Last update: August 19, 2020

Security & Compliance

Overview

Keeping our customers data protected at all times is our highest priority. This security policy provides a high-level overview of the security practices put in place to achieve that objective. Have questions or feedback? Feel free to reach out to us at [email protected]

Infrastructure

Prezly is entirely hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP). The safety and security policies that AWS and GCP provide to us are also applicable to our customers.

AWS and GCP data centers operations comply with a set of standards and regulations including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, SSAE 16, PCI Level 1, PCI DSS, FISMA Moderate Sarbanes-Oxley (SOX), and HIPAA (at the server level).

Please refer to the links below for more information about AWS and GCP Data Center Security :

- AWS - GCP

Network level security monitoring and protection

We follow AWS and GCP Security Best Practices to ensure network security. Access to our network infrastructure is provided through multiple secured access points which restrict network-level access based on job function, utilizing the principle of least privilege.

We monitor and protect our network, to make sure no unauthorized access is performed using:

• A virtual private cloud (VPC), a bastion host or VPN with network access control lists (ACL’s) and no public IP addresses.

• A firewall that monitors and controls incoming and outgoing network traffic

• IP address filtering.

• A service mesh providing routing, traffic shaping, load balancing, and telemetry combined with security capabilities such as access control policies and encryption (mutual TLS).

• A identity-aware access proxy that enables secure access to internal applications

• Multiple alerting systems that track and evaluate our cloud providers access, rules and configurations.

DDoS protection

We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.

Data encryption

We use the industry best practice encryption algorithms for cryptographic controls to ensure the security of data and the environment where the data is stored in.

Encryption in transit

• All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS). You can see our SSLLabs report here.

Encryption at rest

• All our user data (including passwords) is encrypted in the database.

• All manual and automatic data backups are encrypted.

Data retention and removal

We retain our customers data for a period of 90 days after an account is terminated. All data is then completely removed from our servers. User data contained in our monthly snapshots can be stored encrypted for up to 24 months. Every user can request the removal of usage data by contacting support. Read more about our privacy settings at https://www.prezly.com/privacy-policy

Logging

We maintain extensive logs specific to the application, operating system, database layers, logins and commands issued by operation team in a centralized logging environment to allow for performance and security monitoring.

Business continuity and disaster recovery

We run our platform in 3 different availability zones in a single cloud provider region and automatically migrate all applications to a healthy zone in case of an outage.

We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster.

Daily backups are automatically restored to isolated, production like environments and tested for consistency.

Application security monitoring and protection

• We use multiple security monitoring and scanning solutions to get visibility into our infrastructure and application security, identify attacks and respond quickly to a data breach.

• We use technologies to monitor exceptions, logs and detect anomalies in our applications.

• We collect and store logs to provide an audit trail of our applications activity.

• We use a service mesh to monitor and secure our micro-services.

• We use a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real-time.

• We use security headers to protect our users from attacks. You can check our grade on SecurityHeaders.io

• We use security automation capabilities that automatically detect and respond to threats targeting our apps. Security events are logged and notifications are sent in case of critical attacks to allow for fast remediation.

Secure development

We develop following security best practices and frameworks (OWASP Top 10, SANS Top 25). We use the following best practices to ensure the highest level of security in our software:

• We review our code for security vulnerabilities.

• We regularly update our dependencies and make sure none of them has known vulnerabilities.

• We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase.

• We use Dynamic Application Security Testing (DAST) to scan our applications.

• We rely on yearly third-party security experts to perform penetration tests of our applications.

• We follow the Agile methodology for software development which facilitates continuous deployment, meaning that features and bug fixes are released to production when completed.

• All changes are verified with automated unit, integration, functional, performance, and security tests.

• Developers work together to review changes and use various pre-production environments to test them before production deployment.

Responsible disclosure

We encourage everyone that practices responsible disclosure and comply with our policies and terms of service to report us any vulnerabilities they might discover.

Please avoid automated testing and only perform security tests with your own data. Do not disclose any information regarding the vulnerabilities until we fix them. Rewards are done at our discretion depending on the criticality of the vulnerability reported.

You can report vulnerabilities by contacting us via either Keybase or Email. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal actions if you follow the rules.

Important: our bug bounty program is currently closed and we are not looking for new security researchers. We won’t pay rewards to anybody not part of it.

You can not use our trial accounts for vulnerabilities discovery. If you want to perform any security testing on our platform, you first have to provide a valid profile as a security researcher and request approval thru Keybase or Email.

Coverage

• *.prezly.com

Exclusions

• docs.prezly.com

• status.prezly.com

• careers.prezly.com

Accepted vulnerabilities are the following:

• Cross-Site Scripting (XSS)

• Open redirect

• Cross-site Request Forgery (CSRF)

• Command/File/URL inclusion

• Authentication issues

• Code execution

• Code or database injections

This bug bounty program does NOT include:

• Account/email enumerations

• Denial of Service (DoS)

• Attacks that could harm the reliability/integrity of our business

• Spam attacks

• Clickjacking on pages without authentication and/or sensitive state changes

• Mixed content warnings

• Lack of DNSSEC, SPF, DKIM, ...

• Content spoofing / text injection

• Timing attacks

• Social engineering

• Phishing

• Insecure cookies for non-sensitive cookies or 3rd party cookies

• Vulnerabilities requiring exceedingly unlikely user interaction

• Exploits that require physical access to a user's machine

User protection

Single sign-on

Single sign-on (SSO) is offered for our EXPERT or ENTERPRISE plans.

Account takeover protection

We protect our users against data breaches by monitoring and blocking brute force attacks.

Role-based access control

Advanced role-based access control (RBAC) is offered on our EXPERT or ENTERPRISE plans and allows admins to manage user permissions.

Suspicious user behaviour monitoring

We monitor suspicious behaviours and react fast in case of account takeovers. We also protect customers against data theft by blocking credential stuffing or brute force attacks.

Compliance

GDPR

We’re compliant to the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. More details on how we comply to GDPR are available here.

Payment information

All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We don’t collect any payment information and are therefore not subject to PCI obligations.

Employee access

• Access is limited by Role-Based Access Control ensuring that only the users who require access to a certain resource are able to login.

• The access rights of employees are reviewed according to their job responsibilities at regular intervals.

• Access to information and applications is restricted by SSO and all endpoints are protected by a identity-aware access proxy.

• All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers sensitive information.

• Systems are protected using Ed25519 or 4096 bit RSA keys and access is extremely limited and closely monitored. Wherever feasible, Prezly uses private API endpoints restricted using Role-Based Access Control to manage production systems, avoiding the use and distribution of private keys.