Security & data protection

Pulpstream's SOC 1 and SOC 2 Type II report covers the trust services categories of Security, Confidentiality, and Availability, and is audited annually.

Pulpstream's entire team is HIPAA trained and certified every two years.

We comply with GDPR as a data processor, and manage the transfer data via Standard Contractual Clauses.

We ensure policies, processes, and controls comply with CPRA and CCPA requirements.

We host all of our data in physically secure, U.S.-based Amazon Web Services (AWS) facilities that include 24/7 on-site security, camera surveillance, and more.

All data sent to or from Pulpstream is encrypted using TLS, and all customer data is encrypted using AES-256.

Pulpstream’s infrastructure has been designed to be fault tolerant. All databases operate in a cluster configuration and the application tier scales using load balancing technology that dynamically meets demand.

Pulpstream Database is constantly replicated in multiple AWS Regions across the US. The data is backed up every day and a copy is kept for 90 days.

Access to all Pulpstream systems is managed through our identity provider, which automates user provisioning, enforces 2FA, and logs all activity.

All servers are configured using a documented set of security guidelines, and images are managed centrally. Changes to the company’s infrastructure are tracked, and security events are logged appropriately.

Pulpstream maintains a set of comprehensive security polices that are kept up to date to meet the changing security environment. These materials are made available to all employees during training and through the company’s knowledge base.

Every new hire must pass a thorough background check and attend a “Legal and Security” training course, as well as an InfoSec training course once a year. We instantly disable departing employee’s devices, apps, and access during offboarding via Pulpstream’s IDM and MDM products.

The Pulpstream Security Team provides continuous education on emerging security threats, performs phishing awareness campaigns, and communicates with employees regularly.

Pulpstream manages visitors, office access, and overall office security via a formal office security program.

We regularly run internal pen tests and partner with reputable security firms to run external pen tests. Additionally, our bug bounty program allows anyone to test our system and report bugs.

All app access is logged and audited. We also use a wide variety of solutions to quickly identify and eliminate threats, including a Web App Firewall (WAF) and Runtime App Self Protection Agent (RASP).

Code development is done through a documented SDLC process, and every change is tracked via GitHub. Automated controls ensure changes are peer-reviewed and pass a series of tests before being deployed to production.