Data in Transit
Procore connections are secured using HTTPs protected by Transport Layer Security (TLS). The data in transit is encrypted using the AES256 standard, the secure hash algorithm (SHA-2) for message authentication and RSA as the encryption key exchange mechanism.
Data at Rest
For Data at Rest (DAR), Procore utilises provider managed device encryption services. This includes AWS S3 Server-Side Encryption, Aurora DB Encryption EBS Encryption all utilising Amazon Key Management Service (KMS). All services use one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data. The provider managed encryption services provide that the keys are stored securely and rotated on a regular basis.
AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext keys from the service. The service uses FIPS 140-2 validated hardware security modules (HSMs) to protect the confidentiality and integrity of your keys regardless of whether you request KMS to create keys on your behalf, create them in an AWS CloudHSM cluster or import them into the service. Your plaintext keys are never written to disk and only ever used in volatile memory of the HSMs for the time needed to perform your requested cryptographic operation. Keys created by KMS are never transmitted outside of the AWS region in which they were created and can only be used in the region in which they were created. Updates to the KMS HSM firmware is controlled by multi-party access control that is audited and reviewed by an independent group within Amazon as well as a NIST-certified lab in compliance with FIPS 140-2. See AWS Key Management Service: Secure .