders and email tools support rollback via version history. Customers can also export data manually through the UI or use our API to sync key data to external systems. For accounts requiring additional backup, these tools provide flexibility without introducing unnecessary complexity.

7. Identity and Access Control

7.1 User Permissions

Every Propel3 account supports customizable user roles and permissions. Administrators define who can view, edit, or delete content across CRM records, campaigns, automations, and more. Permissions are enforced in real time and updated immediately when changed.

7.2 Login Protections

All users authenticate using Propel3’s built-in login system, which enforces password complexity (minimum 8 characters, mixed case, symbols, numbers). This policy is fixed and cannot be overridden by users. Two-factor authentication (2FA) is available and can be enforced across the organization by account administrators. 2FA uses either time-based one-time passwords (TOTP) or mobile-based verification to confirm login attempts.

7.3 Employee Access to Customer Data

Access to internal tools, infrastructure, and production systems is strictly controlled. Only authorized engineers with a defined operational need may access production environments, and all access is provisioned using role-based access controls (RBAC). Access to customer portals is time-limited and logged. Propel3 uses a Just-In-Time Access (JITA) model where support staff may request limited access for troubleshooting purposes. These sessions expire after a maximum of 24 hours and are monitored for unusual activity. High-risk actions such as domain changes, user exports, and API key edits are blocked during JITA sessions. All logins—by customers and staff—are recorded and auditable. Content activity, data changes, and administrative actions are logged and reviewed under our internal monitoring protocols.

8. Organizational and Corporate Security

8.1 Background Checks and Onboarding

All Propel3 employees undergo a background check through a third-party service before receiving a formal offer. Reference checks are conducted at the discretion of the hiring team. Upon joining, employees must read and acknowledge the Propel3 Employee Handbook and Code of Conduct, which outline each team member’s responsibilities regarding data protection and system security.

8.2 Policy Management

Security policies at Propel3 are documented, maintained, and reviewed annually. These policies cover topics including acceptable use, incident response, access control, data classification, privacy requirements, and disciplinary actions for violations. Our core Written Information Security Policy (WISP) guides the procedures followed across departments and is updated to reflect changes in regulatory, operational, or risk conditions.

8.4 Security Awareness Training

All new hires are required to complete security awareness training during onboarding. Training includes safe data handling, secure system usage, phishing recognition, and breach response. Ongoing training is delivered annually to all team members. This ensures that everyone—not just engineers—stays current on threat models and responsibilities.

8.5 Vendor Management

Propel3 partners with third-party vendors to support software development, analytics, hosting, and other platform functions. All sub-processors are evaluated for their security posture and compliance practices prior to onboarding. We maintain a current list of approved sub-processors in our Data Processing Agreement, which is updated as our vendor ecosystem evolves. Our vendor contracts require appropriate safeguards for personal and customer data, and we only share information necessary to fulfill their role.

8.6 Endpoint Protection

All company-issued laptops are managed centrally through Mobile Device Management (MDM). Devices are configured to require full disk encryption, password protection, and remote-wipe capabilities. MDM ensures compliance with company policies and gives administrators visibility into device status, installed applications, and access logs. Unauthorized software installations and insecure configurations are blocked by default.

9. Jurisdiction-Specific Notices

9.1 Sensitive Data Storage

Propel3 is not a PCI-DSS certified platform and does not store, transmit, or process payment card data. All billing transactions are handled by third-party processors who maintain their own PCI compliance. Customers who accept payments through forms, calendars, or ecommerce features are doing so via integrated third-party gateways, not via Propel3 itself.

If you use Stripe, PayPal, or another provider within your system, data is routed securely to them and never retained by Propel3.

9.2 Privacy Protections

Propel3 is not a PCI-DSS certified platform and does not store, transmit, or process payment card data. All billing transactions are handled by third-party processors who maintain their own PCI compliance. Customers who accept payments through forms, calendars, or ecommerce features are doing so via integrated third-party gateways, not via Propel3 itself.

9.3 Data Retention and Deletion

Propel3 retains customer data for the duration of an active account. Former customers may request data deletion in writing, and Propel3 will remove the appropriate records in accordance with legal, contractual, and security requirements.

We may retain certain system logs or metadata to address audit requirements, fraud detection, dispute resolution, and platform integrity—even after an account is closed. At this time, Propel3 does not offer custom data retention configurations on a per-account basis.

9.4 Privacy Program Oversight

Our Legal team works closely with product and engineering to ensure that our data handling practices align with modern privacy expectations. From feature design to third-party integration, privacy reviews are built into our product lifecycle. Our privacy approach is documented in the Data Processing Agreement and is updated in accordance with new legal standards or platform changes.

9.5 Breach Response

If Propel3 becomes aware of a breach that affects your personal data, we’ll notify you as required by applicable law. Our breach response process includes incident triage, internal escalation, containment, root cause analysis, customer notification, and remediation.

9.6 GDPR

Propel3 supports features that help customers meet their GDPR responsibilities. These include tools for consent tracking, data export, record deletion, and role-based access. However, using Propel3 does not in itself make you GDPR compliant. Your own implementation, data practices, and policies will determine whether your business meets the standard.

For more information, see our GDPR Overview.

10. Document Scope and Legal Disclaimer

This document is provided for informational purposes only. It does not create legal obligations or contractual rights beyond what is covered in the Propel3 Terms of Service, Privacy Policy, or individual customer agreements.

Security controls and compliance practices are reviewed and updated regularly. As such, some procedures may change as part of our ongoing platform development. Please refer to the latest version of this document for current practices.

11. How to Contact Us

If you have questions about this document or any aspect of Propel3’s security and compliance program, reach out to: legal@propel3.com.

We’re happy to provide additional documentation for customers with specific legal, procurement, or compliance requirements.

12. Changes to This Overview

We may update this Security and Compliance Overview at any time. We encourage you to review it periodically. Changes take effect once posted.
