Security & Compliance

Enterprise-grade security for organizations that cannot afford to get it wrong

PR.co is trusted by communications teams at listed companies, government organizations, and some of the largest enterprises. We protect that trust through a formal information security program, independent audits, external security assessments, top-notch cloud infrastructure, and enterprise-grade controls across our platform, software, and organization.

Security at PR.co is not a collection of one-off measures. It is managed through policies, processes, technical controls, continuous monitoring, and independent validation.

ISO 27001:2022

PR.co has been ISO/IEC 27001:2022 certified since 9 June 2026 by RvA accredited certification body Brand Compliance B.V.

Brand Compliance ISO 27001:2022 certified

ISO/IEC 27001 is the internationally recognized standard for information security management. It confirms that an organization has implemented an Information Security Management System (ISMS) designed to identify, assess, treat, monitor, and continually improve how information security risks are managed.

For our customers, this means our ISMS is independently audited by an accredited certification body and built around structured risk management, documented controls, management accountability, continual improvement, and the protection of the confidentiality, integrity, and availability of information.

Download our ISO/IEC 27001 certificate
Learn more about Brand Compliance

Independent annual penetration testing

PR.co works with an independent software cybersecurity partner to conduct an annual external grey-box penetration test of our entire software platform.

Our external software security assessments are conducted by Secwatch and are designed to assess our platform from the perspective of a realistic attacker with controlled knowledge of the environment and access to controlled user accounts. The goal is not just to identify technical vulnerabilities, but to prioritize risk, validate remediation, educate the PR.co technical staff, and strengthen the platform over time.

Our penetration-testing program includes:

  • Annual grey-box testing of the PR.co software platform

  • Clear reporting of findings, risk levels, and remediation priorities

  • Internal ownership and follow-up on all relevant findings

  • Retesting or validation of important remediations where appropriate

  • Continued improvement of our application, infrastructure, and development practices

Security reports generated through this process are available to customers and prospective enterprise customers on request, subject to appropriate confidentiality arrangements.

In addition, some of our largest enterprise and government customers have performed their own recurring penetration tests and vendor security assessments of PR.co for more than a decade as part of their internal assurance processes.

Learn more about Secwatch

Hosted on AWS cloud infrastructure

PR.co is hosted on Amazon Web Services, one of the world’s leading cloud infrastructure platforms for highly regulated, security-sensitive, and enterprise workloads.

AWS operates global infrastructure, security, compliance, and resilience programs at a scale that would be impossible for most individual software vendors to reproduce independently. pr.co builds on this foundation while remaining responsible for the security of our own application, configurations, data, access controls, monitoring, and operational procedures under the AWS shared-responsibility model.

AWS maintains a broad compliance program covering many global security and privacy standards. AWS states that it supports 143 security standards and compliance certifications, including PCI DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-3, and NIST 800-171. AWS also maintains certifications for ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701, ISO 22301, ISO/IEC 20000-1, ISO 9001, and CSA STAR CCM.

PR.co uses AWS to support:

  • High availability across resilient cloud infrastructure

  • Managed services that reduce operational risk

  • Redundant networking, compute, storage, and database layers

  • Encryption, access-control, logging, and monitoring capabilities

  • Security hardening at infrastructure, network, and application levels

  • Scalable infrastructure that can respond to changing traffic patterns

Read about AWS Compliance
View AWS Compliance Programs

Secure payments with PCI compliance

Any direct payments (i.e. via credit card or SEPA) made to PR.co are fully facilitated through our PCI-compliant partner Chargebee. Chargebee is PCI DSS Level 1 certified, the highest standard of PCI compliance, and is listed on the VISA Global Registry of Service Providers.

View Chargebee's security page

Enterprise security features in the PR.co platform

Security must also be practical for the teams using PR.co every day. Our platform includes enterprise controls that help customers protect access, reduce risk, and align pr.co with their internal security policies.

Available platform security features include:

  • Mandatory two-factor authentication
    Enforce stronger account protection across your team.

  • Single Sign-On
    Connect to your organization’s central identity provider and authentication policies.

  • IP allowlisting
    Restrict access to approved office, VPN, or corporate network ranges.

  • Restricted session control
    Apply stricter session behavior and reduce exposure from inactive or unmanaged sessions.

  • Custom Content Security Policies
    Configure additional browser-level protections for customer-hosted newsroom environments.

  • Custom domain hosting
    Host your newsroom and PR infrastructure under your own trusted domains.

  • Custom DMARC compatibility
    Align email domain usage with your organization’s email authentication policies.

  • Custom SSL certificates
    Support for customer-specific certificate requirements for branded domains and enterprise deployments.

Additional controls and implementation options are available depending on your setup and contract.

Platform security, availability, and resilience

The PR.co platform is designed to remain secure, available, and resilient under changing traffic, operational, and threat conditions.

Our infrastructure uses distributed systems that can scale based on traffic and recover from incidents. Where possible, we use managed AWS services that benefit from AWS-managed operational controls, security patching, and infrastructure maintenance.

Our security and availability measures include:

  • Fully distributed systems designed for scalability and resilience

  • Auto-scaling and auto-healing infrastructure patterns

  • Encryption of data in transit using TLS

  • Encryption of data at rest using industry-standard encryption such as AES

  • Centralized monitoring and logging across critical systems

  • Smart anomaly detection and alerting for operational and security events

  • Escalation procedures for incidents that require human intervention

  • Automated vulnerability scanning at codebase and CI/CD level

  • Web Application Firewall protection

  • Load-balancing layers that help absorb and route traffic safely

  • Protections designed to mitigate malicious requests, bot traffic, and DDoS-related availability risks

  • Multiple redundancy layers, backups, and multi-AZ configurations

  • Infrastructure as code to keep environments consistent, reviewable, and controlled

  • Serverless and managed fleet components to reduce operational risk

We maintain a live platform status page so customers can view current and historical availability information.

View PR.co platform status

Secure development and change management

Security is built into how we design, review, test, and deploy the PR.co platform.

Our development process combines automated checks, human review, and AI-assisted safeguards to reduce the likelihood of introducing security, privacy, or availability issues into production.

Our secure development practices include:

  • Human code reviews and QA sessions before production deployments

  • Automated vulnerability scanning in development and CI/CD workflows

  • Dependency monitoring and patching policies

  • Controlled deployment workflows and acceptance testing environments

  • Security-aware engineering practices and training

  • AI-assisted checks where they help identify risks or inconsistencies

  • 24/7 monitoring and response to any incidents or anomalies

This layered approach helps ensure that changes are reviewed, traceable, and aligned with our security and compliance obligations.

Organizational security and access governance

Security at pr.co extends beyond the application. We maintain organizational controls designed to protect customer data, internal systems, and company operations.

Our internal security controls include:

  • Company-issued encrypted endpoint devices

  • Centralized mobile device management, XDR protection and monitoring

  • 24/7 centralized monitoring and incident response for endpoint devices

  • Secured networking based on Zero-Trust Network Access principles

  • Centralized controls for company inboxes and web access

  • Centrally managed authentication and access based on the principle of least privilege

  • Periodic access level reviews and checklists

  • Filtering for phishing, malware, malicious links, and unsafe traffic

  • Security awareness and data privacy training for staff

  • Background checks appropriate to role and responsibility

  • Role-based competence requirements

  • Confidentiality obligations in staff contracts

  • Non-disclosure agreements and contractual clauses covering data security, privacy, and confidentiality

  • Disciplinary provisions for violations of security, privacy, or confidentiality obligations

Only authorized personnel with a legitimate business need may access systems or data required for their role.

Privacy and regulatory compliance

PR.co is based in the Netherlands and operates with a strong focus on European privacy, security, and regulatory expectations.

Our privacy and compliance program is designed to support applicable obligations under relevant privacy, cybersecurity, and technology regulations, including the GDPR, UK GDPR, CCPA, ePrivacy Directive, NIS2-related cybersecurity requirements as implemented in applicable jurisdictions, the EU AI Act as it progressively applies, and other relevant laws and regulations applicable to our activities in the Netherlands and the European Union.

Our privacy and compliance measures include:

  • A published Privacy Policy

  • A Data Processing Agreement available for customers

  • Technical and organizational measures for protecting personal data

  • Access controls and confidentiality procedures

  • Data export support for customers

  • Review of relevant subprocessors

  • Security and privacy training

  • Contractual safeguards for staff and suppliers

  • Governance around AI-related product capabilities and customer data use

Read our Privacy Policy

Security documentation and enterprise assessments

We understand that enterprises, listed companies, public-sector organizations, and regulated teams often need detailed security documentation before selecting a software vendor.

Upon request, we can provide relevant security and compliance materials, including:

  • ISO/IEC 27001 certificate

  • Security whitepaper

  • Technical and organizational measures

  • Data Processing Agreement

  • Penetration-test report or executive summary

  • Security questionnaire responses

  • Details on platform controls and enterprise configuration options

  • Information about subprocessors and hosting setup

Please contact your pr.co account representative or email dpo@pr.co to request security documentation.

Vulnerability disclosure

We take security reports seriously. If you believe you have identified a vulnerability in PR.co, please contact us responsibly at: security@pr.co

Please include enough detail for our team to understand, reproduce, and assess the issue. We review reported issues, prioritize them based on risk, and take appropriate remediation steps. Urgent high-severity findings will be eligible for a reward.

That said, although we carefully review and respond to every report that gets sent our way, we cannot guarantee a reward or bounty for every report: for example, where a report is a duplicate, is of too low severity, cannot be reproduced, or is out of scope.