Security at Pronto
Last updated: January 1, 2020
Security is a top priority at Pronto. We strive to improve our security posture every day and to stay compliant with the latest security guidelines. To protect all your data, we perform comprehensive audits of all our applications, systems and networks. We systematically assess all risks, threats and vulnerabilities to information security, and we maintain strict controls and management processes to manage risk and meet security needs. All our certifications are carried out by independent third-party auditors to ensure unbiased neutrality.
We employ a holistic and collaborative approach to guarantee the confidentiality, availability and integrity of all data hosted on our platform. The entire management team of Pronto is accountable for security and ensures that security capabilities and the relevant competencies exist at all levels of our business.
Pronto's web application architecture and implementation follow OWASP guidelines.
In addition to extensive testing by the Pronto team, we also employ an independent third-party vendor to perform application penetration testing at least annually.
Pronto login and user authentication require strong passwords. User passwords are salted, irreversibly hashed and stored in Pronto's database securely.
Login using Pronto-provided cloud authentication can be disabled by enabling SSO. Pronto supports SSO using SAML (Okta), which lets users authenticate to the Pronto platform without creating Pronto-specific login credentials.
- Pronto hosts all its software (development, testing and production environments) in either Amazon Web Services (AWS) or Google Cloud data center facilities in the USA. Both Amazon and Google Cloud provide an extensive list of compliance and regulatory assurances. Please refer to Amazon's and Google Cloud's compliance and security documentation for more detailed information.
- All of Pronto's servers are located within Pronto's own virtual private cloud (VPC), protected by restricted security groups.
- Pronto employs third-party security vendors to conduct independent third-party network vulnerability scans at least annually, if not more frequently.
- All connections to Pronto are encrypted using SSL TLS 2.0, and any attempt to connect over HTTP is redirected to HTTPS.
- All customer data is encrypted at rest and in transit.
- System passwords are encrypted using AWS KMS with restricted access to specific production systems.
- Pronto uses industry-standard PostgreSQL, Elasticsearch and MongoDB data storage systems hosted on AWS and/or by the respective vendors.
- Data access and authorizations are provided on a need-to-know basis, and based on the principle of least privilege. Access to the AWS production system is restricted to authorized personnel.
- Customer data is purged from Pronto systems after contract termination or when a specific request is made.
- Pronto takes a holistic and personalized approach to compliance and maintaining GDPR compliance.
- Pronto employs data protection and privacy by design, combining enterprise-grade security features with comprehensive audits of our policies, applications, systems, and networks.
- Security compliance certifications such as SOC 2 Type I, SOC 2 Type II, ISO 27001, and EU/Swiss-US Privacy Shield are currently in process, and current progress reports will be made available to customers upon request.
- Pronto maintains detailed logs of all activity on the platform. Logs are streamed from different sources and analyzed to identify any vulnerabilities or unauthorized access.
- Pronto provides the APIs required to download a raw dump of customer-specific logs.
- Pronto maintains a formal incident response, disaster recovery and business continuity plan in compliance with SOC 2 guidelines.
- Pronto conducts a variety of audits to ensure continuous compliance with industry standards and best practices.
- Pronto is committed to information security at every level of our organization. Our stringent security policies and Infosec program are a clear indicator of our commitment to data privacy and information security.
- Pronto is in the process of becoming SOC 2 Type I compliant and provides a third-party progress report covering adherence to security, availability, confidentiality and privacy.