Security is in our DNA.

All our products and client solutions are designed with security at the forefront. We go to great lengths to protect the security of your account, your data, and your users.


Vulnerability disclosure

If you have found a vulnerability you would like to disclose, you can contact us directly at:
support [at] prismgroup [dot] io


Account security


We only serve our website and systems via HTTPS; this includes the APIs for both Prism and client systems.

We enforce two-factor authentication for logins to sensitive applications such as our backend services and any critical infrastructure.

We use role-based access tokens to serve all client applications and we let API users create multiple customisable access tokens for granular control over access to your data.


Software security


All systems run in isolated container environments running the latest stable version of Debian Linux. The backend applications run on the latest stable version of the language or framework they are built on.

We subscribe to documented threats from public security research databases (such as the Common Vulnerabilities and Exposures catalog). We also run automated vulnerability scanners across our code base before each deploy.

All major changes to code require thorough security and application testing prior to deployment to the production environment.


Physical security


All our application infrastructure runs inside Amazon Web Services (AWS) operated data centers, all of which are physically located in Australia.

Physical access to AWS facilities is highly restricted, and the facilities are monitored by professional security personnel. They feature industry-leading environmental security controls and redundancy to safeguard against loss of power, fires, and adverse weather conditions.

Read more about AWS Security


Data Security


All data is encrypted in transit and when at rest. Full stop. We also ensure regular backups and redundancy of data.


Logging & Monitoring


We log all activity across our cloud-based systems and networks. This includes actions performed by users on our applications, requests to APIs, and configuration changes.

We monitor these logs through a central platform that also provides alerting on security incidents and anomalies.


Payment Processing


Any payments in our apps are handled by Stripe, which is certified to PCI Service Provider Level 1. This is the highest level of PCI DSS certification possible. Payment information is transmitted directly to Stripe over an encrypted connection (HTTPS) for secure storage and never touches our systems.

Read more about Stripe Security


Mitigation


Distributed denial-of-service (DDoS) attacks are common across the internet. All our edge locations and load balancers are protected with AWS DDoS protection.

Our applications are also scalable by design and elastically grow in compute capacity when under increased load.

We also implement a number of intelligent firewalls and controls to protect our services at the application layer.

Have a question about how we do security?