Getting Started
Terms
Policies
Security
Security Measures Overview
At Procore, we’re serious about protecting our customers’ data, and have implemented numerous security measures to achieve that goal. In the spirit of transparency, some of those measures are described below.
Configurable User Permissions
Procore utilizes access controls that enable customers to control access to projects. The access control levels include (1) administrators, (2) standard users, and read-only users. Administrators can manage projects and add users with custom permission levels to projects. Standard users have permissions assigned to them by the administrator. Read-only users have read-only access to areas of Procore designated by the administrator.
Data Protection
Procore has implemented measures to protect data transmitted to/from and stored on its secure cloud, including:
Password Protection
- Procore uses hashing with salt when storing and transmitting passwords
- Procore's API supports the OAuth 2.0 protocol
- Procore supports single-sign-on (SSO) using SAML 2.0, which provides customers with flexibility in implementing their own security standards
Encryption of Data
For data-at-rest, Procore utilizes provider managed device encryption services. This includes AWS S3 Server-Side Encryption for all data objects, and Amazon EC2 EBS Encryption for EBS volumes. Procore connections are secured using HTTPs protected by Transport Layer Security (TLS). The data in transit is encrypted using the AES256 standard, the secure hash algorithm (SHA-2) for message authentication and RSA as the encryption key exchange mechanism.
Automated Vulnerability Detection
All Procore applications are scanned weekly for vulnerabilities, including (but not limited to) vulnerabilities identified in the Open Web Application Security Project Top 10.
Application Attack Protection
Procore employs countermeasures and technologies to prevent and dissuade attackers.
Secrets Management
Encryption keys are managed and stored using industry standard processes.
Infrastructure Security
Procore implements numerous policies on its infrastructure to protect customers’ information, including:
File-Type Limits
Files uploaded to Procore can be restricted to certain pre-approved file extensions.
Access Control Policies
Procore restricts access to its premises and to customer data, and protects its source code repositories by using, among other measures, multi-factor authentication to access production systems.
Data Hosted by Amazon Web Services
Amazon hosts Procore data in Amazon Web Service’s (AWS) highly secure data centers, which include state-of-the art power supplies and backup generators. Access to AWS data centers requires multi-factor authentication, and all access is logged.
Procore Employee Training
Our employees are continuously trained and re-trained (at least annually) on security best practices.
Best-In-Class Service
Procore has a service-level objective for the 99.9% availability of its services. Individuals can email security@procore.com with any security-specific concerns or questions, or to identify specific vulnerabilities.
Compliance
SSAE 18 Type 2 Compliant
Procore is SSAE 18 (SOC 1 & 2) compliant. The SOC 2 Confidentiality & Trust Principles, developed by the American Institute of CPAs (AICPA) Assurance Services Executive Committee (ASEC) provide our customers with assurance that their data is secure and private. Reports can be shared confidentially.
NIST 800-171
The National Institute of Standards and Technology Special Publication (NIST) publication 800-171 governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. Procore has received a NIST 800-171 attestation after going through a thorough third-party audit of our security controls against the Basic and Derived Controls.
ISO 27001/2 Stage 1
The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that verifies security at Procore, including physical security of facilities, personnel and assets, and IT security for all systems and information. Click here to download a stage 1 recommendation letter.
Third-Party Vendor Compliance
Procore’s vendors also work to ensure that Procore’s customers’ data is protected. These third-party vendors are audited for compliance with Procore’s security standards.