Security at Port
Port’s founding team is made up of DevSecOps engineers, cybersecurity experts, and ex-military service members. Security is important to us, and as such, it is embedded into the core of our development process from day one.
Trust and security are of vital importance to us, and we are dedicated to meeting and exceeding all applicable security standards, since our customers, partners and the industry as a whole deserve the best.
Port maintains active SOC 2 Type II compliance. It is also compliant with various data protection laws and regulations that are applicable to its services.
Data Security & Governance
Port offers industry-standard data controls for data security. These include:
- Encryption-in-transit and at-rest: Port uses SSL (TLS v1.2+ where applicable) for all of its requests and implements industry standard encryption, authorization and authentication.
- Blocklisting and PII data redaction: you can completely exclude code segments and redact PII if needed.
- Single Sign-On (SSO) using Auth0 as the login provider, supporting all major IdPs such as Okta, OneLogin, Azure AD and more.
- Role-Based Access Control (RBAC): Port supports granular RBAC.
- Audit logs to secure access to the platform and prevent unauthorized data access. Port activity and changes are logged and auditable in Port.
- In addition, Port makes use of rotating access tokens, credentials and secrets to guarantee the long-term safety of user data.
Port does not store any customer credentials or private information. The only data stored in Port is the metadata customers decide to ingest into the catalog using the different applications, exporters, or the API. All data that is collected is explicitly chosen by the customer; Port doesn't automatically collect anything on its own. Data processing is performed by the customer before it reaches Port, so that fields, formats, etc. can be redacted before the data is sent to Port. Data is pushed to Port, so integration doesn't require inbound networking. You can also adjust the permissions given to Port according to your preferences, and the data retention period is configurable by the customer.
- Data extraction - the customer has full control over what is being extracted, for example when integrating GitHub, Kubernetes, AWS, or any other 3rd-party service. This can always be modified by the customer.
- Data transformation - data is transformed before it is sent to Port, allowing redaction of sensitive data.
- Data loading - data is encrypted in transit and at rest.
- Data retention - full control over the retention of the data at different levels of granularity.
Port’s event subscription model
Submissions of self-service actions or workflow automation flows are built on top of an event subscription model. We chose event subscriptions for the following reasons:
- Port is loosely coupled with the underlying DevOps automation responsible for automating a task
- This ensures that Port does not hold keys/secrets to customer on-premise infrastructure or customer cloud environments
- This avoids opening an inbound network path to customer premises
When Port creates an event that needs to be acted upon (e.g. workflow automation or triggering a self-service action), there are two options:
- Implement a secure webhook that uses industry standard encryption to transport data. Access to that data is only possible when one provides the correct credentials, which are unique to each customer.
- Subscribe to a dedicated message queue that is provided on a single tenant basis and is fully encapsulated from other customers. The dedicated queue uses industry standard encryption algorithms. Furthermore, every customer is provided with separate credentials.
Since Port is loosely coupled and doesn’t orchestrate the action, Port doesn’t directly access the customer's cloud environment.
Periodic penetration testing
Independent external third parties perform periodic penetration tests on Port infrastructure, web applications and APIs, so that any vulnerabilities can be fixed immediately.
All information stored by Port is backed up multiple times per day. Backups are stored in AWS S3 buckets for maximum backup resilience and availability. All backed-up data is encrypted at rest with AES-256 using AWS encryption keys.
Port monitors its critical infrastructure for security-related events by using industry standard tools and services such as Sentry, AWS CloudWatch, AWS X-Ray and OpenTelemetry providers.
Access to data
All data submitted to Port is considered confidential and stays in the production environment except in limited circumstances such as to support a customer request. Strict access controls are enforced for all data access. Data retention is one year at most and can be controlled by the customer.
Port offers Data Processing Agreements to verify compliance with privacy standards.
We have integrated security into our Software Development Lifecycle, with controls such as code scanning, library vulnerability detection, remediation and alerting.
Physical and corporate security
Port's production environment runs on AWS; access to it is restricted to authorized Port employees and is granted securely. Port has strict security controls for all endpoints and personnel and conducts regular security training for employees.
Security & Compliance
Port’s information security team, led by CTO Yonatan Boguslavskli, is tasked with keeping up to date with the numerous legal and regulatory requirements applicable to Port’s customers and Port itself. To make sure those requirements are met, Port works with employees, customers, legal counsel, auditors, investors, and other advisors.
For up-to-date information on Port’s compliance and more certifications, write to us at firstname.lastname@example.org.