
Security at Prismatic

Effective: December 11, 2020

At Prismatic we take the security of your data very seriously. On this page we'd like to outline the practices, policies, and procedures we use to ensure that your data is handled securely. If you have any questions about security practices at Prismatic, or if you believe you have found a vulnerability in Prismatic's platform, please reach out to us by emailing security@prismatic.io.

Prismatic Platform Servers

All Prismatic websites, APIs, databases, and servers are hosted in data centers run and secured by Amazon Web Services (AWS). AWS has a track-record of enforcing industry-leading security policies, which you can read about at https://aws.amazon.com/security/. Within AWS, Prismatic places all compute and database servers in a virtual private cloud (VPC) and within private subnets where they are not directly accessible from the public internet.

Integration Execution Environments

Servers that run customers' integrations are placed on a separate, firewalled network segment from the rest of the compute and database infrastructure in order to mitigate risk of malicious users compromising the platform or other customers' data. Additionally, each execution of an integration is run in a distinct environment in such a way that one integration cannot access another integration's execution environment.

Encryption in Transit, and at Rest

Traffic between your client (web browser, command-line tool, etc.) and Prismatic's platform is encrypted in transit using TLS (SSL), which is terminated at Amazon CloudFront. Data transferred between CloudFront, internal load balancers, and compute nodes is encrypted in the same way, as are connections between compute nodes and Redis and database instances, and connections to other Amazon services (S3, DynamoDB, etc.). At no point does data flow across a network unencrypted; all data are encrypted in transit.

Relational databases (we use PostgreSQL), Redis, Amazon DynamoDB, and Amazon S3 are all configured to encrypt data at rest. Sensitive user data (results of integration execution runs, credentials, etc.) are additionally AES-256 encrypted in S3 buckets and DynamoDB with tenant-specific encryption keys that are managed through AWS Certificate Manager. For information on encryption key specs, see AWS's documentation on the SYMMETRIC_DEFAULT key spec.

To achieve high availability (HA), backups of databases and S3 are encrypted and streamed to an additional AWS region, where the backups are encrypted at rest.

Handling of Third Party Keys and Credentials

As you assemble integrations using Prismatic's platform, you will inevitably authenticate against third-party APIs (e.g. AWS, Azure, GCP, Dropbox, an SFTP server, etc.). The passwords, keys, and other credentials that you provide us to enable third-party connectivity are handled securely within the Prismatic platform. Credentials are stored encrypted at rest using AES-256 with tenant-specific encryption keys managed through AWS Certificate Manager, and secure measures are put in place to ensure that running integrations only have access to the decryption keys for their specific tenant. So, each customer's integrations can decrypt that customer's own saved credentials, but no one else's.
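The property described above (a credential sealed under one tenant's key cannot be opened with another tenant's key) is easy to demonstrate with AES-256-GCM. The following is an added example written for this page, not Prismatic's code: the in-memory `TenantKeyStore` stands in for a managed key service (an assumption), the tenant IDs and the sample credential are constructed values, and the tenant ID is bound into the ciphertext as additional authenticated data so a stored record cannot be re-labelled as belonging to a different tenant.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TenantKeyStore maps a tenant ID to its own 256-bit AES key.
// Assumption: keys are held in memory here; a real deployment would fetch
// them from a managed key service scoped to the running tenant.
type TenantKeyStore struct {
	keys map[string][]byte
}

func NewTenantKeyStore() *TenantKeyStore {
	return &TenantKeyStore{keys: map[string][]byte{}}
}

// Provision generates a fresh random AES-256 key for one tenant.
func (s *TenantKeyStore) Provision(tenant string) error {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(key); err != nil {
		return err
	}
	s.keys[tenant] = key
	return nil
}

// gcmFor returns an AES-256-GCM AEAD for the tenant's key, or an error if
// the caller has no key for that tenant (the isolation check).
func (s *TenantKeyStore) gcmFor(tenant string) (cipher.AEAD, error) {
	key, ok := s.keys[tenant]
	if !ok {
		return nil, errors.New("no key provisioned for tenant " + tenant)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredential encrypts a credential under the tenant's key. The output is
// nonce || ciphertext || GCM tag; the tenant ID is the associated data.
func (s *TenantKeyStore) SealCredential(tenant string, plaintext []byte) ([]byte, error) {
	gcm, err := s.gcmFor(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag after the nonce prefix.
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenant)), nil
}

// OpenCredential decrypts a sealed credential for the named tenant. Using the
// wrong tenant's key, or a ciphertext re-labelled with another tenant ID,
// fails GCM authentication and returns an error instead of plaintext.
func (s *TenantKeyStore) OpenCredential(tenant string, sealed []byte) ([]byte, error) {
	gcm, err := s.gcmFor(tenant)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed credential too short")
	}
	nonce, ct := sealed[:n], sealed[n:]
	return gcm.Open(nil, nonce, ct, []byte(tenant))
}

func main() {
	store := NewTenantKeyStore()
	_ = store.Provision("tenant-a") // constructed tenant IDs
	_ = store.Provision("tenant-b")

	// Constructed sample credential; never a real secret.
	sealed, _ := store.SealCredential("tenant-a", []byte("sftp-password-example"))

	pt, err := store.OpenCredential("tenant-a", sealed)
	fmt.Printf("tenant-a opens own credential: %q err=%v\n", pt, err)

	_, err = store.OpenCredential("tenant-b", sealed)
	fmt.Printf("tenant-b opening tenant-a credential: err=%v\n", err)
}
```

The per-tenant boundary is enforced twice: a caller without that tenant's key cannot even construct the cipher, and a caller who somehow obtains a ciphertext but uses another key (or another tenant ID as associated data) gets an authentication failure rather than garbage plaintext, which is the behaviour to test for in a credential store.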

For integrations that require OAuth grants to third-party services, you can provide Prismatic with a client ID, client secret, authorization scopes, an authorization URI, and a token URI, and Prismatic will take care of the rest of the OAuth process; see our docs for more details. Because OAuth tokens expire, a service within our API periodically refreshes the API tokens created using the OAuth 2.0 flow so that they remain valid, and saves the refreshed tokens using the customer's tenant-specific encryption key.

Credentials are never logged, and you can always delete credentials from Prismatic within the Platform.

User Credential Handling

Prismatic uses Auth0 to authenticate users. Users authenticate on an Auth0 website and receive an API key that is saved as a cookie in their web browser. That cookie is used to authenticate users on Prismatic's platform. Prismatic does not store users' credentials and never interacts with user credentials. See Auth0's site for information on their security practices.

Secure Payments

We use Stripe to process payments for the Prismatic platform. Payment method information is stored exclusively on Stripe's systems, though metadata about payments made through Stripe is shared between Stripe and Prismatic (so we can know what you paid for, and when). Stripe sets the industry standard for payment security, and details about security at Stripe can be found in their docs.

Reporting Bugs and Vulnerabilities

If you believe you have found a bug or vulnerability in Prismatic's platform, please contact our security team at security@prismatic.io. Our security team will work quickly to remedy any issues you find.

To encrypt sensitive communications to Prismatic, please use this PGP key. If you are unfamiliar with PGP encryption, please check out GPG and see these docs on importing a public key.