Security & privacy at Port

At Port, we understand that the security of your developer platform data and internal tooling is fundamental to your trust in us.
That's why Port continuously invests in rigorous security practices and upholds the highest standards across our technologies, processes, systems, and teams. As part of our dedication to developer platform security best practices, we've made our security documents available for you in our docs.

Certifications & compliance

Port has obtained the following compliance certifications and attestations. In addition to these, Port follows OWASP best practices, including the OWASP Top Ten:

  • SOC 2 Type 2 Certified
  • ISO 27001 Compliant
  • GDPR Compliant
  • CCPA Compliant
  • OWASP Top Ten (best-practice framework, not a certification)

Data security and privacy

This section focuses on Port’s data usage and handling policies. View our DPA and Sub-processors pages for more on those subjects.

  • Data encryption

    All data in Port's servers is encrypted at rest using AES-256. The encryption keys are stored and managed by AWS in its redundant Key Management Service (AWS KMS), so the keys never sit alongside the data they protect. If an intruder were ever able to access any of the physical storage devices, the Port data contained on them could not be decrypted without the keys held in KMS.

    Encryption at rest also enables continuity measures like backup and infrastructure management without compromising data security and privacy.

    Port exclusively sends data over HTTPS, so every connection to and from the application is protected by transport layer security (TLS). Port enforces TLS 1.2 or later wherever applicable.

  • Data segregation

    Every Port account receives its own dedicated database for data storage. Access to an account's database is possible only with a token generated from that account's API credentials, and the generated token has permissions only for that customer's database.

    Customer data is never transferred or stored on employee machines or devices.

  • Data retention

    Data ingested into Port is managed by the users who ingest it; unless they delete it, it is retained indefinitely.

    Port's audit log, which tracks every catalog, data model, action, automation and configuration change, is retained for 1 year by default.

    Sign-in and account access logs are retained for 30 days.

  • Data removal

    When a customer terminates their contract or explicitly asks for deletion of their account and its data, all data related to the account (including blueprints, entities, actions, automations, runs, users, teams and more) is deleted along with the account itself and becomes inaccessible to the customer. Copies of the data remain in Port's backups for 14 days; after 14 days they are removed from the backups as well, and the data can no longer be retrieved.

    Customers can also delete individual data at any time via Port's REST API and UI, or upon request.

  • Handling PII

    Port is meant to store infrastructure metadata, and as such does not collect or use any PII beyond what is needed to sign users in.

    The only PII Port requires for its operation is:

    • First name

    • Last name

    • Email address

    These pieces of information are required to authenticate users and sign them in to Port, and are not used for any other purpose.
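The "Data encryption" and "Data segregation" passages above describe two properties: data at rest is useless without keys held in KMS, and a credential for one account unlocks only that account's data. The following Go program is an added illustration of the envelope-encryption pattern behind the first property, with the second folded in by binding each wrapped data key to an account ID. It is not Port's code and does not describe Port's implementation: the `KMS` type is a local stand-in for AWS KMS (the real service keeps the key encryption key inside its HSMs and is called over the GenerateDataKey/Decrypt APIs), and the account ID, record and AAD layout are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// aesGCMSeal encrypts plaintext with AES-256-GCM under a 32-byte key and
// authenticates aad alongside it; the random nonce is prepended to the output.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal; any change to blob or aad fails authentication.
func aesGCMOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// KMS is a local stand-in for AWS KMS (assumption for this example). The key
// encryption key (KEK) is private to the struct and is only ever used to wrap
// and unwrap data keys; storage nodes never see it.
type KMS struct{ kek []byte }

func NewKMS() (*KMS, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &KMS{kek: kek}, nil
}

// GenerateDataKey mirrors the shape of KMS GenerateDataKey: a fresh 256-bit
// data key is returned in plaintext for immediate use and, separately, wrapped
// under the KEK. The account ID is bound as AAD so a wrapped key cannot be
// replayed against another account's data (assumption: per-account binding).
func (k *KMS) GenerateDataKey(accountID string) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = aesGCMSeal(k.kek, plain, []byte(accountID))
	if err != nil {
		return nil, nil, err
	}
	return plain, wrapped, nil
}

// Unwrap recovers a data key; only the KMS holding the KEK can do this.
func (k *KMS) Unwrap(accountID string, wrapped []byte) ([]byte, error) {
	return aesGCMOpen(k.kek, wrapped, []byte(accountID))
}

// Envelope is what lands on disk: the record ciphertext plus its wrapped data
// key. An attacker who copies the storage device gets exactly this and nothing more.
type Envelope struct {
	AccountID      string
	WrappedDataKey []byte
	Ciphertext     []byte
}

// EncryptRecord encrypts one record for one account with its own data key.
func EncryptRecord(kms *KMS, accountID string, record []byte) (*Envelope, error) {
	dataKey, wrapped, err := kms.GenerateDataKey(accountID)
	if err != nil {
		return nil, err
	}
	ct, err := aesGCMSeal(dataKey, record, []byte(accountID))
	if err != nil {
		return nil, err
	}
	return &Envelope{AccountID: accountID, WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs the KMS to unwrap the data key before the ciphertext is usable.
func DecryptRecord(kms *KMS, env *Envelope) ([]byte, error) {
	dataKey, err := kms.Unwrap(env.AccountID, env.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return aesGCMOpen(dataKey, env.Ciphertext, []byte(env.AccountID))
}

func main() {
	kms, _ := NewKMS()
	// Constructed sample record; not real Port data.
	env, _ := EncryptRecord(kms, "acct-1", []byte(`{"blueprint":"service","identifier":"payments"}`))

	pt, err := DecryptRecord(kms, env) // normal path: the application asks KMS
	fmt.Println(string(pt), err)

	other, _ := NewKMS() // stolen disk: the envelope without the real KEK
	_, err = DecryptRecord(other, env)
	fmt.Println("without the KMS key:", err)
}
```

The caveat a practitioner should keep in mind: this model protects against loss of the storage medium, not against an application or operator who can legitimately call the KMS on the account's behalf; that boundary is what the per-account token scoping in the segregation section is for.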

Report a vulnerability

Anyone can report a vulnerability or security concern with Port by contacting security@port.io.

  • How to report a vulnerability

    If you believe you’ve discovered a security vulnerability in a Port.io service, please report it by emailing security@port.io with the following:

    • A clear and descriptive summary of the issue

    • Steps you took to reproduce it

    • The potential security impact of the issue

  • Responsible testing guidelines

    To protect our users and systems, please:

    • Do not access, modify, or delete data that does not belong to you

    • Do not disrupt Port.io services

    • Conduct testing only on accounts or systems you own or are authorized to use

    • Comply with all applicable laws and regulations

  • No reward program

    Port.io does not operate a paid reward program. We do not offer financial compensation for vulnerability disclosures. However, we value your contribution and may acknowledge significant reports at our discretion.

  • Out of scope

    The following types of issues are not covered under this policy:

    • Denial of service (DoS) or brute-force attacks

    • Automated or scanner-generated reports without demonstrated impact

    • Social engineering or phishing

    • Physical security vulnerabilities

    • Bugs unrelated to security (e.g., UI or usability issues)

    • Vulnerabilities in third-party services not operated by Port.io

  • Legal notice

    By submitting a vulnerability report, you agree to:

    • Act in good faith

    • Avoid unauthorized access or disruption

    • Not disclose the vulnerability publicly without Port.io’s written consent

    We thank you for helping us protect our users and systems. For any questions, contact us at security@port.io.