Last update: August 19, 2020

Security & Compliance

Overview

Keeping our customers data protected at all times is our highest priority. This security policy provides a high-level overview of the security practices put in place to achieve that objective. Have questions or feedback? Feel free to reach out to us at [email protected]

Infrastructure

Prezly is entirely hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP). The safety and security policies that AWS and GCP provide to us are also applicable to our customers.

AWS and GCP data centers operations comply with a set of standards and regulations including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, SSAE 16, PCI Level 1, PCI DSS, FISMA Moderate Sarbanes-Oxley (SOX), and HIPAA (at the server level).

Please refer to the links below for more information about AWS and GCP Data Center Security :

- AWS - GCP

Network level security monitoring and protection

We follow AWS and GCP Security Best Practices to ensure network security. Access to our network infrastructure is provided through multiple secured access points which restrict network-level access based on job function, utilizing the principle of least privilege.

We monitor and protect our network, to make sure no unauthorized access is performed using:

DDoS protection

We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.

Data encryption

We use the industry best practice encryption algorithms for cryptographic controls to ensure the security of data and the environment where the data is stored in.

Encryption in transit
Encryption at rest

Data retention and removal

We retain our customers data for a period of 90 days after an account is terminated. All data is then completely removed from our servers. User data contained in our monthly snapshots can be stored encrypted for up to 24 months. Every user can request the removal of usage data by contacting support. Read more about our privacy settings at https://www.prezly.com/privacy-policy

Logging

We maintain extensive logs specific to the application, operating system, database layers, logins and commands issued by operation team in a centralized logging environment to allow for performance and security monitoring.

Business continuity and disaster recovery

We run our platform in 3 different availability zones in a single cloud provider region and automatically migrate all applications to a healthy zone in case of an outage.

We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster.

Daily backups are automatically restored to isolated, production like environments and tested for consistency.

Application security monitoring and protection

Secure development

We develop following security best practices and frameworks (OWASP Top 10, SANS Top 25). We use the following best practices to ensure the highest level of security in our software:

Responsible disclosure

We encourage everyone that practices responsible disclosure and comply with our policies and terms of service to report us any vulnerabilities they might discover.

Please avoid automated testing and only perform security tests with your own data. Do not disclose any information regarding the vulnerabilities until we fix them. Rewards are done at our discretion depending on the criticality of the vulnerability reported.

You can report vulnerabilities by contacting us via either Keybase or Email. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal actions if you follow the rules.

Important: our bug bounty program is currently closed and we are not looking for new security researchers. We won’t pay rewards to anybody not part of it.

You can not use our trial accounts for vulnerabilities discovery. If you want to perform any security testing on our platform, you first have to provide a valid profile as a security researcher and request approval thru Keybase or Email.

Coverage

Exclusions

Accepted vulnerabilities are the following:

This bug bounty program does NOT include:

User protection

Single sign-on

Single sign-on (SSO) is offered for our EXPERT or ENTERPRISE plans.

Account takeover protection

We protect our users against data breaches by monitoring and blocking brute force attacks.

Role-based access control

Advanced role-based access control (RBAC) is offered on our EXPERT or ENTERPRISE plans and allows admins to manage user permissions.

Suspicious user behaviour monitoring

We monitor suspicious behaviours and react fast in case of account takeovers. We also protect customers against data theft by blocking credential stuffing or brute force attacks.

Compliance

GDPR

We’re compliant to the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. More details on how we comply to GDPR are available here.

Payment information

All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We don’t collect any payment information and are therefore not subject to PCI obligations.

Employee access