Prisidio is building a culture of security

The Prisidio Team is made up of professionals who know document storage, sharing, and security – and my background is specific to the latter. I’ve spent my career building highly scalable platforms and working in the intelligence space, so when I heard about the secure digital vault application Prisidio is building, I felt excited for the new challenge.

After working on the forefront of digital security for the UK government, I’m bringing my expertise to the consumer space and helping to change the way people think about safeguarding the documents and information that matter most to them.

In one way or another, this is something organizations of all sizes have to contend with today, but the question of how individuals can secure their own digital assets in one location that’s digitally accessible to them is one I hadn’t asked before. Digital assets can include personal identity documents, financial statements, insurance policies, account information, and even your will.

It’s essentially the same question that inspired Prisidio’s co-founders to create this company: how can we make it easy for people to securely store and share the stuff of their lives?

At Prisidio, we understand that there’s real peace of mind in knowing your most important documents are secured, and it’s my job to ensure you can rest easy and easily access what you need when you need it.

How we think about security at Prisidio

We think about security on four levels, each of which is an integral part of securing your things through our application:

1. Application security. This includes every line of code and feature we’re building into our secure digital vault, in its mobile and web-based iterations.
2. Cloud security. As an application that is built in the cloud, we use third-party tools to ensure that our environments are secured. To this end, our team carries out continuous testing and we work with external penetration test providers to avoid potential vulnerabilities.
3. Enterprise security. As a 100 percent distributed team, we rely on cloud-based tools for everything that we do, so it's vital to ensure that those tools are secure.
4. People. Everyone on our team has been thoroughly vetted, undergone a background check, and trained on the security principles and best practices that ensure the integrity of our systems. We’ve adopted the principle of least privilege to only give users and systems access to the data that they need to have access to and the principle of defense in depth, which means that we use multiple layers of security to prevent a single point of compromise within our organization.

This four-level approach is all in place to support the single key consumer security concern: If I put the keys and map to every important identity, investment and property document in a single place, is that truly a safe move to make? As opposed to now, where there is no single access point to every valuable in your life.

Security isn’t just a talking point at Prisidio – it’s part of the fabric of our products and our organization, and our work on this front will continue to evolve along with the digital landscape.

What a culture of security really means

As the stewards of your digital vault, it’s imperative that we have a robust culture of security within our company.

Internally, security is a component in everything we do. To ensure that it’s top-of-mind for our engineers, in addition to participating in a security training as part of their onboarding, we also provide continuous security training tools, which allow developers to spend time each week on understanding the latest threats and how to protect against them.

On the staff side, we also have strong expertise in this field. We’re very fortunate to have Vanessa Pegueros, the former Chief Information Security Officer (CISO) at DocuSign and a well respected expert in information security and compliance, as a member of our Board of Directors. Additionally, John Heasman, the former deputy CISO at DocuSign and current CISO for Chegg, consulted on the architecture of Prisidio and is a valued formal advisor to the Company. Our current CISO is responsible for enterprise-level and application-level security, and helps keep our team thinking proactively about system-level security.

The external side of our culture of security is all about our clients. We’re currently working toward SOC-2 certification to ensure that we have policies in place to ensure that our systems and customer data remain secure. SOC-2 is a framework which ensures that we're using best practices in all of the ways in which we handle data. It ensures that we have the right policies in place, and we're audited to ensure that we follow those policies. SOC-2 certification is a known standard which allows us to establish trust with our customers and partners.

As part of this process, we are confident in the security provided by policies around how we train our employees, how we control access to systems, and how we manage employee laptops. Then, we have systems in place to ensure that we follow those policies. Additionally, we use external audits carried out by a third party to ensure that we are following those policies.

We also use a tool to continuously evaluate all of our systems so that we have complete real- time visibility into our compliance state.

What we’re doing to secure your data

As we prepare for the public launch of the Prisidio app, we communicate at every step of the way how consumers can confirm that their most important documents are secured once placed in Prisidio. Prisidio has partnered with Auth0, the leading provider for identity management, to ensure your access and the access of those who share your digital assets with is secure. We’re centering our security focus around the framework set out by the Center for Internet Security (CIS), which provides best practices for enterprises to improve their security posture. By using this framework, we’re able to ensure that we have all the key controls in place to protect against current and future threats. As part of this framework, we also conduct regular penetration tests, led by internal teams and external third parties.

As the app rolls out, we’ll share more about our standards for multi-factor authentication, biometric authentication, and Smart Login options.