We respect our customers' privacy and keeping our customers' data protected at all times is our highest priority.
This security policy provides a high-level overview of the security practices put in place to achieve that objective.
Employees at Pinpoint are only ever given access to services that are required for them to perform their job. Wherever possible 2 factor authentication is implemented when using external services.
Our internal procedures prevent employees from gaining access to user data. Limited exceptions can be made for customer support.
We automate our backup process and keep daily backups for the last 30 days. All backups are encrypted at rest.
Disaster Recovery (DR)
Pinpoint is managed at a high level using the Cloud66 PaaS offering, meaning the entire App stack can quickly be cloned to new hardware if the infrastructure within the Digital Oceans AMS3 datacenter becomes unavailable. LON1 is our designated DR site as it is accredited to the same standard as AMS3.
External Security Testing
We perform dynamic application security testing (DAST) via the use of a service called Detectify. Detectify is a web security scanner that works with ethical hackers to perform fully automated tests to identify vulnerabilities on web applications.
We're compliant with the General Data Protection Regulations (GDPR) and provide each company with branded page contain detailing their own GDPR privacy notice.
If candidates have actively applied for a role, consent to process their data is implied through GDPR's legitimate interest caveat, however we also include a checkbox on all application forms asking for consent to use their personal data for other purposes.
Candidates are able to exercise their right to erase by using our 'manage my data' functionality at any point.
All of our infrastructure is cloud based with our service built using infrastructure provided by Digital Ocean and Amazon Web Services (AWS) from UK and European data centres. The application servers are hosted by Digital Ocean, with files and backups being stored and served from the AWS.
All data centres have been accredited under at least:
ISO/IEC 27001:2023 or ISO/IEC 27001:2013
We use Sqreen to monitor and protect our infrastructure from automated scanners, bots and targeted attacks. It blocks attacks and alerts in case of critical threats. It also brings additional features like IP blocking, suspicious behavior monitoring, and informs us of any vulnerabilities in dependencies.
We hash all passwords using the bcrypt algorithm before saving them to our database. All passwords are obfuscated in logs and are never stored anywhere as plain text.
We use Stripe as our payment processor, meaning that we never store any credit card information on our servers. Stripe forces HTTPS for all services and is certified as a PCI Level 1 Service Provider.
We adhere to best practices and use static application security testing (SAST) within our development process to ensure that we are at minimum protected against the OWASP top 10. We also manually review our code for security vulnerabilities and require developers to participate in security training to learn about common vulnerabilities and threats.
Most updates to Pinpoint are performed with no downtime at all. In cases where some downtime is required, it is scheduled for off peak hours, usually at around midnight at weekends. All incidents and downtime can be found on our status page.
SSL & Encryption
All traffic sent to our from our infrastructure is forced over SSL, with certificates created using the RSA 4096 bit cipher. You can see our latest SSLLabs report here
You can report vulnerabilities by contacting firstname.lastname@example.org