We extend trust through our service infrastructure and platform, with particular focus on security, compliance and availability.
Sequoia takes security seriously and will continue to invest heavily in this area.
Sequoia undergoes annual third-party assessment of its control framework.
Click below to see current availability and performance status of Sequoia systems.
Click below to see recommendations and reminders for secure system access.
Sequoia has invested heavily in security infrastructure and staffing over its 21-year history. Examples of components of our security program are below:
Sequoia has appointed a Chief Information Security Officer (CISO) to lead the Security & IT function and develop policies and procedures to monitor and manage risks. Our cybersecurity program is also supported by operations, product, engineering and legal.
Sequoia’s Acceptable Use Policy (AUP) applies to Sequoia team members regarding the use and/or access of company information systems and data. The AUP includes guidance on information security and practices and emphasizes the scope of individual responsibilities in adhering to company policies, applicable laws, and regulations.
Cyber Security Risk Management
Sequoia undergoes internal and external third-party risk assessments to identify areas where we can improve our security controls and processes and strengthen our security posture.
Sequoia’s approach is to minimize its IT infrastructure footprint to the extent possible in favor of leveraging enterprise-level third-party service providers to host our applications and provide our services. Where possible, core applications are integrated using SSO and are protected using a defense-in-depth approach, ranging from strong passwords to Multi-Factor Authentication (MFA) and Role-Based Access Controls (RBAC). MFA makes it much more difficult for attackers to access protected systems and applications. Sequoia’s applications undergo third-party penetration tests and enforce session timeouts after a period of inactivity.
Sequoia uses strong encryption algorithms such as AES-256 for data at rest and TLS 1.2/1.3 for HTTPS connections so that data is encrypted both in transit and at rest (when stored).
Patch & Vulnerability Management
Security is part of the Software Development Lifecycle (SDLC) at Sequoia. Systems are patched regularly and critical patches are applied on an expedited basis. Threats and vulnerabilities are identified via various methods and technologies, including third-party penetration tests, static and dynamic scans, and security assessments.
Endpoint Security & Monitoring
Sequoia’s endpoints are secured using advanced solutions to detect and respond quickly to malicious attacks. We also leverage web filtering solutions to prevent malicious internet traffic. Systems are monitored 24/7 by a variety of technologies and our SIEM is monitored 24/7/365 by a leading MSSP.
Sequoia team members are trained frequently on security best practices, how to avoid phishing attacks, and how to properly handle and protect sensitive data.
Our security team continues to drive forward with additional investments, including adding further machine learning and AI capabilities to existing detection tools, staffing an internal incident response and detection team, amplifying our existing third-party testing program to increase testing frequency, and implementing a bug bounty program. As part of our ongoing strategy of continuous enhancement, please continue to check this Trust Center to learn about additional security assets that we will make available to clients.
Sequoia undergoes an annual SOC 2 Type II + HITRUST assessment, which demonstrates our continued focus on establishing and complying with our control framework around protecting systems and data. The assessment report is available for review under NDA.
Best practice recommendations for clients:
Reminders for helping to ensure secure access when using the Sequoia People Platform.
Recommendations for Employers:
- Enable SSO (Single Sign On)
- Enable MFA
- Enforce strong passwords and rotate passwords on a frequent basis
- Follow the Sequoia Trust Center for any new security alerts
- Share the CISA guidance "Avoiding Social Engineering and Phishing Attacks"
- Ensure your employees know that Sequoia system emails are sent to their work email leveraging your corporate domain, not to their personal emails. Exceptions:
  - Dependents will be sent system emails to whichever email they signed up with
  - Early-stage companies who sign up without an established domain (rare)
Upcoming enhancements to the Sequoia People Platform:
- Multi-factor authentication (MFA) will be applied to non-SSO access to our mobile app for extra security.
- As an extra reassurance to your people that they are in the right place, your company logo will now be shown as an interstitial step during the login process (right after their email verification step)
Recommendations for Employees:
- Sequoia notification emails will always come from an @sequoia.com email address
- Access to the Sequoia portal is always through a sequoia.com domain, for example: login.sequoia.com, admin.sequoia.com or px.sequoia.com
- As one of our employees, your Sequoia notifications will come to your work email, never to your personal email.
  - Note the exception: Your dependents will receive notifications to whatever email they signed up with.
Phishing attempts are unfortunately all too common. Here are some general tips on staying vigilant:
- Always check who the email was sent from. Don’t simply act on familiar aesthetics.
- Check for grammatical errors, incorrect spelling, and unusual capitalization
- Avoid acting impulsively on urgent messages – this is a common scammer tactic
- Double check the URL links in any email by mousing over them. Look for the proper domains. When in doubt, type in the URL address manually.
- If you receive an email that looks suspicious or you are not the intended recipient, don’t click on any links and report it to your IT and Security team at your organization.