
Security

Last updated Jun 11, 2026

Security & Compliance Features

API Security

Prismic content is distributed through an API that can be configured as private. In private mode, the API requires the client application to authenticate itself before it can query, retrieve or display any content stored in a Prismic repository. Each data-consuming client application may use its own distinct set of authentication credentials, so one credential can be rotated or revoked without affecting the others.

Permissions

User management is strictly isolated from one Prismic repository to another. Isolation allows for granular control over permissions across Prismic repositories delivering content to client applications. More information on user roles here.

Content and API versioning

Prismic keeps track of content version history and provides restoring capability to previously published versions. Additionally, any new publication creates a new identifiable version of the API. More about the API here.

SSO & 2FA

Prismic integrates with most enterprise identity federation and single sign-on (SSO) standards and services (AD, Okta) through the OAuth2 standard. This SSO integration lets you apply and enforce an existing centralized access management policy, such as password rules and multi-factor authentication, to Prismic users.

Specifications and support for integrating your Enterprise SSO are available upon request for Enterprise clients.

Environments

Development teams typically need separate environments for safely iterating on the content model. The ability to clone a Prismic repository into a development or staging environment is available on the Platinum and Enterprise tiers. Beyond being convenient for development workflows, this feature eliminates the risk of impacting the client's production website when the development team is making changes to the content model. More about Environments here.

Application Security

Data hosting and storage

Prismic services and customer data are hosted on Amazon Web Services (AWS) infrastructure in the us-east-1 region (Northern Virginia, USA).

AWS is widely recognized as a global leader in cloud infrastructure, with its data centers and services certified against multiple internationally recognized security and compliance standards, including ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, PCI-DSS Level 1, SOC 1, SOC 2, SOC 3, and CSA STAR Levels 1–3.

Security policies

Prismic maintains a set of internal security policies and guidelines that are communicated to employees and form part of our information security framework. These policies cover key areas including access control (e.g. password management), physical security, secure development and operational practices, as well as data protection, privacy, and confidentiality requirements.

These policies are reviewed and updated periodically to reflect changes in our security practices and adapt to the evolving risk landscape.

Secure Development Lifecycle

Security is enforced throughout the whole release cycle. Quality assurance for each release involves code peer review and a checklist of security checks and tests that must pass. Extensive non-regression testing is performed and is subject to approval before a release goes to production.

Third-party suppliers

Prismic maintains a list of its service and software suppliers. Prismic performs a risk analysis on third-party suppliers, reviews their security posture and security track record, and ensures they hold the compliance certifications required for their role (such as PCI compliance for payment providers, and SOC 2 or ISO 27001 for business-critical services).

Infrastructure Security

Prismic runs on AWS infrastructure. AWS is responsible for providing secured data center facilities: space, power, cooling and physical security for the servers, data storage and networking equipment, connectivity to a variety of telecommunications and network service providers, and environmental control systems including fire suppression, cooling, uninterruptible power supply (UPS) systems and generators.

"AWS is continuously innovating the design and systems of their data centers to protect them from man-made and natural risks by implementing controls, building automated systems, and undergoing third-party audits to confirm security and compliance. AWS provides multiple Availability Zones that are separate, yet interconnected data centers within the major regions." Learn more about AWS security.

Audit Logging / Intrusion Detection

Prismic has tooling and processes in place for monitoring account activity and the actions taken across its infrastructure.

Segregation and firewalls

Prismic uses AWS security group rules, which act as a virtual firewall at the instance level, and reviews and adapts these rules at least once a year. Isolation between tenants and firewall protection of the environment are provided by the AWS EC2 networking services.

Vulnerability scanning

Prismic continuously performs vulnerability scanning using industry standards and tools.

Security audits

Prismic periodically evaluates both its externally exposed services and its internal, in-depth services. These audits are performed by independent external contractors specializing in web application security.

Penetration tests

Penetration tests are performed on a yearly basis. A remediation plan is scheduled according to the criticality of the issues found, and resolved vulnerabilities are retested to confirm the fix.

System and Network Monitoring

System and Network availability, performance and capacity are routinely monitored to ensure that potential issues are detected, reported, logged, and resolved in a timely manner.

Business Continuity & Operational Resilience

Business Continuity

Prismic’s business continuity strategy is designed to maintain and restore critical SaaS services during disruptive events. It combines high-availability architecture, disaster recovery procedures, incident governance, and workforce continuity measures.

Prismic’s SaaS continuity model is structured around two resilience layers:

  • Architectural Resilience: Prismic services are deployed redundantly across three Availability Zones within a single AWS region. This architecture is designed to mitigate Availability Zone-level failures through pre-provisioned redundant capacity, automated failover, and traffic re-routing. Under supported failure scenarios, this layer is intended to minimize disruption and limit data loss to in-flight transactions.
  • Operational Recovery: Where architectural resilience is insufficient, not applicable, or has failed, Prismic relies on structured operational recovery procedures. These procedures cover component redeployment, infrastructure reprovisioning, database restoration, configuration recovery, and service-level recovery actions.

Key points of the strategy:

  • Multi-Availability Zone deployment for core production services, with redundancy and automated failover where applicable,
  • Recovery prioritisation for critical services, including content delivery and authoring capabilities,
  • Automated data protection mechanisms, including backups, snapshots, replication, and point-in-time recovery capabilities,
  • Documented recovery procedures and runbooks, governed by predefined roles and responsibilities to reduce decision latency during disruptive events,
  • Infrastructure-as-Code and version-controlled configuration to support repeatable redeployment and reduce configuration drift during recovery,
  • Incident coordination through a dedicated incident management process, including incident declaration, action tracking, stakeholder communication, and post-incident documentation,
  • Fallback communication channels to preserve incident coordination if primary collaboration or incident tooling is degraded,
  • Controlled return-to-service validation, including functional checks, service health verification, data integrity checks, monitoring review, and formal incident closure,
  • Logical and physical separation between backend services and API-facing services to reduce blast radius and maximise API availability,
  • A cloud-native operating model supported by remote work capabilities, reducing dependency on physical office premises for continuity of SaaS operations.

Disaster Recovery

Prismic implements Disaster Recovery procedures, and runs tests of them yearly, to rapidly recover and restore both its infrastructure and clients' data:

  • Hot standby environments enabling rapid failover at scale
  • Data backup and archiving
  • Restoring databases from backups

Uptime and SLAs

Uptime monitoring for the API and the Writing Room is available here, provided by a third-party performance and availability monitoring service.

Data Protection

Encryption and data transfer

All communication between the user's web browser or your middleware and Prismic servers is done over HTTPS, encrypted with Transport Layer Security (TLS) version 1.2. Data transferred within Prismic, for instance between EC2 instances and S3 storage, is likewise sent over TLS-protected HTTPS endpoints.

Customer backups

Customers with backup requirements beyond what Prismic provides can take their own backups by using the Export module or by querying their Repository API endpoint.

Backups and data recovery

Prismic takes backups through snapshots and retains them under a pre-established retention rule set in Amazon S3 buckets (Amazon's highly available cloud storage). Backups are used to restore a customer's content repository in the case of multiple disk failures or total data center loss. Amazon S3 distributes stored data across multiple Availability Zones (data centers) and across multiple devices within each Availability Zone for redundancy. From these backups, Prismic is able to perform granular recovery.

Incident Response Plan

Prismic implements and maintains appropriate incident response measures and procedures for the systems that handle or hold Customer Data. These ensure, among other things, that operational problems and all security incidents are detected, reported, logged, and resolved in a timely manner.

Prismic's Incident Response Plan incorporates tenant-specific information security contacts for each Enterprise customer, and follows incident response best practices from international standards and regulations that meet a wide range of customer requirements.

GDPR

Prismic fulfils its obligations and maintains transparency about how it processes personal data.

Data Processing Addendum (DPA)

Prismic is in the process of making a DPA available online. In the meantime, customers with an Enterprise written agreement may reach out to their Account Manager to extend their written agreement with a DPA.

Data portability

Prismic customers can export all content created by users in the Prismic interface. This export includes the content itself (images, texts, links, etc. entered by users) as well as metadata generated by the application, such as first publication and last update dates. This data set can be exported through the tenant API endpoint.
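As an added example that is not Prismic's own code, the script below serves two passages of this page at once: the API Security section (a private repository's access token is held server-side and redacted before any URL reaches a log or error message) and the customer backup and data portability points (a complete, paginated export of published documents through the Repository API endpoint, written as a hashed snapshot). The endpoint shapes it relies on are assumptions drawn from the public API v2 conventions and should be checked against your repository: GET /api/v2 returns a "refs" list whose master entry has "isMasterRef": true, GET /api/v2/documents/search takes ref, page and pageSize and returns "results", "page", "total_pages" and "next_page", and a private repository accepts the token as an "access_token" query parameter. The repository name, the token and the API responses are constructed so the example runs offline; swap in a real HTTP client for `fetch` to run it against a live repository.

```python
"""Added example (not Prismic's code): hashed offline export of a repository.

Assumptions, to verify against your own repository:
  * GET https://<repo>.cdn.prismic.io/api/v2 -> {"refs": [{"ref": ..., "isMasterRef": true}, ...]}
  * GET /api/v2/documents/search?ref=&page=&pageSize= -> {"results", "page", "total_pages", "next_page"}
  * private repositories take the token in the "access_token" query parameter
"""
import hashlib
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

Fetch = Callable[[str], dict]  # takes a URL, returns the parsed JSON body


def api_url(repo: str, path: str, params: Dict[str, object],
            access_token: Optional[str] = None) -> str:
    """Build a repository API URL; the token is appended only when one is set."""
    query = dict(params)
    if access_token:
        query["access_token"] = access_token  # assumption: query-parameter auth
    return f"https://{repo}.cdn.prismic.io/api/v2{path}?{urlencode(query)}"


def redact_token(url: str) -> str:
    """Strip access_token so a server-side credential never reaches logs."""
    parts = urlparse(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k != "access_token"]
    return urlunparse(parts._replace(query=urlencode(kept)))


def _get(fetch: Fetch, url: str) -> dict:
    """Fetch a URL; any failure is re-raised with the token removed from the message."""
    try:
        return fetch(url)
    except Exception as exc:
        raise RuntimeError(f"fetch failed for {redact_token(url)}: {exc}") from exc


def master_ref(api_root: dict) -> str:
    """Pick the ref that points at currently published content."""
    for ref in api_root.get("refs", []):
        if ref.get("isMasterRef"):
            return ref["ref"]
    raise ValueError("no master ref in /api/v2 response")


def export_documents(repo: str, fetch: Fetch, access_token: Optional[str] = None,
                     page_size: int = 100) -> List[dict]:
    """Walk every results page for the master ref and return all documents."""
    ref = master_ref(_get(fetch, api_url(repo, "", {}, access_token)))
    docs: List[dict] = []
    page = 1
    while True:
        body = _get(fetch, api_url(repo, "/documents/search",
                                   {"ref": ref, "page": page, "pageSize": page_size},
                                   access_token))
        docs.extend(body["results"])
        if not body.get("next_page") or page >= body.get("total_pages", page):
            return docs
        page += 1


def snapshot(docs: List[dict]) -> Tuple[bytes, str]:
    """Canonical JSON bytes plus a SHA-256 digest to verify the stored copy later."""
    payload = json.dumps(docs, sort_keys=True, separators=(",", ":"),
                         ensure_ascii=False).encode("utf-8")
    return payload, hashlib.sha256(payload).hexdigest()


# --- constructed sample repository so the example runs offline -----------------
SAMPLE_REPO = "example-repo"   # hypothetical repository name
SAMPLE_TOKEN = "s3cret"        # hypothetical permanent access token
SAMPLE_DOCS = [{"id": f"doc{i}", "type": "page", "last_publication_date": "2026-06-11"}
               for i in range(1, 6)]


def fake_fetch(url: str) -> dict:
    """Serves the constructed responses: the /api/v2 root and pages of results."""
    parts = urlparse(url)
    q = dict(parse_qsl(parts.query))
    if q.get("access_token") != SAMPLE_TOKEN:
        raise PermissionError("private repository: valid access token required")
    if parts.path.endswith("/api/v2"):
        return {"refs": [{"id": "master", "ref": "abc123", "isMasterRef": True}]}
    page, size = int(q["page"]), int(q["pageSize"])
    total_pages = -(-len(SAMPLE_DOCS) // size)  # ceiling division
    return {"page": page, "total_pages": total_pages,
            "next_page": "next" if page < total_pages else None,
            "results": SAMPLE_DOCS[(page - 1) * size: page * size]}


def run_sample() -> Tuple[int, str]:
    """Export the sample repository in pages of 2 and return (count, sha256)."""
    docs = export_documents(SAMPLE_REPO, fake_fetch, access_token=SAMPLE_TOKEN, page_size=2)
    return len(docs), snapshot(docs)[1]


if __name__ == "__main__":
    count, digest = run_sample()
    print(f"exported {count} documents, sha256={digest}")
```

Keep the snapshot bytes and the digest together in your own storage; re-hashing the file on restore tells you whether the copy is intact. The page-size of 2 exists only to exercise pagination against the constructed data.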

Personal data processed by the Prismic application is limited to the name and email of business users that have access to a Prismic repository. More personal data can be processed by Intercom (learn more about Intercom’s Security Posture) which Prismic uses for Sales, Marketing and Support operations. Users can reach out to dataprivacy@prismic.io to request an export of their personal data.

Permanent data deletion

Permanent data deletion requests should be addressed directly to dataprivacy@prismic.io, or made through one of our support channels. Prismic users are required to delete the content repositories they own (or transfer their ownership) before their user account can be permanently deleted.

Data security breach

Prismic's DPA and Master Service Agreements require that any personal data breach be communicated to affected customers in a timely manner. Prismic's data security policy complies with EU data privacy law (GDPR).

Compliance certifications & policies

Internal auditing

Prismic’s security team is responsible for ensuring that controls are designed and are operating effectively. This consists of auditing our processes to ensure they operate according to management's intentions.

Legal compliance

Prismic's Security Officer, in coordination with legal counsel, monitors legal developments and emerging regulatory requirements in order to anticipate and align with new legal obligations.

Security training

Prismic employees complete security awareness training on an annual basis.

PCI obligations

All payment instrument processing is outsourced to Stripe. Stripe has been audited by a PCI-certified auditor and is certified as a PCI Service Provider Level 1. More info: https://stripe.com/docs/security/stripe

Anything else you'd like to know, about security or anything else? Send us an email.