Terms of Service, Acceptable Use, Privacy, and Security information for Prismatic.
Effective: December 1, 2021
At Prismatic we take the security of your data very seriously. On this page we'd like to outline the practices, policies, and procedures we use to ensure that your data is handled securely. If you have any questions about security practices at Prismatic, or if you believe you have found a vulnerability in Prismatic's platform, please reach out to us by emailing email@example.com.
All Prismatic websites, APIs, databases, and servers are hosted in data centers run and secured by Amazon Web Services (AWS). AWS has a track-record of enforcing industry-leading security policies, which you can read about at https://aws.amazon.com/security/. Within AWS, Prismatic places all compute and database servers in a virtual private cloud (VPC) and within private subnets where they are not directly accessible from the public internet.
Servers that run customers' integrations are placed on a separate, firewalled network segment from the rest of the compute and database infrastructure in order to mitigate risk of malicious users compromising the platform or other customers' data. Additionally, each execution of an integration is run in a distinct environment in such a way that one integration cannot access another integration's execution environment.
Traffic between your client (Web Browser, command line tool, etc) is encrypted in transit using TLS 1.2 or later, which is terminated by Amazon CloudFront. Data transferred between CloudFront, internal load balancers, and compute nodes are all encrypted similarly, as are connections between compute nodes and Redis and database instances, and other Amazon services (S3, DynamoDB, etc). At no point does data flow across a network unencrypted; all data are encrypted in transit.
Relational databases (we use PostgreSQL), Redis, and Amazon S3 are all configured to encrypt data at rest. To achieve high availability (HA), backups of databases and S3 are encrypted and streamed to an additional AWS region, where the backups are encrypted at rest.
As you assemble integrations using Prismatic's platform, you will inevitably authenticate against third-party APIs (e.g. AWS, Azure, GCP, Dropbox, some SFTP server, etc). The passwords, keys, and other credentials that you provide us to enable third-party connectivity are handled securely within the Prismatic platform. Credentials are stored encrypted at rest using AES-128 using tenant-specific encryption keys, and secure measures are put in place to ensure that running integrations only have access to the decryption keys for their specific tenant. So, each customer can encrypt their own saved credentials, but no one else's.
For integrations that require OAuth grants to third-party services, you can provide Prismatic with a client ID, client secret, authorization scopes, an authorization URI, and a token URI, and Prismatic will take care of the rest of the OAuth process - see our docs for more details. In order to ensure that API tokens created using the OAuth 2.0 flow are kept valid (as OAuth tokens expire), a service within our API periodically refreshes the API tokens, and saves those tokens using the customer's tenant-specific encryption key.
Credentials are never logged, and you can always delete credentials from Prismatic within the Platform.
Prismatic uses Auth0 to authenticate users. Users authenticate on an Auth0 website, receive an API key that is saved as a cookie on their web browser. That cookie is used to authenticate users on Prismatic's platform. Prismatic does not store users' credentials, and never interacts with user credentials. See Auth0's site for information on their security practices.
We use Stripe to process payments for the Prismatic platform. Payment method information is stored exclusively on Stripe's systems, though metadata about payments made through Stripe are shared between Stripe and Prismatic (so we can know what you paid for, and when). Stripe sets the industry standard for payment security, and details about security at Stripe can be found in their docs.
While we can control the security surrounding Prismatic systems and the code that we write, we do not have control over what you create within Prismatic. Please follow good security practices when using Prismatic.
This includes, but is not limited to:
- Reading and understanding our Acceptable Use Policy and Terms of Service.
- Notifying Prismatic of changes made to technical or administrative contact information for your organization.
- Regularly auditing your organization's users, and the roles and permissions they have within Prismatic.
- Handling credentials securely (e.g. not writing secrets to logs).
- Keeping other sensitive information private (e.g. don't send sensitive information to unsafe systems).
- Notifying Prismatic if you suspect any information security breaches or compromised user accounts, including those used for integrations and secure file transfers.
Prismatic holds a SOC 2 Type 1 certification. That means that an independent auditor has evaluated our security policies and procedures and certifies that Prismatic complies with their stringent data security requirements.
If you believe you have found a bug or vulnerability in Prismatic's platform, please contact our security team at firstname.lastname@example.org. Our security team will work quickly to remedy any issues you find.