Legal Center
Terms of Use, Acceptable Use, Privacy, and Security information for Prismatic.
Security at Prismatic
Effective: December 1, 2021
We take the security of your data very seriously at Prismatic. This page is dedicated to providing information about the practices, policies, and procedures we employ to ensure the security of your data. If you have any inquiries about our security practices or suspect a vulnerability in our platform, we urge you to contact us at security@prismatic.io.
Prismatic Platform Infrastructure
All Prismatic websites, APIs, databases, and servers are hosted in data centers run and secured by Amazon Web Services (AWS). AWS has a track record of enforcing industry-leading security policies, which you can read about at https://aws.amazon.com/security/. Within AWS, Prismatic places all compute and database servers in a virtual private cloud (VPC), in private subnets that are not directly reachable from the public internet.
Integration Execution Environments
Compute nodes that are responsible for executing customer code are isolated such that they do not have access to the rest of the compute and database infrastructure. Additionally, each execution of an integration is run in a distinct environment in such a way that one integration cannot access another integration's execution environment.
Data Encryption
Data exchanged between your client and our platform is encrypted in transit, and data we store is encrypted at rest. All traffic across the network is encrypted at every point of transfer using TLS 1.2 or later.
Additionally, we use various data storage and processing systems, all configured for data encryption at rest. To maintain high availability, we regularly back up our databases and storage systems and store these backups in an additional secure location, where they remain encrypted at rest.
Third Party Keys and Credential Management
When building integrations on our platform, you may need to authenticate against third-party APIs. The credentials you provide for this purpose are handled securely within the platform: stored credentials are encrypted with AES-256, and access to the decryption keys is restricted to the tenant that owns the credentials.
For integrations that require OAuth grants to third-party services, Prismatic performs the OAuth flow on your behalf. Our system refreshes API tokens regularly to keep them valid and stores them encrypted under customer-specific keys. We do not log credentials, and you can delete them from the platform at any time.
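The two paragraphs above describe credential storage at a high level: AES-256 encryption, keys scoped to a tenant, tokens re-stored after refresh, and deletion on request. The following Go program is an added, self-contained illustration of that pattern; it is not Prismatic's code, and the `Store` type, the in-memory per-tenant keys, and the sample tenant and token values are all assumptions made for the example. In a production system the per-tenant keys would live in a KMS or HSM rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Store holds one AES-256 key per tenant and the ciphertexts of that
// tenant's third-party credentials. Keys are generated in memory here
// purely for illustration; a real deployment would keep them in a KMS/HSM.
type Store struct {
	keys  map[string][]byte // tenant ID -> 32-byte AES key
	blobs map[string][]byte // tenant ID + "/" + credential ID -> nonce || ciphertext
}

func NewStore() *Store {
	return &Store{keys: map[string][]byte{}, blobs: map[string][]byte{}}
}

// aeadFor returns an AES-256-GCM instance for the tenant's key. When create
// is true a fresh random key is provisioned on first use; otherwise a tenant
// without a key is an error, so decryption never silently picks a default.
func (s *Store) aeadFor(tenant string, create bool) (cipher.AEAD, error) {
	key, ok := s.keys[tenant]
	if !ok {
		if !create {
			return nil, errors.New("no key provisioned for tenant " + tenant)
		}
		key = make([]byte, 32) // 256-bit key
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		s.keys[tenant] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func label(tenant, credID string) []byte { return []byte(tenant + "/" + credID) }

// Put encrypts a secret under the owning tenant's key with a fresh nonce.
// The tenant/credential label is bound as associated data, so a blob that is
// re-filed under another tenant or credential ID will not decrypt. Calling
// Put again for the same credential (e.g. after an OAuth refresh) replaces it.
func (s *Store) Put(tenant, credID string, secret []byte) error {
	aead, err := s.aeadFor(tenant, true)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.blobs[string(label(tenant, credID))] = aead.Seal(nonce, nonce, secret, label(tenant, credID))
	return nil
}

// Get decrypts a credential with its own tenant's key.
func (s *Store) Get(tenant, credID string) ([]byte, error) {
	return s.openAs(tenant, tenant, credID)
}

// OpenAs attempts to decrypt owner's credential using actor's key. It exists
// only to demonstrate isolation: for actor != owner it must fail.
func (s *Store) OpenAs(actor, owner, credID string) ([]byte, error) {
	return s.openAs(actor, owner, credID)
}

func (s *Store) openAs(actor, owner, credID string) ([]byte, error) {
	blob, ok := s.blobs[string(label(owner, credID))]
	if !ok {
		return nil, errors.New("no such credential")
	}
	aead, err := s.aeadFor(actor, false)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("malformed blob")
	}
	// GCM authenticates key, nonce and associated data together: a wrong key
	// or a wrong label yields an error, never garbage plaintext.
	return aead.Open(nil, blob[:n], blob[n:], label(owner, credID))
}

// Delete removes the ciphertext for a credential.
func (s *Store) Delete(tenant, credID string) { delete(s.blobs, string(label(tenant, credID))) }

func main() {
	s := NewStore()
	// Constructed sample data for two tenants; not real tokens.
	_ = s.Put("acme", "crm-oauth", []byte("refresh-token-acme"))
	_ = s.Put("globex", "crm-oauth", []byte("refresh-token-globex"))
	tok, _ := s.Get("acme", "crm-oauth")
	fmt.Printf("acme reads its own token: %s\n", tok)
	_, err := s.OpenAs("globex", "acme", "crm-oauth")
	fmt.Printf("globex reading acme's token: %v\n", err)
}
```

Running the program shows the owning tenant recovering its token while the other tenant's key fails authentication on the same blob. The associated-data binding is the detail worth copying: it means a storage-layer bug that misfiles a ciphertext under the wrong tenant still cannot produce a usable credential.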
User Credential Handling
For user authentication, Prismatic uses Auth0 to provide secure access to our platform. Prismatic does not store or handle your passwords; authentication is delegated entirely to Auth0. See Auth0's site for information on their security practices.
Your Responsibilities
Despite the stringent security measures we implement, our users also have a role to play in keeping their data secure. We recommend that you adopt information security best practices while using Prismatic. This includes:
- Reading and understanding our Acceptable Use Policy and Terms of Use.
- Regularly updating us about changes to your organization's technical or administrative contact information.
- Regular auditing of your organization's users, their roles, and permissions within Prismatic.
- Handling credentials securely and maintaining the privacy of sensitive information.
- Promptly notifying Prismatic about any suspected information security breaches or compromised user accounts.
Certifications
Our commitment to securing your data is backed by a SOC 2 Type 2 attestation, which confirms that our security policies and procedures have been independently audited, meet stringent data security requirements, and operated effectively throughout the audit period.
Reporting Bugs and Vulnerabilities
Should you discover a bug or vulnerability in our platform, please contact our security team at security@prismatic.io. They are dedicated to addressing such issues promptly. To encrypt sensitive communications to Prismatic, please use this PGP key. If you are unfamiliar with PGP encryption, please check out GPG and see these docs on importing a public key.