At Procore, we’re serious about protecting our customers’ data, and have implemented numerous security measures to achieve that goal. In the spirit of transparency, some of those measures are described below.
Procore utilizes access controls that enable customers to control access to projects. The access control levels are (1) administrators, (2) standard users, and (3) read-only users. Administrators can manage projects and add users to projects with custom permission levels. Standard users have the permissions assigned to them by an administrator. Read-only users have read-only access to the areas of Procore designated by an administrator.
Procore has implemented measures to protect data transmitted to/from and stored on its secure cloud, including:
For data at rest, Procore uses provider-managed encryption services: AWS S3 server-side encryption for all stored objects and Amazon EBS encryption for the EBS volumes attached to EC2 instances. Connections to Procore are secured with HTTPS, that is, HTTP protected by Transport Layer Security (TLS). Data in transit is encrypted with AES-256, message authentication uses a hash from the SHA-2 family, and RSA serves as the key exchange mechanism. A caveat for readers evaluating this configuration: a cipher suite that uses RSA to transport the session key (the TLS_RSA_* suites) provides no forward secrecy, so a later compromise of the server's private key would expose previously recorded sessions; suites that pair an ephemeral (EC)DHE exchange with RSA used only for authentication keep the RSA certificate while avoiding that weakness, and TLS 1.3 permits only ephemeral key exchange.
All Procore applications are scanned weekly for vulnerabilities, including (but not limited to) the classes of weakness listed in the Open Web Application Security Project (OWASP) Top 10.
Procore employs countermeasures and technologies to prevent and deter attacks.
Encryption keys are managed and stored using industry-standard processes.
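The transport description above (AES-256, SHA-2 message authentication, RSA key exchange) can be turned into a concrete check of what a server actually offers. The following is an added example and not Procore's code: it parses IANA cipher suite names (as printed by `openssl ciphers -stdname` or listed in a TLS scanner report), tests each against the stated policy, and separately reports forward secrecy, which the stated policy alone does not guarantee. The policy thresholds and the sample suite list are assumptions constructed for illustration.

```python
"""Classify TLS cipher suites against the transport policy described above.

Added example; not Procore's code. It encodes the page's description of
data in transit (AES-256 bulk encryption, SHA-2 for message authentication,
RSA for key exchange) as a checkable policy and also reports whether each
suite gives forward secrecy. Suite names are IANA names; the sample list at
the bottom is constructed for illustration.
"""
import re
from dataclasses import dataclass

# TLS 1.2-style names: TLS_<kx>[_<auth>]_WITH_<cipher>_<mac-or-prf hash>
_TLS12 = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA)(?:_(?P<auth>RSA|ECDSA|DSS))?"
    r"_WITH_(?P<cipher>.+)_(?P<hash>SHA384|SHA256|SHA|MD5)$"
)
# TLS 1.3 names carry only the AEAD and hash; key exchange is always ephemeral (EC)DHE.
_TLS13 = re.compile(
    r"^TLS_(?P<cipher>AES_(?:128|256)_GCM|AES_128_CCM(?:_8)?|CHACHA20_POLY1305)"
    r"_(?P<hash>SHA256|SHA384)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str    # "ECDHE", "DHE", "ECDH", "DH", "RSA" (key transport) or "TLS13"
    authentication: str  # "RSA", "ECDSA", "DSS", or "cert" (TLS 1.3 negotiates the signature separately)
    cipher: str          # e.g. "AES_256_GCM"
    hash_alg: str        # "SHA256"/"SHA384" are SHA-2; bare "SHA" is SHA-1

    @property
    def forward_secrecy(self) -> bool:
        # Only ephemeral exchanges protect recorded traffic against later key compromise.
        return self.key_exchange in ("ECDHE", "DHE", "TLS13")


def parse_suite(name: str) -> Suite:
    m = _TLS13.match(name)
    if m:
        return Suite(name, "TLS13", "cert", m["cipher"], m["hash"])
    m = _TLS12.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    # In TLS_RSA_WITH_* the server's RSA key both transports the premaster secret and authenticates.
    return Suite(name, m["kx"], m["auth"] or m["kx"], m["cipher"], m["hash"])


def evaluate(name: str) -> dict:
    """Check one suite against the stated policy and collect practitioner advisories."""
    s = parse_suite(name)
    violations, advisories = [], []
    if not s.cipher.startswith("AES_256"):
        violations.append(f"bulk cipher {s.cipher} is not AES-256")
    if s.hash_alg not in ("SHA256", "SHA384"):
        violations.append(f"hash {s.hash_alg} is not in the SHA-2 family")
    if s.key_exchange == "RSA":
        advisories.append("RSA key transport: no forward secrecy, absent from TLS 1.3")
    elif not s.forward_secrecy:
        advisories.append(f"static {s.key_exchange}: no forward secrecy")
    if s.cipher.endswith("_CBC"):
        advisories.append("CBC mode: prefer an AEAD suite (GCM, CCM or ChaCha20-Poly1305)")
    return {
        "name": s.name,
        "key_exchange": s.key_exchange,
        "authentication": s.authentication,
        "forward_secrecy": s.forward_secrecy,
        "meets_stated_policy": not violations,
        "violations": violations,
        "advisories": advisories,
    }


def audit(names) -> dict:
    """Split a server's offered suites into those to keep and those to drop.

    A suite is kept only if it meets the stated policy *and* gives forward
    secrecy, the bar a reviewer would apply on top of the page's wording.
    """
    result = {"keep": [], "drop": []}
    for n in names:
        r = evaluate(n)
        bucket = "keep" if r["meets_stated_policy"] and r["forward_secrecy"] else "drop"
        result[bucket].append(n)
    return result


# Constructed sample: what a scanner might list for a server offering legacy and modern suites.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",                         # TLS 1.3, ephemeral exchange
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",          # RSA for auth only, ECDHE for keys
    "TLS_RSA_WITH_AES_256_CBC_SHA256",                # literally "AES-256, SHA-2, RSA", but no forward secrecy
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",  # strong, but not AES-256 as the page states
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",                  # legacy: 3DES and SHA-1
]

if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        r = evaluate(suite)
        print(f"{suite:48} policy={r['meets_stated_policy']!s:5} fs={r['forward_secrecy']!s:5} "
              f"{'; '.join(r['violations'] + r['advisories'])}")
    print(audit(SAMPLE_SUITES))
```

The point the sample makes is that TLS_RSA_WITH_AES_256_CBC_SHA256 satisfies every word of the stated policy and is still a suite a reviewer would drop, while the ECDHE_RSA suite keeps RSA (for authentication) and adds forward secrecy.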
Procore implements numerous policies on its infrastructure to protect customers’ information, including:
Files uploaded to Procore can be restricted to certain pre-approved file extensions. An extension allowlist is most effective when the file's content is also checked against the format its extension claims, since a file's name says nothing about what it contains.
Procore restricts physical access to its premises and logical access to customer data, protects its source code repositories, and requires, among other measures, multi-factor authentication for access to production systems.
Procore data is hosted in Amazon Web Services (AWS) data centers, which include state-of-the-art power supplies and backup generators. Physical access to AWS data centers requires multi-factor authentication, and all access is logged.
Employees receive recurring training on security best practices, at least annually.
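The upload restriction described above is usually implemented as an extension allowlist paired with a content check. The following is an added example, not Procore's code: the extension states which format the upload claims to be, and the file's leading bytes must agree with that claim, so a renamed executable is not accepted merely because its name ends in ".pdf". The allowlist, the signatures, the size cap and the sample uploads are all assumptions constructed for illustration.

```python
"""Extension allowlist paired with a content check for uploaded files.

Added example; not Procore's code. The allowlist, signatures and size cap
are assumptions chosen for illustration; the sample inputs are constructed.
"""
import posixpath

# Claimed extension -> leading bytes the content must start with.
# .docx and .xlsx are ZIP containers, so they share the ZIP local-file-header magic.
MAGIC = {
    "pdf":  (b"%PDF-",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
}
ALLOWED_EXTENSIONS = frozenset(MAGIC)   # hypothetical allowlist
MAX_BYTES = 50 * 1024 * 1024             # hypothetical size cap


def safe_basename(filename: str) -> str:
    """Drop directory components (either separator style) and trailing dots/spaces.

    Windows strips trailing dots and spaces when creating a file, so "a.pdf. "
    would land on disk as "a.pdf"; normalising first keeps the extension check
    honest about the name that will actually be stored.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    return name.rstrip(". ")


def validate_upload(filename: str, data: bytes, allowed=ALLOWED_EXTENSIONS):
    """Return (accepted, reason); reason is "" when the upload is accepted."""
    if "\x00" in filename:
        return False, "null byte in filename"
    name = safe_basename(filename)
    if not name:
        return False, "empty filename"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        # Covers "README" (no extension) and ".htaccess" (dotfile with no stem).
        return False, "no extension"
    ext = ext.lower()                      # ".PDF" and ".pdf" are the same claim
    if ext not in allowed:
        return False, f"extension .{ext} not in allowlist"
    signatures = MAGIC.get(ext)
    if signatures is None:
        # Fail closed: an allowed extension we cannot verify by content is not accepted.
        return False, f"no content signature registered for .{ext}"
    if not data.startswith(signatures):
        return False, f"content does not match .{ext}"
    return True, ""


# Constructed sample uploads: (filename, leading bytes).
SAMPLE_UPLOADS = [
    ("invoice.PDF", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),           # accepted: case-insensitive extension
    ("payload.pdf.exe", b"MZ\x90\x00"),                          # rejected by the allowlist
    ("payload.exe.pdf", b"MZ\x90\x00"),                          # passes the allowlist, fails the content check
    ("../../etc/cron.d/job.png", b"\x89PNG\r\n\x1a\n\x00"),     # path stripped, content matches
    ("photo.jpg\x00.exe", b"\xff\xd8\xff\xe0"),                 # null-byte truncation trick
    (".htaccess", b"AddType application/x-httpd-php .png\n"),    # dotfile with no stem
]

if __name__ == "__main__":
    for fname, head in SAMPLE_UPLOADS:
        ok, why = validate_upload(fname, head)
        print(f"{fname!r:32} {'ACCEPT' if ok else 'REJECT'} {why}")
```

For ZIP-based formats the magic bytes only prove the upload is a ZIP container, so those types warrant further inspection (member listing, decompressed-size limits, and excluding macro-bearing variants such as .docm from the allowlist); serving uploads from a separate origin with a fixed Content-Type is the usual complement on the download side.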
Procore maintains a service-level objective of 99.9% availability for its services. Individuals can email firstname.lastname@example.org with security-specific questions or concerns, or to report a specific vulnerability.
Procore is examined under SSAE 18 and holds SOC 1 and SOC 2 reports. The SOC 2 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality and Privacy), developed by the American Institute of CPAs (AICPA) Assurance Services Executive Committee (ASEC), give customers independent assurance about the controls that keep their data secure and private. Reports can be shared confidentially on request.
NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, specifies the security requirements for handling Controlled Unclassified Information (CUI) outside federal systems. Procore has received a NIST 800-171 attestation after a thorough third-party audit of its security controls against the publication's basic and derived security requirements.
ISO/IEC 27001 is the international standard for information security management systems; certification against it involves independent audit of security at Procore, including physical security of facilities, personnel and assets, and IT security for all systems and information. A stage 1 audit recommendation letter is available for download.
Procore’s vendors also work to ensure that Procore’s customers’ data is protected. These third-party vendors are audited for compliance with Procore’s security standards.