Security at Pinnnng
Your screens reach real people in your stores, branches and lobbies. We treat that like the operational responsibility it is. This page is a practical account of how we protect the Service — not a marketing brochure.
Compliance & attestations
Pinnnng maintains an active information security program aligned with industry standards.
- SOC 2 Type II — reports available on request under NDA. Latest report covers July 2025 – December 2025.
- ISO/IEC 27001:2022 — certified. Certificate number available on request.
- GDPR — DPIAs on file for high-risk processing; EU data residency available on Enterprise.
- PCI DSS — out of scope: payments are processed by Stripe; Pinnnng systems do not store card data.
- HIPAA — BAAs available for healthcare deployments with appropriate configuration.
Infrastructure
Pinnnng runs on AWS in multiple regions. Production traffic is isolated from development; staging environments never hold customer data.
- Network — External traffic uses TLS 1.2 or later; internal service-to-service traffic is mutually authenticated with mTLS.
- Encryption at rest — Databases and object storage are AES-256 encrypted. Customer-managed keys available on Enterprise via AWS KMS.
- Secrets — Managed in AWS Secrets Manager with rotation. No secrets in code repositories; enforced by pre-commit hooks and CI scanning.
- Backups — Databases are snapshotted every 6 hours; snapshots are retained for 35 days, and restores are drilled quarterly.
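To make the "no secrets in code repositories" control concrete, here is an added example of the kind of pre-commit check that enforces it. It is illustrative code written for this page, not Pinnnng's own tooling; the credential patterns, the entropy threshold of 3.5 bits and the sample diff are all constructed for the example (the AWS key is the placeholder value from AWS documentation, not a live credential). The scanner looks only at added lines of a unified diff, flags known credential formats, and flags assignments to secret-looking names whose literal value is long and high-entropy, so that placeholders like a run of x's do not block a commit.

```python
import math
import re
import subprocess
import sys
from collections import Counter

# Known credential formats (constructed subset; real scanners carry far more).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Assignment of a long string literal to a secret-looking name, e.g. api_key = "...".
ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*["']([^"']{16,})["']"""
)


def shannon_entropy(s):
    """Bits of entropy per character; random 24-char keys score well above 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text, entropy_threshold=3.5):
    """Scan the added ('+') lines of a unified diff.

    Returns a list of (filename, finding_type, offending_line) tuples.
    Removed and context lines are ignored: a pre-commit hook only needs
    to stop new secrets from entering the repository.
    """
    findings = []
    filename = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):           # new-file header of the current hunk set
            filename = line[4:].strip()
            if filename.startswith("b/"):
                filename = filename[2:]
            continue
        if not line.startswith("+"):          # only added lines are of interest
            continue
        content = line[1:]
        for name, pattern in PATTERNS.items():
            if pattern.search(content):
                findings.append((filename, name, content.strip()))
        m = ASSIGNMENT.search(content)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append((filename, "high_entropy_assignment", content.strip()))
    return findings


# Constructed staged diff: one real-format key, one random-looking API key,
# one low-entropy placeholder and one short password that should not fire.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,7 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+api_key = "Qf8zL2vP9kRm3nXw7bJs1tYd"
+password = "xxxxxxxxxxxxxxxxxxxx"
+password = "hunter2"
"""


def main():
    # As a git pre-commit hook: scan exactly what is about to be committed.
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"], capture_output=True, text=True
    ).stdout
    findings = scan_diff(diff)
    for filename, kind, text in findings:
        print(f"{filename}: {kind}: {text}", file=sys.stderr)
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Run against SAMPLE_DIFF, scan_diff reports the AWS-format key and the high-entropy api_key assignment and nothing else; the placeholder scores 0 bits of entropy and "hunter2" is shorter than the 16-character minimum. A CI job would run the same function over the full diff of a pull request rather than the staged changes, so a hook bypassed with `--no-verify` is still caught before merge.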
Access control
We follow the principle of least privilege across every system.
- SSO for employees — Google Workspace + Okta with MFA required.
- Production access — Requires a ticketed request, role-based approval, and a time-bounded session. Every command is logged.
- Customer SSO — SAML 2.0 and OIDC supported on Business and Enterprise plans, with SCIM 2.0 for user provisioning.
- Audit log — Every login, permission change and publication event is recorded, retained immutably for 13 months, and exportable to your SIEM.
Application security
Our engineering process is designed to catch security issues before they reach production.
- SSDLC — Code review is required for every change. Security-sensitive changes require a second senior reviewer.
- Dependency scanning — Snyk and Dependabot run on every pull request; critical vulnerabilities block merge.
- Static analysis — Semgrep rules for known classes of bugs run on every build.
- Penetration testing — Annual third-party pentest; summary report available on request.
- Bug bounty — Coordinated disclosure via security@pinnnng.com; we acknowledge reports within 48 hours.
Incident response
We maintain a written Incident Response Plan, tested quarterly, that covers detection, containment, investigation, notification and post-mortem.
In the event of a confirmed personal-data breach, we notify affected customers without undue delay and, where possible, within 72 hours of confirmation. Our status page publishes outage communications in real time.
People & training
Every Pinnnng employee and contractor goes through background checks appropriate to their role and signs a confidentiality agreement. Security awareness training is delivered at onboarding and annually thereafter, with role-specific training for engineers, support, and data-handling teams.
Vendor management
Sub-processors are reviewed against our security, privacy and resilience criteria before any customer data can flow. Material changes to our sub-processor list are announced at least 30 days in advance.
Resilience & disaster recovery
Our architecture is multi-AZ with active-passive failover across regions for Enterprise customers. Our stated recovery objectives are:
- RTO (recovery time objective): 4 hours for a full regional failure.
- RPO (recovery point objective): 15 minutes for database state.
DR tests are run quarterly; reports are shared with Enterprise customers under NDA.
Trust center & documents
For security questionnaires, SOC 2 reports, ISO certificates, penetration test summaries, and DPA templates, visit our trust center at trust.pinnnng.com (NDA required for some documents).
Contact security@pinnnng.com for custom reviews or to coordinate an enterprise security assessment.
For legal or privacy matters, email legal@pinnnng.com; a real person will respond within two business days.