Security and data governance standards
See how our best-in-class security program safeguards your data, manages risk, and helps you meet compliance standards—without compromising productivity.
Report on Fairness—internal control over financial reporting.
Trust Service Principles—security and confidentiality.
Information Security Management System (ISMS) for any kind of digital information.
Procore’s trusted platform offers reliable, high performance with built-in security at every level. Scale confidently with global compliance designed to support your growth.
Procore for Government helps you streamline the management and oversight of federal projects. It’s FedRAMP Moderate Authorized and built to help support DoD contractors who may have CMMC Level 2 obligations and U.S. government entities, so you can focus on building—knowing your data is secure.
Procore values the trust our customers place in us. We are committed to providing transparency on how we safeguard your data so you can develop and deploy secure, intelligent AI solutions.
Get visibility into what AI models Procore uses, how data flows into and out of models, and the security controls in place to protect your data.
Trusted cloud infrastructure
Trust in a global partner that supports you wherever you are, powered by a platform with world-class infrastructure, security, and privacy built into every layer.
Data encryption at rest and data in transit
Rely on 16 secure global file storage locations
Stay up and running with 99.9% uptime for Procore's services
See detailed information about Procore's current system status
Learn more
Enterprise-grade security
Take advantage of a robust set of security and data protection platform features that give you the tools you need to manage your security.
Secure authentication and password protection
Enable Single Sign-On (SSO) via Security Assertion Markup Language (SAML)
Configure role-based permissions to control access to project data
Data privacy & governance standards
Get the flexibility you need to control the contents of your Procore account(s) and extract data without custom code. Comply with global privacy standards including:
California's Consumer Privacy Act (CCPA)
General Data Protection Regulation (GDPR)
Australia's Privacy Act of 1988
See Privacy Notice
Automated security protection
To meet new challenges and demands, Procore continues to invest in broad initiatives that help ensure optimal security across our platform.
All Procore applications are scanned for vulnerabilities and patched, including but not limited to, vulnerabilities identified in the Open Web Application Security Project Top 10
Procore employs countermeasures and technologies to prevent and dissuade attackers
Strict access control policies
Ongoing security training program to keep our teams current on the latest security innovations throughout the industry
For documents, photos, and attachments that users upload, Procore leverages Amazon Web Service's (AWS) highly secure data centers, S3 (Amazon Simple Storage Service). Amazon Web Services provides enterprise-class tools that have been proven to be both reliable and secure for today's web-based applications.
Procore employs many of the same data encryption standards, which are widely used by large online banking services. Data at rest is encrypted and stored in a secure, private cloud infrastructure.
Procore relies on the Transport Layer Security TLS v1.2 protocol for ensuring user interaction with Procore over the internet occurs securely without transmissions being vulnerable to outside entities. The cipher suite uses: ECDHE for key exchange, RSA for authentication, AES 128 for encryption, and SHA256 for hashing.
Procore maintains a robust “high-availability” strategy to protect our customers against software problems, hardware failure, and even large-scale natural disasters. Procore maintains several replicas of the application software on each server. All data are copied to off-site storage regularly. Replication distributes this offline snapshot across the United States. We maintain the software on dozens of servers and remote copies are maintained in different secure data centers. This diversity protects against hardware failure and local service issues.
Procore employs what many consider the industry standard for API authorization - OAuth 2.0. The OAuth 2.0 authorization framework provides a secure means of authorizing and authenticating access to user data for third-party applications. OAuth 2.0 relies on SSL (Secure Sockets Layer) to ensure data transfer between the web server and browsers remains private and is kept safe. OAuth 2.0 is designed to protect Procore user data by providing access without revealing the identity of the user. Third-party applications make requests on behalf of the user without accessing passwords and other sensitive information.
Procore secures 3rd party application access to customer data with 3 methods:
Applications can only be installed by a user who has authenticated successfully and has the correct permissions of company administrator as defined by the RBAC model for the account.
When an application is installed, an OAUTH2 token is generated to authorize a specific scope for data access based on what the application needs to function.
Data transfers via API are secured with TLS 1.2 as described above.
Any data being transferred is encrypted, which means the information is converted to a code that can only be understood at the other end, at its intended destination. Procore follows some of the strongest industry standards for encryption. We use firewalls, which block unauthorized access to information while enabling outward communication. Data is encrypted when it is stored on servers, as well.
Ensuring access to business information is one of the greatest benefits to using a cloud-based service. Backup copies of information are kept in alternate locations in case of a disaster, which is known as redundancy. And the software is scanned for any anomalies to detect coded threats, without actually reading the information. We have a dedicated team to monitor and respond to network threats, rather than a customer trying to do it all on their own. Procore has a set of procedures to follow called an Incident Response Plan to help ensure business continuity to our users.
First, there are IT security management standards, which you could compare to the kinds of standards you see around building or manufacturing. (ISO) 27001:2013 Is a framework for confidentiality, integrity and availability of information as well as legal compliance. SSAE18 SOC 2 Speaks to how we maintain confidentiality and security of data. Procore also engages third parties to review our program through an exercise called Penetration and Vulnerability Testing, as well as auditing and ensuring compliance with a number of industry standards. Next, Procore helps Customers meet their data protection regualtory requirements around what personal information can be collected, how it can be used, and who can access it.
The Procore for Government solution is now FedRAMP Moderate Authorized. This formal designation means that Procore for Government successfully completed the FedRAMP authorization process and is authorized at the FedRAMP “Moderate” impact level.
U.S. federal, state, local, tribal, and territorial entities, as well as U.S. government contractors working with those entities, can purchase Procore for Government.
A wide range of core solutions include:
Analytics & Reporting
Bid Management
BIM
Design Coordination
Financials
Invoice Management
Project Management
Quality & Safety
We will continue to evaluate the U.S. public sector's needs and may add more products and features to our Procore for Government offering in the future.
There is a limited number of approved apps currently in the Procore for Government Marketplace, and we aim to add more in the future.
For the latest news on Procore for Government, please visit our Government webpage or contact our sales team at sales@procoregov.com.
