Being able to guarantee to our customers that their data is secure and that their privacy is protected is absolutely essential to us. We can ensure this through a combination of strict internal processes, reliable partners, and more than 10 years of experience in business as a PR software company.
We work directly with some of the biggest brands in the world with some of the highest standards in terms of security and privacy regulations. This page gives you an overview of our privacy policies, security measures, and where you can request more in-depth information in case you need it.
All of our services and data are hosted in Amazon Web Services (AWS) facilities (eu-west-1) in the Republic of Ireland, in the European Union.
Our software platform was built with disaster recovery in mind. Our infrastructure and data are spread across multiple server nodes and AWS availability zones and are designed to continue to work should any one of the data centers or facilities fail.
On an application level, we produce audit logs for activity, and for data storage devices we log all activity to a centralised place for review. Actions taken on cloud management consoles or in the pr.co dashboard are logged.
Access to customer data is limited to authorized personnel who absolutely require it for their job. Every service hosted by pr.co is served over forced HTTPS only, with HSTS enabled. We enforce SAML Single Sign-On (SSO), two-factor authentication (2FA) and strong password policies on the critical cloud services used by our team, such as GitHub, Google, HubSpot (CRM), AWS, Mailgun (ESP) and Intercom (support), to ensure access to those services is protected.
All data sent to or from pr.co is encrypted in transit using 256-bit encryption. Our APIs and application endpoints are TLS/SSL only and score a solid "A" rating in Qualys SSL Labs' tests, which means we only use strong cipher suites and have features such as HSTS enabled. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm, by making use of AWS RDS encryption.
We adhere to GDPR standards and are registered within the EU with relevant Data Authorities. We rely on the Standard Contractual Clauses (SCCs) as a data transfer mechanism.
Customers of pr.co who are data controllers can download and export all their data at any point in time. Just let our support staff know and we'll send you the full export.
Want to receive a copy of our Data Processing Agreement (DPA)? Please contact us at firstname.lastname@example.org.
We've implemented various technical and organisational measures to ensure the privacy of our customers and the personal data of anyone involved with our customers' PR activities.
Think of a strict internal confidentiality policy, clear data authorization policies, data protection training, social engineering awareness training, a review policy for sub-processors, a comprehensive whistleblower policy, strict office access policies, and more.
On a technical level, think of encryption of all data in motion, encryption of data at rest, vulnerability scanning, automatic software patching, automatic data retention schedules, automated backups, and strict authorization controls (strong passwords, bcrypt-hashed passwords, multi-factor authentication).
Want to see a copy of our Technical and Organisational Measures white paper? Please contact us at email@example.com.
Payments made to pr.co go through our partner Chargebee. Details about their security setup and PCI compliance can be found on Chargebee's security page.
We make use of Amazon's AWS cloud platform and infrastructure. Our staff does not have any physical access to these hosting facilities or environments. Here are more details about the security setup of AWS.
Cloud security is the highest priority at AWS. As an AWS customer, we benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organisations.
“Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, with military grade perimeter control berms. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in. They are also continually escorted by authorized staff.”
In addition to physical security, being on the AWS platform also provides us significant protection against traditional network security issues on the infrastructure including,
We obtain the SOC 1 and SOC 2 reports from AWS for the services they render to us and review the third-party auditor's opinion on the effectiveness of their controls.
For the software development of the pr.co platform we've made sure to cover the bases that you should expect of a modern web application. As the foundation we only make use of well-maintained, industry-standard languages and frameworks.
We have automatic vulnerability scanning in place to check for known vulnerabilities in the software versions and libraries we use. We review the findings periodically and upgrade to the required versions to mitigate them.
We've mitigated most known web application vulnerabilities and have confirmed this in previously performed pentests. Some of the confirmed mitigations (not limited to this list):
Besides our infrastructure and application being secure, it's just as important that you and your colleagues have the right tools to use pr.co safely. For that we've made sure there are a couple of features in place that allow you to do so:
There's only so much we can and should disclose on a page like this. If you're interested in choosing pr.co as your PR Software vendor, please get in touch with our sales representative and ask for our Security Whitepaper.
This document goes a lot more in-depth into the exact technologies, processes and policies that we've implemented to make pr.co a reliable partner for organizations big and small.
Please get in touch here: pr.co/talk-to-sales.
Catering to organizations big and small for many years has given us a lot of experience working with risk assessment teams, filling in questionnaires, going through IT reviews, and facilitating penetration tests on our platform.
Is this something you require as part of your risk assessment procedure? Please point this out during your talks with our sales team so that they can make sure it is included as part of your SLA.
We maintain a very straightforward bug bounty policy. If you report something that we can reproduce and verify as a vulnerability or security risk, we'll find a way to reward you in proportion to the severity of the vulnerability found.
Have you found something? Please send your report on the risk and how we can reproduce it to this email address: firstname.lastname@example.org.
We have an uptime of 99.9% or higher. We base this on live monitoring of all critical components of the pr.co platform. You can check the past month's stats at: status.pr.co.