Being able to guarantee to our customers that their data is secure and that their privacy is protected is absolutely essential to us. We achieve this through a combination of strict internal processes, reliable partners, and more than 10 years in business as a PR software company.

We work directly with some of the biggest brands in the world, brands that must meet some of the strictest security and privacy requirements. This page gives you an overview of our privacy policies and security measures, and tells you where to request more in-depth information if you need it.

Data processing

Location of data

All of our services and data are hosted in Amazon Web Services (AWS) facilities in the eu-west-1 region, located in the Republic of Ireland in the European Union.

Failover and availability

Our software platform was built with disaster recovery in mind. Our infrastructure and data are spread across multiple server nodes and AWS availability zones and are designed to continue to work should any one of the data centers or facilities fail.

Backups and monitoring

On the application level we produce audit logs of user activity; for data storage devices, all activity is logged to a centralised location for review. Actions taken in cloud management consoles or in the pr.co dashboard are logged as well.

Permissions and authorization

Access to customer data is limited to authorized personnel who absolutely require it for their job. Every service hosted by pr.co is served over HTTPS only, with HSTS enabled. We enforce SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on the critical cloud services our team uses, such as GitHub, Google, HubSpot (CRM), AWS, Mailgun (ESP) and Intercom (support).

Encryption and storage

All data sent to or from pr.co is encrypted in transit using 256-bit encryption. Our APIs and application endpoints are TLS-only and score a solid "A" rating on the Qualys SSL Labs test, which means we use only strong cipher suites and have features such as HSTS enabled. Data at rest is encrypted with the industry-standard AES-256 algorithm using AWS RDS encryption.

Privacy & GDPR

General Data Protection Regulation (GDPR)

We adhere to GDPR standards and are registered within the EU with the relevant data protection authorities. We rely on the Standard Contractual Clauses (SCCs) as our data transfer mechanism.

Customers of pr.co who are data controllers can download and export all their data at any point in time. Just let our support staff know and we'll send you the full export.

Data Processing Agreement (DPA)

If you, as a pr.co customer, process personal data through the pr.co platform, a Data Processing Agreement (DPA) typically needs to be agreed between your company and pr.co. We have prepared a standard contract for this purpose, which accurately describes the specific characteristics of our product. If you need a DPA, we strongly urge you to use our template, since it is the most efficient option.

Want to receive a copy of our Data Processing Agreement (DPA)? Please contact us at privacy@pr.co.

Technical and organisational measures

We've implemented various technical and organisational measures to ensure the privacy of our customers and the personal data of anyone involved with our customers' PR activities.

These include a strict internal confidentiality policy, clear data authorization policies, data protection training, social engineering awareness training, a review policy for sub-processors, a comprehensive whistleblower policy, strict office access policies, and more.

On the technical level, these include encryption of all data in transit, encryption of data at rest, vulnerability scanning, automatic software patching, automatic data retention schedules, automated backups, and strict authorization controls (strong passwords, bcrypt-hashed passwords, multi-factor authentication).

Want to see a copy of our Technical and Organisational Measures white paper? Please contact us at privacy@pr.co.

Security & compliance

Secure payments with PCI compliance

Payments made to pr.co go through our partner Chargebee. Details about their security setup and PCI compliance can be found at Chargebee's security page.

Physical and Network security

We make use of Amazon's AWS cloud platform and infrastructure. Our staff have no physical access to these hosting facilities or environments. More details about the security setup of AWS follow.

Cloud security is the highest priority at AWS. As an AWS customer, we benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organisations.

“Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, with military grade perimeter control berms. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in. They are also continually escorted by authorized staff.”

In addition to physical security, being on the AWS platform also gives us significant protection at the infrastructure level against traditional network security issues, including:

  • Distributed Denial Of Service (DDoS) Attacks
  • Man In the Middle (MITM) Attacks
  • Port Scanning
  • Packet sniffing by other tenants

We obtain the SOC 1 and SOC 2 reports from AWS for the services they render to us and review the third-party auditor's opinion on the effectiveness of their controls. Under the AWS shared responsibility model, the security of what we run on top of that infrastructure remains our own responsibility, which the application-level measures below cover.

Application level security

For the software development of the pr.co platform we've made sure to cover the bases that you should expect of a modern web application. As the foundation we only make use of well-maintained, industry-standard languages and frameworks.

We have automatic vulnerability scanning in place to check for known vulnerabilities in the software versions and libraries we use. We review the findings periodically and upgrade to the patched versions to mitigate them.

We've mitigated most known web application vulnerabilities and have confirmed this during previously performed pentests. Some of the confirmed mitigations (not an exhaustive list):

  • OWASP Top 10 Risks
  • Cross-site scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL injection
  • User input sanitization
  • Brute-force login attacks
  • Replay attacks
  • Strict CORS policies
  • File upload scanning (malware, executables, etc)
  • JSON Web Tokens (JWT) for API authorization
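The last item above names JWT-based API authorization. The following is an added example, not pr.co's code, showing the checks an API must run on a bearer token before trusting its claims: the algorithm is pinned server-side (so an `"alg": "none"` header or a key-confusion attack cannot bypass the signature), the HMAC is compared in constant time, and the issuer and expiry are verified only after the signature holds. The secret key, issuer URL, user IDs and timestamps are constructed for the example.

```python
"""Verifying an HS256 JSON Web Token with the Python standard library only.

Added example, not pr.co's code. The secret key, issuer and claims below
are constructed for the example; a real service would load the key from
its secrets store and the issuer from configuration.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-example-secret-do-not-reuse"  # constructed, not a real key
ISSUER = "https://api.example.test"                  # hypothetical issuer


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes, issuer: str, now=None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.

    Order matters: the algorithm is pinned and the signature checked before
    any claim is read, so unsigned or foreign-signed payloads never reach
    the claim logic.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        raise ValueError("malformed token")
    # Pin the algorithm server-side; never trust the token's own alg field
    # ("alg": "none" and HMAC/RSA key-confusion attacks rely on doing so).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison, so a timing side channel cannot help forge a MAC
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("expired or missing exp")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf:
        raise ValueError("not yet valid")
    return claims


def classify(token: str, now: int) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_hs256(token, SECRET, ISSUER, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


def demo() -> dict:
    """Issue one token and show what the verifier does with four variants."""
    issued_at = 1_700_000_000  # constructed timestamp
    claims = {"sub": "user-42", "iss": ISSUER, "iat": issued_at, "exp": issued_at + 3600}
    good = sign_hs256(claims, SECRET)
    hdr, body, sig = good.split(".")
    # Attacker rewrites the payload but cannot re-sign it
    tampered = ".".join([hdr, _segment(dict(claims, sub="admin")), sig])
    # Attacker sets alg=none and drops the signature
    unsigned = _segment({"alg": "none", "typ": "JWT"}) + "." + body + "."
    return {
        "valid": classify(good, issued_at + 60),
        "tampered": classify(tampered, issued_at + 60),
        "alg_none": classify(unsigned, issued_at + 60),
        "expired": classify(good, issued_at + 3600),
    }
```

Running `demo()` accepts only the untouched, unexpired token; the rewritten payload fails on the signature, the `alg=none` variant is rejected before the signature is even looked at, and the token presented at its exact `exp` second is treated as expired. A token issued under a different key fails the same signature check, which is the property that makes a JWT usable as a bearer credential at all.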

Security features for you

Besides our infrastructure and application being secure, it's just as important that you and your colleagues have the right tools to use pr.co safely. For that we provide several features that let you do so:

  • Strong password rules (in-line with the OWASP recommendations)
  • Weak password detection (prevents users from choosing easily cracked passwords)
  • Multi-factor authentication (2FA)
  • Automatic session timeouts (timeout configurable)
  • IP whitelisting (your account is only accessible from a configured IP range)
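The first two items in the list above, strong password rules in line with OWASP recommendations and weak password detection, are illustrated by the following added example. It is not pr.co's code and does not describe how the pr.co platform implements its rules; it applies the OWASP ASVS 4.0 section 2.1 guidance (minimum 12 characters, long passwords accepted without truncation, no forced composition rules, a deny-list of known-weak passwords, no identity-derived passwords). The deny-list, the leet-speak substitution table and the sample passwords are constructed for the example; a real deployment would check against a breached-password corpus.

```python
"""Password acceptance check in line with the OWASP ASVS password rules.

Added example, not pr.co's code. Thresholds follow OWASP ASVS 4.0 section
2.1; the deny-list here is a small constructed stand-in for a real
breached-password corpus.
"""
import re
import unicodedata

MIN_LENGTH = 12    # ASVS 2.1.1
MAX_LENGTH = 128   # ASVS 2.1.2: at least 64 must be accepted; never silently truncate

# Constructed stand-in for a leaked / common password list
COMMON_PASSWORDS = {
    "password", "passwort", "qwerty", "letmein", "welcome", "iloveyou",
    "football", "dragon", "monkey", "sunshine", "princess", "trustno",
}

# Substitutions every cracking rule set already tries, so "P@ssw0rd" is still "password"
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                       "4": "a", "5": "s", "7": "t", "!": "i"})


def _canonical(password: str) -> str:
    """Reduce a password to the base word a cracker's rule set would recover."""
    base = unicodedata.normalize("NFKC", password).lower()
    base = re.sub(r"[\d\W_]+$", "", base)  # drop trailing digits/symbols: "Welcome2024!" -> "welcome"
    return base.translate(_LEET)


def check_password(password: str, username: str = "", email: str = "") -> list:
    """Return the reasons to reject the password; an empty list means accepted.

    Deliberately no 'must contain an uppercase letter / digit / symbol' rules:
    ASVS advises against composition rules because they shrink the search
    space in predictable ways and push users toward "Password1!".
    """
    reasons = []
    pw = unicodedata.normalize("NFKC", password)  # count what the user typed, consistently
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if len(set(pw)) < 4:
        reasons.append("too few distinct characters")
    if _canonical(pw) in COMMON_PASSWORDS:
        reasons.append("matches a common password")
    # Identity-derived passwords are the first guess in a targeted attack
    local_part = email.split("@", 1)[0] if email else ""
    for ident in (username, local_part):
        if len(ident) >= 4 and ident.lower() in pw.lower():
            reasons.append("contains the account name")
            break
    return reasons
```

The canonicalisation step is what turns a length rule into a real weak-password check: `P@ssw0rd2023!` satisfies every composition rule a form could impose and still reduces to `password`, while a long passphrase with no symbols at all passes cleanly.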

Request our Security Whitepaper

There's only so much we can and should disclose on a page like this. If you're interested in choosing pr.co as your PR Software vendor, please get in touch with our sales representative and ask for our Security Whitepaper.

This document goes a lot more in-depth into the exact technologies, processes and policies that we've implemented to make pr.co a reliable partner for organizations big and small.

Please get in touch here: pr.co/talk-to-sales.

Risk questionnaires & pen tests

Catering to organizations big and small for many years has given us extensive experience working with risk assessment teams, filling in questionnaires, going through IT reviews, and facilitating penetration tests on our platform.

Is this something you require as part of your risk assessment procedure? Please point this out during your talks with our sales team so that they can include it as part of your SLA.

Bug bounty policy

We maintain a very straightforward bug bounty policy. If you report something that we can reproduce and verify as a vulnerability or security risk, we'll find a way to reward you in proportion to the severity of the finding.

Have you found something? Please send a report describing the risk and how we can reproduce it to security@pr.co.

Uptime status

Get a live view of our uptime

Our uptime is 99.9% or higher. We base this on live monitoring of all critical components of the pr.co platform. You can check our past-month statistics at status.pr.co.