Getting Started

• Overview

Terms

• User Terms of Service
• API Terms and Conditions

Policies

• Privacy Notice

Security

• Security Measures
• Report a Security Vulnerability

Security Measures Overview

At Procore, we’re serious about protecting our customers’ data, and have implemented numerous security measures to achieve that goal. In the spirit of transparency, some of those measures are described below.

Configurable User Permissions

Procore utilizes access controls that enable customers to control access to projects. The access control levels include (1) administrators, (2) standard users, and read-only users. Administrators can manage projects and add users with custom permission levels to projects. Standard users have permissions assigned to them by the administrator. Read-only users have read-only access to areas of Procore designated by the administrator.

Data Protection

Procore has implemented measures to protect data transmitted to/from and stored on its secure cloud, including:

Password Protection

• Procore uses hashing with salt when storing and transmitting passwords
• Procore's API supports the OAuth 2.0 protocol
• Procore supports single-sign-on (SSO) using SAML 2.0, which provides customers with flexibility in implementing their own security standards

Encryption of Data

For data-at-rest, Procore utilizes provider managed device encryption services. This includes AWS S3 Server-Side Encryption for all data objects, and Amazon EC2 EBS Encryption for EBS volumes. Procore connections are secured using HTTPs protected by Transport Layer Security (TLS). The data in transit is encrypted using the AES256 standard, the secure hash algorithm (SHA-2) for message authentication and RSA as the encryption key exchange mechanism.

Automated Vulnerability Detection

All Procore applications are scanned weekly for vulnerabilities, including (but not limited to) vulnerabilities identified in the Open Web Application Security Project Top 10.

Application Attack Protection

Procore employs countermeasures and technologies to prevent and dissuade attackers.

Secrets Management

Encryption keys are managed and stored using industry standard processes.

Infrastructure Security

Procore implements numerous policies on its infrastructure to protect customers’ information, including:

File-Type Limits

Files uploaded to Procore can be restricted to certain pre-approved file extensions.

Access Control Policies

Procore restricts access to its premises and to customer data, and protects its source code repositories by using, among other measures, multi-factor authentication to access production systems.

Data Hosted by Amazon Web Services

Amazon hosts Procore data in Amazon Web Service’s (AWS) highly secure data centers, which include state-of-the art power supplies and backup generators. Access to AWS data centers requires multi-factor authentication, and all access is logged.

Procore Employee Training

Our employees are continuously trained and re-trained (at least annually) on security best practices.

Best-In-Class Service

Procore has a service-level objective for the 99.9% availability of its services. Individuals can email security@procore.com with any security-specific concerns or questions, or to identify specific vulnerabilities.

Compliance

SSAE 18 Type 2 Compliant

Procore is SSAE 18 (SOC 1 & 2) compliant. The SOC 2 Confidentiality & Trust Principles, developed by the American Institute of CPAs (AICPA) Assurance Services Executive Committee (ASEC) provide our customers with assurance that their data is secure and private. Reports can be shared confidentially.

NIST 800-171

The National Institute of Standards and Technology Special Publication (NIST) publication 800-171 governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. Procore has received a NIST 800-171 attestation after going through a thorough third-party audit of our security controls against the Basic and Derived Controls.

ISO 27001/2 Stage 1

The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that verifies security at Procore, including physical security of facilities, personnel and assets, and IT security for all systems and information. Click here to download a stage 1 recommendation letter.

Third-Party Vendor Compliance

Procore’s vendors also work to ensure that Procore’s customers’ data is protected. These third-party vendors are audited for compliance with Procore’s security standards.