Our position on data privacy and security
Since our founding days in 2014, Prolific has integrated rigorous cybersecurity and data privacy protocols into every stage of building and maintaining software and processes. We uphold strict commitments to our customers and participants when it comes to our use of their data and, in turn, their business-critical uses of Prolific.
Certifications and compliance
Prolific holds ISO 27001 and Cyber Essentials certifications, both subject to regular audit, and has a SOC 2 Type 1 report, which attests to the design of our controls at a point in time. Work towards a SOC 2 Type 2 report, which additionally attests that those controls operated effectively over a review period, is underway. These are the recognised standards for a business of our type.
The EU’s GDPR, widely regarded as the best-in-class data privacy framework, serves as our baseline for data protection worldwide.
Infrastructure and platform stability
Our platform delivered 99.95% uptime over the six months to the end of 2025. Disaster recovery is tested annually, and high availability and redundancy are built into all our applications. Encryption to current best-practice standards is maintained across all platforms.
Firewalls provide network-level protection. We run real-time automated vulnerability scanning across both our own code and the assets and software we provision, and remediate findings within defined SLAs.
Our observability stack, built on granular real-time monitoring and alerting, gives comprehensive visibility across every tier of the architecture, from our databases and servers through to queues and caches.
Access controls and endpoint security
We operate a least-privilege access model with multi-factor authentication enforced across all critical systems, including VPN, developer applications, and cloud infrastructure. Production access is granted to privileged users on a “just-in-time” basis.
Access authorisations are reviewed at least annually against job functions, with access to critical systems reviewed quarterly. Shared (generic or group) logins are prohibited, so every action is attributable to a named individual. Removable storage devices are disabled where possible.
We operate a clean-desk policy, provision centrally asset-managed hardware, and all employees and contractors regularly re-certify in data protection and security training.
Penetration testing and incident response
Penetration tests are carried out annually by accredited external third parties. All findings are remediated in line with our Vulnerability Management policy and SLAs, and the fixes are retested.
Incident response runs 24/7 via an on-call rota with both automated and manual triggers. Response time SLAs are defined against all severity levels. The development team runs regular open-source vulnerability scanning and routinely remediates findings.
Governance
Our ISMS provides a comprehensive framework for the entire security posture. Twenty-five governance and policy documents cover everything from information security policy and acceptable use through to disaster recovery and system access controls.
External validation
A 2025 external audit examined our full ISMS, all governance and policy documents, penetration test results, certifications, incident management processes, disaster recovery plans, and data protection policies. This concluded that Prolific maintains a best-in-class cybersecurity posture, with no material security gaps identified, and resulted in ISO 27001:2022 certification. Further annual surveillance visits by our external auditors ensure we remain compliant with standards.
We are proud to uphold a best-in-class security posture at Prolific. We are also aware that cyber-threats are constantly evolving, so we work round the clock to keep our systems and our users safe.