Security at Port

How Port handles your data

Port’s founding team is made up of DevSecOps engineers and cybersecurity experts. 

We fully understand your privacy and security needs, and the following information is provided to transparently provide you with an understanding as to how and what data is accessed, transferred, and stored by Port.

Core principles

We put a lot of thought into Port’s design to make it secure. As a result, Port’s product doesn’t store secrets or credentials, and doesn't require whitelisting of IPs. Port can not make any inbound network calls into our customers’ networks. Port uses an open-source broker (either one of our exporters or a broker created using Port’s Ocean extensibility framework). All communication between the Port broker and Port is one-way, initiated from the Port broker, and encrypted with TLS. Port’s broker is stateless and requires no database migrations, no rollback concerns and doesn’t create downtime. 

Common data types in Port

The only data stored in Port is the metadata customers decide to ingest into the catalog using either Port brokers or the API. All data that is collected is explicitly chosen by the customer; Port doesn’t automatically collect anything on its own. Data processing is performed by the customer before it reaches Port, so that anything can be redacted before the data is sent to Port. The data ingested to Port is in push and doesn’t require inbound networking for integration; Port does not collect any data on its own. You do not need to give any permission to Port. You can adjust permissions to the open source broker, which means giving him permission only for the necessary metadata that you want to ingest into Port, and the data retention period is configurable by the customer.

Ingesting data into Port

Port’s Ocean broker is open-source, supporting simple security audits and runs on-prem, eliminating the need to provide Port with access to keys and secrets. There is no need to configure firewall rules, since brokers can only be accessed within your network. Brokers act as a proxy between Port and your environment, securely handling outbound connections, encrypting data during transit and deliberately controlling the access Port has to your data. Sensitive credentials stay behind your firewall.

Certifications

Port is SOC2 and ISO/IEC 27001:2022 compliant.

Periodic penetration testing

Independent external third parties perform periodic penetration tests on Port infrastructure, web applications and APIs, so that any vulnerabilities can be fixed immediately.

Backups

All information stored by Port is backed up multiple times per day. Backups are stored in AWS S3 buckets for maximum backup resilience and availability. All backed up data is encrypted at rest using AES-256 encryption using AWS encryption keys.

Monitoring

Port monitors its critical infrastructure for security-related events by using industry standard tools and services such as Sentry, AWS CloudWatch, AWS X-Ray, AWS CloudTrail, AWS WAF and OpenTelemetry providers. 

Access to data 

All data submitted to Port is considered confidential and stays in the production environment except in limited circumstances such as to support a customer request (in these circumstances a manual approval from an authorized manager is required and the access is logged internally). Strict access controls are enforced for all data access. Data retention is one year at most and can be controlled by the customer. 

‍Product security

We have integrated security into our Software Development Lifecycle, with controls such as Code scanning, library vulnerability detection, mediation and alerting.

Physical and corporate security

Port’s production runs on AWS and therefore access is restricted to authorized Port employees and is enabled securely. Port has strict security and controls for all endpoints and personnel and conducts regular security training to employees. 

Security & Compliance

Port’s information security team, led by CTO Yonatan Boguslavskli, is tasked with keeping up to date with the numerous legal and regulatory requirements applicable to Port’s customers and Port itself. To make sure those requirements are met, Port works with employees, customers, legal counsel, auditors, investors, and other advisors.

For up-to-date information on Port’s compliance and more certifications, write to us at security@getport.io.

Policies

Can I deploy Port on-premise?

Port is a SaaS product, with on-premise, open-source brokers. While we had considered requests for an on-premise Port in the past, we ended up choosing SaaS since it allows us to deliver features quickly and provide the best product. We also believe SaaS doesn’t mean compromised security, but rather the opposite.

Let us walk you through the platform and catalog the assets of your choice.

I’m ready, let’s start