Security & Compliance at Prey

We take these issues very seriously; they are what we do for a living. Below are the guidelines, agreements, and standards we comply with and hold ourselves to.


Organization Security

SOC 2 standard

Prey has voluntarily undergone a System and Organization Controls (SOC) audit and obtained a SOC 2 report. SOC 2 is a framework for the proper handling of customer data, and the report is an independent auditor's attestation (rather than a certificate) that the controls needed to reduce the risk of a data breach are in place and operating. It reflects our ongoing commitment to maintaining those controls.

  • Proven trust and credibility: our SOC 2 report shows the importance Prey places on data security and that we have solid controls and procedures in place. The objective is to deliver a trusted solution for securing your device fleet.
  • Regulatory compliance: it helps us meet regulatory requirements. Some regulations and security standards, such as GDPR, require strict security practices; a SOC 2 report provides independent evidence of many of the controls those standards expect.
  • Improving internal security: preparing for the SOC 2 audit involves reviewing and improving internal security controls and practices, which strengthens the company's overall security posture.
  • Protection of sensitive data: we demonstrate a commitment to protecting our users' sensitive data, which is fundamental in an environment where privacy and information security are critical.
  • Risk reduction: by implementing robust security controls and demonstrating their effectiveness through the SOC 2 audit, we reduce the risk of security incidents, which can have a significant impact in terms of cost and reputation.

Regulations

HIPAA

Prey offers clients a Business Associate Agreement (BAA) committing Prey to the Health Insurance Portability and Accountability Act (HIPAA) rules for as long as it processes or stores protected health information on the client's behalf. The BAA guarantees:

  1. No disclosure or use of protected health information beyond what the agreement permits.
  2. Implementation of appropriate safeguards for electronic protected health information.
  3. Prompt reporting of any unauthorized use or disclosure of protected health information.
  4. Subcontractors handling protected health information must agree to the same conditions.
  5. Maintenance and availability of information required for accounting of disclosures.
  6. Risk assessment and measures to address the identified risks, including pseudonymization and encryption of protected health information; ensuring the confidentiality, integrity, availability and resilience of systems; timely restoration of data after an incident; and periodic testing and evaluation of security measures.

Data collection

Prey’s Privacy Policy

We request only the minimum data needed to create your account: your name and country. Note, however, that the only way for us to identify you as a user is through the e-mail address you registered with, which is also the official channel of communication between us. Under the General Data Protection Regulation (GDPR), the lawful basis for our processing of personal data is the performance of our contract to provide the service. For more information, visit our Privacy page.

CCPA

Prey complies with the California Consumer Privacy Act of 2018 (CCPA). Your consumer data rights are laid out in the “Data rights and requests” section. As described there, you can exercise your data rights from your user panel. If you want to exercise them through other means, a verifiable consumer request will require us to verify your identity. For more information, visit our Privacy page.

GDPR

For transfers of personal data from the European Union and the United Kingdom to the United States, Prey relies on the EU-U.S. Data Privacy Framework described below.

Data Privacy Framework (DPF)

Prey complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and its UK Extension. Prey has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom (including Gibraltar) in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms of this policy and the EU-U.S. DPF Principles, the Principles govern. To learn more about the DPF program, and to review our certification, please visit www.dataprivacyframework.gov

Prey's commitments under the DPF are subject to the enforcement authority of the U.S. Federal Trade Commission (FTC). Any user concerned about Prey's compliance with its privacy policy may therefore file a complaint with the FTC, which investigates deceptive or unfair business practices, including a company's failure to honor its stated privacy commitments.

Cookies

Our website, including the Prey user panel, uses first- and third-party cookies to collect anonymous usage statistics so we can provide a better service. We do not track you outside our website, and we do not set these cookies without your prior consent. The remaining cookies are essential to the site's operation: they support its usability and configuration and do not track any Personally Identifiable Information (PII). Please see our Cookies page for further information.

Organizational confidentiality

At Prey, we believe that words must translate into actions, and protecting your data is at the core of our business. Our team of highly trained, multidisciplinary and multinational professionals is contractually bound by non-disclosure agreements and confidentiality clauses to protect our users' information. Access to our servers is compartmentalized and protected with strong encryption, and no employee has access to your account information or your passwords. Support access is limited to what is needed to resolve a support request and requires confirmation of the user's identity.

Data rights and requests

At Prey, we respect your ownership of your personal data, so you can access, modify and delete it easily from the Panel. If you want to stop the processing of your personal data, simply unmark your devices as missing: Prey does not passively track your devices unless you expressly request it. You can remove the personal data associated with your Prey account from the Panel. To request removal of all of your personal data, send a full data deletion request to privacy at preyhq dot com. Such requests can be made only once every five (5) months.

You have the right to access your personal data and to data portability. On request, we will send you all the personal data you have shared with us in a machine-readable format. You can exercise this right once every three (3) months, through the user panel or by sending a request to privacy at preyhq dot com.

If you close your account, we delete all of your data. We do, however, keep a record of payment history and of data deletion and portability requests for legal reasons; the lawful basis for retaining these records is compliance with a legal obligation.

Marketing communications: Newsletters

Currently, we have two mailing lists, one for updates from our Blog with security and technology news and another one for commercial information for clients. You can unsubscribe in the footer of any email we have sent. These lists are intended solely for our exclusive use and we do not disclose any information to third parties.

We will provide an individual opt-out or opt-in choice before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized.

For any inquiries with regards to the use and disclosure of your personal information, please submit a written request to privacy at preyhq dot com.

Business continuity

Vulnerability management

We follow a defined resolution protocol for vulnerabilities found in our open-source components and their dependencies:

  • Vulnerability reporting: anyone who discovers a vulnerability in the Prey agents can responsibly report it to the development team.
  • Dependabot monitoring: GitHub's Dependabot checks the open-source dependencies used in the Prey agents and notifies us of updates and known vulnerabilities.
  • Resolution deadlines: Prey sets defined timelines for resolving reported vulnerabilities, ensuring a timely and effective response to security issues.

The defined resolution times are:

New software projects are configured with secure defaults from the start, protecting the code base from external threats.

  • Vulnerabilities in our own software: 14 days

Vulnerabilities detected in our infrastructure are triaged and remediated within the following windows, by severity, so that the most dangerous issues are addressed first:

  • Critical vulnerabilities: 45 days
  • High vulnerabilities: 60 days
  • Medium vulnerabilities: 75 days
  • Low vulnerabilities: 90 days

We publish live system status information on our status page.

Product Security

User and account information

Permissions & data access

All sensitive information, such as device location, user credentials and payment information, is kept out of Prey's open-source components (the agents) and held server-side, which is how we protect users' privacy and security. This information can only be accessed through the web control panel or the public API, after authentication.

Authorized use and multi-user accounts

Prey is a security application intended to help our users locate and recover lost devices. Prey's purpose is not to register or track people, and under our terms and conditions you agree to that limitation. Likewise, you may only install Prey on devices you are legally authorized to install it on.

With multi-user accounts, be aware that any administrator can mark your devices as missing. You can see who the administrators of your account are at any time by checking your account information in the application's panel. If you have any problem with this functionality, or want an administrator's access removed, contact us at privacy at preyhq dot com.

Open Source

Prey agents collect general device information and carry out the actions requested by users. They communicate with the server over an encrypted and authenticated connection, which protects the confidentiality and integrity of the transmitted data.

Other security layers

  • Two-factor verification: Prey supports a second authentication factor that requires a unique, randomly generated security code in addition to your password.
  • SAML & SSO: Prey supports SAML single sign-on, in which your identity provider (IdP) authenticates the user and passes a signed authentication assertion to Prey (the service provider), so users sign in through your IdP rather than with a separate Prey password.
  • TLS: Prey's services are served with a valid TLS certificate, so traffic between your browser or agent and Prey's servers is encrypted in transit (this is what is commonly called “SSL”).

Feature Transparency

Actions that an admin can perform on the device using Prey

These actions can only be executed on-demand from the Prey account and, except for wipes and encryption, will not modify any of the device’s settings.

  • Sound alarms on the device
  • Remotely lock its screen
  • Send messages to the device
  • Recover files of up to 25MB (one at a time)
  • Fully or partially encrypt Windows devices
  • Partially wipe disks in laptops and desktops
  • Perform a factory reset on Windows and macOS devices

Information from the device that an admin can see using Prey

  • Connection status (connected, disconnected, last connection date and time)
  • Operating System
  • Hardware information
  • Active User
  • Battery status (laptops)
  • Name of the internet connection in use and Wi-Fi signal
  • Current Location
  • Location history for the last month

Information that is obtained for Missing Reports only

  • Integrated camera photos (opt-out)
  • Device screenshots (opt-out)
  • Nearby WiFi signals
  • MAC Address
  • Public, Private, and Gateway IP

Privacy regarding the File Retrieval feature

Under no circumstances does our File Retrieval feature constitute a cloud backup or file management system. We do not inspect the files you retrieve and have no access to their content. Retrieved files are hosted in Google Cloud Storage, where we do not have access to them, and remain available for thirty (30) days from the retrieval request.

For further information, please contact your Sales Representative or write us an email.