Security at PullPush
Your integration credentials are the keys to your business. We treat them accordingly.
Credential encryption
✓ AES-256-GCM envelope encryption with per-tenant data encryption keys
✓ Master key encrypts per-tenant DEKs; DEKs encrypt connection credentials
✓ Plaintext credentials never exist in the database
✓ Credential rotation supported without downtime
Data protection
✓ TLS 1.2+ for all data in transit
✓ Encrypted storage at rest in PostgreSQL
✓ Webhook signature verification (HMAC-SHA256) to prevent tampering
✓ Redis data is ephemeral — no credentials in cache
Multi-tenancy isolation
✓ Isolated encryption keys per tenant
✓ Row-level data isolation in the database
✓ Independent rate limits and circuit breakers
✓ Separate audit logs per tenant
Operational security
✓ Nightly backups with tested restore procedures
✓ Immutable audit logging for all significant actions
✓ Automated alerting on authentication failures
✓ Principle of least privilege for all service accounts
Privacy & compliance
✓ GDPR compliant by design — data minimization, right to erasure
✓ Plausible Analytics — privacy-friendly, cookie-free
✓ No data selling or sharing with third parties
✓ Data processing agreements (DPA) available for Enterprise
Compliance roadmap
SOC 2 Type II: In progress
ISO 27001: Planned
GDPR: Compliant
Responsible disclosure
Found a security vulnerability? We appreciate responsible disclosure. Please contact us at security@pullpush.ai. See our security.txt for our PGP key and full disclosure policy.