Security overview

Pipelizo holds SOC 2 Type II and ISO/IEC 27001:2022 certifications. Reports are available under NDA from our security portal.

Pipelizo is HIPAA-ready for Scale customers with a signed BAA, and GDPR / UK-GDPR / CCPA compliant by default.

Customer data is encrypted at rest using AES-256-GCM with per-tenant data encryption keys (DEKs) wrapped by per-region key encryption keys (KEKs) stored in cloud HSM. Keys rotate every 90 days.

Data in transit is encrypted using TLS 1.3 with certificate pinning on our mobile apps.

Customer workspaces support SAML 2.0 SSO, SCIM provisioning, IP allow-listing, hardware-key 2FA enforcement, and granular role-based access control.

Internal Pipelizo employee access to customer data is strictly limited, requires individual just-in-time approval, and is fully logged. Production access requires hardware MFA.

Pipelizo runs on top-tier cloud infrastructure across four regions (EU/UK/US/APAC). Each region is multi-AZ with automated failover.

Daily encrypted backups are retained for 35 days. RPO is <15 minutes; RTO is <1 hour.

Pipelizo undergoes annual third-party penetration testing. We run a public bug bounty program — reports go to support@pipelizo.com.

All code changes pass static analysis, dependency scanning (SCA), and require approval from a different engineer before merge.

We maintain a documented incident response plan tested twice per year. Customer notification SLA: within 72 hours of confirmed security incidents affecting customer data.

Status page: status.pipelizo.com — subscribe via RSS, email, or webhook.

Pipelizo AI does not train on customer workspace data without explicit per-workspace opt-in. Inference is per-tenant isolated.

No customer data is used for marketing or analytics outside the customer's own workspace.

Found a security issue? Email support@pipelizo.com with PGP key 0x4F2DD9. We confirm receipt within 24 hours and pay bounties for valid reports.