We respect our customers' privacy, and keeping our customers' data protected at all times is our highest priority.
This security policy provides a high-level overview of the security practices put in place to achieve that objective.
Access Control
Employees at Pinpoint are only ever given access to the services required for them to perform their job. Wherever possible, two-factor authentication is enabled when using external services.
Our internal procedures prevent employees from gaining access to user data. Limited exceptions can be made for customer support.
Backup Policy
We automate our backup process and keep daily backups for the last 30 days. All backups are encrypted at rest.
Disaster Recovery (DR)
Pinpoint is managed at a high level using the Cloud66 PaaS offering, meaning the entire application stack can quickly be cloned to new hardware if the infrastructure within Digital Ocean's AMS3 datacenter becomes unavailable. LON1 is our designated DR site, as it is accredited to the same standard as AMS3.
External Security Testing
We perform dynamic application security testing (DAST) via the use of a service called Detectify. Detectify is a web security scanner that works with ethical hackers to perform fully automated tests to identify vulnerabilities on web applications.
GDPR
We're compliant with the General Data Protection Regulation (GDPR) and provide each company with a branded page containing their own GDPR privacy notice.
If candidates have actively applied for a role, consent to process their data is implied through GDPR's legitimate interest caveat; however, we also include a checkbox on all application forms asking for consent to use their personal data for other purposes.
Candidates are able to exercise their right to erasure by using our 'manage my data' functionality at any point.
Infrastructure
All of our infrastructure is cloud based, with our service built on infrastructure provided by Digital Ocean and Amazon Web Services (AWS) in UK and European data centres. The application servers are hosted by Digital Ocean, with files and backups stored and served from AWS.
All data centres have been accredited under at least:
ISO/IEC 27001:2023 or ISO/IEC 27001:2013
SOC 1 and SOC 2
Monitoring
We use Sqreen to monitor and protect our infrastructure from automated scanners, bots and targeted attacks. It blocks attacks and alerts us in case of critical threats. It also provides additional features such as IP blocking and suspicious behaviour monitoring, and informs us of any vulnerabilities in our dependencies.
Password policy
We hash all passwords using the bcrypt algorithm before saving them to our database. All passwords are obfuscated in logs and are never stored anywhere as plain text.
Payments
We use Stripe as our payment processor, meaning that we never store any credit card information on our servers. Stripe forces HTTPS for all services and is certified as a PCI Level 1 Service Provider.
Secure Development
We adhere to best practices and use static application security testing (SAST) within our development process to ensure that we are at minimum protected against the OWASP top 10. We also manually review our code for security vulnerabilities and require developers to participate in security training to learn about common vulnerabilities and threats.
Service Provision
Most updates to Pinpoint are performed with no downtime at all. In cases where some downtime is required, it is scheduled for off-peak hours, usually around midnight at weekends. All incidents and downtime can be found on our status page.
SSL & Encryption
All traffic sent to and from our infrastructure is forced over SSL/TLS, with certificates using 4096-bit RSA keys. You can see our latest SSL Labs report here
Vulnerability Disclosure
At Pinpoint, we are committed to maintaining the trust and safety of our users. We recognise that despite our best efforts, issues may arise that could potentially impact the user experience or data security. We encourage the responsible reporting of any such issues and have established this policy to guide these efforts.
Guidelines for Responsible Reporting
Reporting Channels: If you encounter any issue or irregularity on our platform, please report it via email to security@pinpointhq.com. Include a detailed description of the issue and any relevant information that could help us understand and address it.
Confidentiality: Please keep your findings confidential. Do not disclose them publicly or to third parties until we have had the opportunity to address the issue.
Appropriate Conduct: While investigating issues, please ensure that your actions do not negatively impact Pinpoint, its users, or its data. Do not engage in activities that may be disruptive or harmful, such as DDoS attacks or social engineering of Pinpoint employees.
Legal Compliance: Ensure that your investigation and reporting comply with all applicable laws and regulations.
Our Commitments
Prompt Response: We aim to acknowledge receipt of your report within 72 hours.
Investigation: We take all reports seriously and will investigate them thoroughly.
Communication: We will keep you informed about the status of your report and may reach out if we require further information.
Issue Resolution: We are committed to resolving reported issues in a timely and effective manner.
Protection Against Retaliation: We appreciate your effort in reporting issues responsibly and will not take any form of retaliatory action for reports submitted in good faith.
Policy Updates
This policy is subject to change. We recommend reviewing it periodically for any updates.
Contact Information
For any questions or additional information regarding this policy, please contact support@pinpointhq.com.