Security icon

Security

For questions, concerns or information, please contact our security team

Contact security

Platform Security

Details about our hosting platform security

Physical Access

All of our services run in the cloud. Pactflow does not run its own routers, load balancers, DNS servers, or physical servers.

Cloud Platform

We are hosted entirely within the AWS cloud in ap-southeast-2 region (Sydney, Australia). Read more on the security controls within the AWS data centre.

Encryption Standards

  • Encryption in transit
  • Encryption at rest, including storage in S3, databases and compute file systems
  • Use of AES-256 for data-at-rest
  • Enforcement of TLS1.2+

AWS Services

Our core platform uses the following services, all of which are certified for SOC 1, 2 and 3, ISO27001, PCI and HIPAA:

  • EC2/Fargate/ECS
  • Lambda
  • Cognito
  • KMS
  • Route53
  • Cloudwatch
  • Batch
  • DynamoDB
  • RDS (Postgres)
  • S3

Remote Access

All user accounts are protected by 2FA with least privilege access, any access keys are rotated regularly as are user credentials.

Auditability

Every action within the platform and within the application is recorded into an immutable audit log.

Intrusion Detection and Thread Protection

We run a number of real-time and retrospective threat detection and analysis tools, connected to our alerting and notifications platform, to proactively monitor suspicious or unusual behaviour.

Application Security

Details about our application-level security, defensive programming and software value chain visibility.

Automated Testing and Build Processes

We have an extensive set of automated testing procedures that are run for every code change. We run regular scans for common vulnerabilities, such as OWASP top 10.

Software Dependencies

Pactflow keeps up to date with software dependencies and our release pipeline includes inline automated security measures designed to detect vulnerabilities in our source code, the runtime or in software dependencies.

Development and QA Environments

These environments are separated physically from Pactflow’s production environment. No customer data is ever used in development or QA environments.

User Logins

We use use AWS Cognito as our authentication and identity platform (refer to this page for the multiple security certifications they hold). We don't store any user credentials in our platform. All sensitive data such as password and API tokens are filtered out of logs and exception trackers.

Penetration Testing

Pactflow performs penetration test audits with a contracted third party, when a significant change is introduced into the system that affects our security posture.

Training and Review

All Pactflow employees are required to undertake security training, and all code is reviewed by a senior engineer prior to release to production

Data Protection and Backups

Information on how we store, process and move data.

Data storage location

All data, including backups, are stored in AWS managed data centres in Sydney, Australia (ap-southeast-2). Backups access requires root level access with MFA authentication.

Data in Transit

All data transferred in and out of Pactflow is encrypted using hardened TLS. Pactflow is also protected by HTTP Strict Transport Security and is pre-loaded in major browsers. Additionally, data transferred to and from Pactflow’s backend database is encrypted using TLS.

Policies and Compliance

We maintain security policies that cover: Passwords, BYOD, Confidential Data, Incident Response, Technology Disposal, Acceptable Use and Remote Access. All policies are reviewed at least yearly.

Documentation and Change Control

We manage all our infrastructure as code, allowing us to audit and peer review any changes, and to provide a secure and automated process over what is released to customers.

Employee Access to Data

Pactflow employees will only ever access customer data when it’s required for support related duties. When a customer contacts support, support staff may sign into their account to help debug a problem. When this happens, staff will do their best to respect customer privacy and only access detail required to diagnose and debug the issue.

PCI Obligations

Pactflow is not subject to PCI obligations. All payments processing is outsourced to Chargebee and Stripe.

Vendor Risk Management

How we select our key technology partners and vendors

Categorisation

We categorise all vendors based on the types of data processed and risk to our business. Any new or updated contracts with high-risk suppliers are reviewed by senior management prior to commencement.

High-risk vendors

Suppliers that process personal data (PII), credit card (PCI) or critical infrastructure are required to meet all revelant industry standards such as PrivacyShield, GDPR, PCI-DSS, SOC1/2/3 or ISO27001. We maintain a list of our key suppliers at https://pactflow.io/gdpr-dpa/.

arrow-up icon