Here are the tools and policies we’ve deployed to ensure our users’ data remains secure. Password management, infrastructure, certifications, and more.
Primer uses Google Cloud Identity for Single Sign-On and 1Password for password management.
Employees are required to use a password manager for all internal and third-party accounts and are encouraged to use strong, random, frequently changed passwords that are not shared between accounts.
Passwords to Primer user accounts are never stored in plaintext: each password is salted and hashed with an industry-standard password hashing algorithm before storage.
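As an added illustration of what "salted and hashed" means in practice (this is example code written for this page, not Primer's implementation, and the page does not name the algorithm or cost parameters, so scrypt with N=2^14, r=8, p=1 is an assumption), the following stores a self-describing record per password, verifies with a constant-time comparison, and detects records made under an older parameter policy:

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters for scrypt. Assumption: the page does not name its algorithm or
# parameters, so these are illustrative (N=2^14, r=8, p=1 uses about 16 MiB).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt and hash a password; return a self-describing record for storage.

    The record carries the algorithm name, its cost parameters, the salt and the
    derived key, so a verifier can recompute the hash without any shared secret,
    and parameters can be raised later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    derived = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), derived.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored record and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, derived_hex = record.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(derived_hex)
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=salt,
            n=n, r=r, p=p, dklen=len(expected),
        )
    except ValueError:
        return False  # malformed record or bad parameters: never a match
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if the record's parameters differ from the current policy."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    try:
        stored = (int(parts[1]), int(parts[2]), int(parts[3]))
    except ValueError:
        return True
    return stored != (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

The salt goes into the record rather than a separate secret: its job is to make identical passwords hash differently and to defeat precomputed tables, not to be confidential. Checking `needs_rehash` at login time lets a service raise its cost parameters and transparently re-store the hash the next time each user authenticates.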
A fleet management system is used to maintain a real-time inventory of all company laptops and manage them, allowing our team to enforce:
- Software updates and patches
- Full hard disk encryption
- Local firewall enablement
- Password strength and re-use policies
- Screen lock / idle timeout guidelines
- Prevention of app installation from untrusted sources
By default we enforce the following policies on all employees and contractors:
- Hard disk encryption (FileVault) enabled
- OS updates required to be installed
- Automatic software updates required
- Screensaver must start after 15 minutes of inactivity
- Device password required
Primer's services are hosted on AWS (Amazon Web Services), which employs strong physical security practices at its data centers (details of which can be found in this whitepaper). As described in the whitepaper, this includes, but is not limited to:
- Nondescript, unmarked facilities
- Strict physical access controls, including security staff, video surveillance, intrusion detection, and two-factor authentication
- Logging and regular auditing of all employee access
- Fire detection and suppression equipment
- Fully redundant power supply, including the use of an Uninterruptible Power System and backup generators
- Precise climate and temperature controls
- Continuous monitoring and preventative maintenance of critical infrastructure
In addition to relying on AWS's physical security practices, Primer uses nondescript, unmarked facilities for its employee workplaces. Primer also logs and regularly audits all employee data access using an electronic access control system.
- Sensitive datastores are protected using [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/)
- Primer uses Amazon RDS, reachable only from inside the VPC, with encryption at rest and automated snapshots enabled
- Primer uses CloudTrail for audit logging and security groups to restrict network access to its instances
- All network traffic to Primer services is encrypted via TLS
- Access to production systems and other sensitive services is restricted to authorized employees only
- Access rights are regularly audited and revoked the day an employee or contractor separates from Primer
- Employees are granted the minimum level of access to Primer's production systems required to perform their duties
- Primer's information security policy is reviewed with all new employees and available to all employees
- Employees are made aware of any information security policy updates and other security-related process updates
- Primer's network and AWS instances are continuously monitored for malicious and unauthorized behavior
- Primer's codebase is continuously and automatically scanned for critical vulnerabilities and other security issues
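The RDS and security-group items above describe a configuration that can be checked mechanically. The following is an added example written for this page, not Primer's tooling: an audit over data in the shape that boto3's `rds.describe_db_instances()["DBInstances"]` and `ec2.describe_security_groups()["SecurityGroups"]` return, flagging databases that are publicly reachable, unencrypted or unsnapshotted, and ingress rules open to the whole internet. The sample resources are constructed (made-up identifiers, not real infrastructure), and the assumption that only TCP 443 (TLS) is meant to be internet-facing is the example's own.

```python
from typing import Dict, List

# Constructed sample data in the shape returned by boto3's
# rds.describe_db_instances()["DBInstances"] and
# ec2.describe_security_groups()["SecurityGroups"]. Made-up identifiers.
SAMPLE_DB_INSTANCES: List[Dict] = [
    {"DBInstanceIdentifier": "app-db", "PubliclyAccessible": False,
     "StorageEncrypted": True, "BackupRetentionPeriod": 7},
    {"DBInstanceIdentifier": "legacy-db", "PubliclyAccessible": True,
     "StorageEncrypted": False, "BackupRetentionPeriod": 0},
]

SAMPLE_SECURITY_GROUPS: List[Dict] = [
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-any", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []}]},
]

# Assumption: only TLS (tcp/443) is meant to be reachable from the internet.
ALLOWED_PUBLIC_PORTS = {("tcp", 443)}


def audit_rds(instances: List[Dict]) -> List[str]:
    """Flag RDS instances that violate 'VPC-only, encrypted, snapshotted'."""
    findings = []
    for db in instances:
        name = db["DBInstanceIdentifier"]
        if db.get("PubliclyAccessible", False):
            findings.append(f"{name}: PubliclyAccessible is true (should be VPC-only)")
        if not db.get("StorageEncrypted", False):
            findings.append(f"{name}: storage is not encrypted at rest")
        if db.get("BackupRetentionPeriod", 0) < 1:
            findings.append(f"{name}: automated backups are disabled (retention 0)")
    return findings


def _open_to_world(perm: Dict) -> bool:
    """True if the rule admits any IPv4 or IPv6 source address."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def audit_security_groups(groups: List[Dict]) -> List[str]:
    """Flag ingress rules open to the whole internet beyond the allowed ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":  # "-1" means every protocol and every port
                findings.append(f"{sg['GroupId']}: all traffic open to the world")
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo == hi and (proto, lo) in ALLOWED_PUBLIC_PORTS:
                continue  # the one public listener the policy expects
            findings.append(f"{sg['GroupId']}: {proto} {lo}-{hi} open to the world")
    return findings


def run_audit(instances: List[Dict], groups: List[Dict]) -> List[str]:
    """Combine both checks into one list of findings (empty means clean)."""
    return audit_rds(instances) + audit_security_groups(groups)


if __name__ == "__main__":
    for line in run_audit(SAMPLE_DB_INSTANCES, SAMPLE_SECURITY_GROUPS):
        print(line)
```

To run this against a live account, replace the two sample lists with the output of `boto3.client("rds").describe_db_instances()["DBInstances"]` and `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`, remembering that both calls paginate, and schedule the script alongside CloudTrail review so that drift from the stated configuration is caught rather than assumed away.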
Primer uses GitHub for version control with the following policies:
- Protected branches for master and deployment branches
- A PR template
- Reviews for PRs that merge into production
- A CI system to run tests
Amazon Web Services maintains certifications and is audited regularly to maintain SOC 2 and ISO 27001 compliance, as well as other programs (see the full list here: https://aws.amazon.com/compliance). In addition, Primer's credit card payment provider (Stripe) has been independently certified to PCI Service Provider Level 1 compliance and Primer's use of Stripe addresses Primer's PCI compliance obligations under SAQ A. No sensitive credit card data is stored on Primer's services.
Note: Primer is scheduling a penetration test as the next step towards our SOC 2 compliance report.