Security & Compliance Features
Prismic content is distributed through an API that can be configured as private. In private mode, the API requires the client application to authenticate itself to query, retrieve and display any content stored in a Prismic repository. Each data-consuming client application may use a distinct set of authentication credentials.
User management is strictly isolated from one Prismic repository to another. Isolation allows for granular control over permissions across Prismic repositories delivering content to client applications. More information on user roles here.
Content and API versioning
Prismic keeps track of content version history and provides restoring capability to previously published versions. Additionally, any new publication creates a new identifiable version of the API. More about the API here.
SSO & 2FA
Prismic integrates with most Enterprise identity federation and Single-Sign-On standards or services (AD, Okta) through the OAuth2 standard. This integration with SSO allows you to implement and enforce an existing centralized Access Management Policy such as password enforcement rules, multi-factor authentication, etc.
Specifications and support for integrating your Enterprise SSO are available upon request for Enterprise clients.
Development teams typically need separate environments for safely iterating on the content model. The ability to clone a Prismic repository into a development or staging environment is available on the Platinum and Enterprise tiers. Beyond being convenient for development workflows, this feature eliminates the risk of impacting the client's production website when the development team is making changes to the content model. More about Environments here.
Data hosting and storage
Prismic services and data are hosted in Amazon Web Services (AWS) facilities us-east-1 located in Northern Virginia, USA.
AWS facilities comply to the following security and data privacy standards: ISO/IEC 27001:2013, ISO/IEC 27017, ISO/IEC 27018, PCI-DSS Level 1, CSA STAR Level 1,2&3, SOC 1, SOC 2, SOC 3.
Prismic shares with its employees a set of security policies and guidelines, covering a range of topics, among which : strong password policy, physical security policies, best practices in cybersecurity, privacy and confidentiality rules and policy.
Security in SDLC (software development lifecycle)
Security is enforced throughout the whole release cycle. Quality assurance processes for each release involve code peer-reviews and verifying a list of security checks and/or tests to be successfully passed. Extensive non-regression testing is done and subject to approval before releasing into production.
Prismic maintains a list of its services and software suppliers. Prismic performs a risk-analysis on third-party suppliers, reviews their security posture and security tracks, and ensures they follow mandatory compliance laws and certifications (such as PCI compliance for payment providers, SOC2, ISO 27001 for business-critical services).
Prismic is running on AWS infrastructure (EC2, S3, Lambda and Cloudfront). Learn more about AWS security.
Audit Logging / Intrusion Detection
Prismic has tooling and processes in place for monitoring account activity related to actions across the infrastructure.
Segregation and firewalls
Prismic uses AWS' Network Security Groups rules. Additionally, Prismic reviews and adapts these rules at least once a year. A virtual firewall between tenants, as well as an environment protection by firewall is provided by the AWS / EC2 services.
Prismic continuously performs vulnerability scanning using industry standards and tools.
Prismic performs periodic internal evaluation of its peripheral and in-depth services. Audits are performed by external and independent contractors specializing in web application cybersecurity.
Penetration tests are performed on a yearly basis. A remediation plan is scheduled according to the criticality of the issues found, including additional tests for the resolved vulnerabilities.
System and Network Monitoring
System and Network availability, performance and capacity are routinely monitored to ensure that potential issues are detected, reported, logged, and resolved in a timely manner.
Availability, Business Continuity & Operational Resilience
Prismic infrastructure is running on Amazon Web Services (AWS).
"AWS is continuously innovating the design and systems of their data centers to protect them from man-made and natural risks by implementing controls, build automated systems, and undergo third-party audits to confirm security and compliance. AWS provides multiple Availability Zones that are separate, yet interconnected data centers within the major regions."
AWS is responsible for providing a secured data center facility with environmental control systems. AWS is responsible for providing space, power, cooling, and physical security for the servers, data storage, and networking equipment as part of their service offering. AWS provides Prismic connectivity to a variety of telecommunications and network service providers. AWS also provides Prismic with environmental control systems including fire suppression systems, cooling systems, uninterruptible power supply (UPS) systems, and generators.
Prismic addresses high availability, failure resilience and business continuity through a range of principles and processes to minimize operational disruption of services. Some highlights are:
- Data & application services are redundant
- All Prismic functional and data services operate on three availability zones with active redundancy
- Automated failing machines replacement
- Data modifications logged and backed up
- Data snapshots stored and archived for a full year on a resilient and redundant storage
- Physical and logical separation between backend and API services to ensure failures in backend services do not impact API services
Prismic implements and yearly tests runs for Disaster Recovery procedures to rapidly recover and restore both its infrastructure and clients' data:
- Hot "standby" environments enabling
- Rapid failover at scale
- Data backup and archiving
- Restoring databases from backups
Uptime and SLAs
General availability of the API and Writing Room uptime monitoring is available here using a third-party Performance and Availability Monitoring service.
Encryption and data transfer
All communication between the user's web browser or your middleware and Prismic servers is done using HTTPS and encrypted using Transport Layer Security (TLS) version 1.2. Data transferred within Prismic, for instance between EC2 instances and S3 storage facilities, is secured via SSL endpoints using the HTTPS protocol.
Customers are free to comply to additional backup requirements beyond what Prismic provides by using the Export module or by querying their Repository API endpoint.
Backups and data recovery
Prismic ensures backups through snapshots and retains them on a pre-established rule set in Amazon S3 buckets (Amazon's highly available cloud storage). Backups are used to restore a customer’s content Repository in the case of multiple disk failures or total data center loss. Amazon S3 repositories are distributed amongst multiple Availability Zones (datacenters) and multiple devices within each Availability Zone for redundancy. From here, Prismic is able to perform granular level recovery.
Incident Response Plan
Prismic implements and maintains appropriate incident response measures and procedures for systems that handle or hold Customer Data, including, but not limited to: Operational problems and all security incidents being detected, reported, logged, and resolved in a timely manner.
Prismic’s Incident Response Plan incorporates tenant specific information security contacts for each Enterprise customer, and incident response procedure best-practices from international standards or regulations which meets a wide range of customer requirements.
Prismic fulfils its obligations and maintains transparency about how it processes personal data.
Data Processing Addendum (DPA)
Prismic is in the process of making a DPA available online, in the meantime, customers with an Enterprise written agreement may reach out to their Account Manager to extend their written agreement with a DPA.
Prismic customers can export all content created by users in the Prismic interface. This data set export includes the content itself (images, texts, link, etc. input by users) as well as metadata generated by the application such as first publication and last updated dates. This data set can be exported through the tenant API endpoint.
Personal data processed by the Prismic application is limited to the name and email of business users that have access to a Prismic repository. More personal data can be processed by Intercom (learn more about Intercom’s Security Posture) which Prismic uses for Sales, Marketing and Support operations. Users can reach out to email@example.com to request an export of their personal data.
Permanent data deletion
Permanent data deletion request should be addressed directly to firstname.lastname@example.org, or made through one of our support channels. Prismic users are required to delete the content repositories they own (or transfer their ownership) before their user account can be permanently deleted.
Data security breach
Prismic’s DPA and Master Service Agreements enforce that any data privacy breach would prompt a communication toward its customers in a timely manner. Prismic Data security policy complies with EU data privacy laws (GDPR).
Compliance certifications & policies
Prismic’s security team is responsible for ensuring that controls are designed and are operating effectively. This consists of auditing our processes to ensure they operate according to management's intentions.
Prismic's Security Officer ensures, in coordination with its legal counsel, a watch on legal issues and regulations for any emerging regulatory requirements to better anticipate and align with new legal requirements.
Prismic employees complete a Security and Awareness training on an annual basis.
All payment instrument processing is outsourced to Stripe. Stripe has been audited by a PCI-certified auditor and is certified as a PCI Service Provider Level 1. More info: https://stripe.com/docs/security/stripe
Anything else you'd like to know – about security or else? Send us an email.