

Pactflow takes security seriously, implementing the Center for Internet Security (CIS) IG 1 Standard or better. For questions, concerns or information, please contact our security team.

Contact security

Platform Security

Details about our hosting platform security

Physical Access

All of our services run in the cloud. Pactflow does not run its own routers, load balancers, DNS servers, or physical servers.

Cloud Platform

We are hosted entirely within the AWS cloud in the ap-southeast-2 region (Sydney, Australia). Read more on the security controls within the AWS data centre.

Encryption Standards

  • Encryption in transit
  • Encryption at rest, including storage in S3, databases and compute file systems
  • Use of AES-256 for data-at-rest
  • Enforcement of TLS 1.2+

AWS Services

Our core platform uses the following services, all of which are certified for SOC 1, 2 and 3, ISO27001, PCI and HIPAA:

  • EC2/Fargate/ECS
  • Lambda
  • Cognito
  • KMS
  • Route53
  • CloudWatch
  • Batch
  • DynamoDB
  • RDS (Postgres)
  • S3

Remote Access

All user accounts are protected by 2FA with least-privilege access. Access keys are rotated regularly, as are user credentials.


Every action within the platform and within the application is recorded into an immutable audit log.

Intrusion Detection and Threat Protection

We run a number of real-time and retrospective threat detection and analysis tools, connected to our alerting and notifications platform, to proactively monitor suspicious or unusual behaviour.

Application Security

Details about our application-level security, defensive programming and software value chain visibility.

Automated Testing and Build Processes

We have an extensive set of automated testing procedures that are run for every code change. We run regular scans for common vulnerabilities, such as the OWASP Top 10.

Software Dependencies

Pactflow keeps up to date with software dependencies and our release pipeline includes inline automated security measures designed to detect vulnerabilities in our source code, the runtime or in software dependencies.

Development and QA Environments

These environments are separated physically from Pactflow’s production environment. No customer data is ever used in development or QA environments.

User Logins

We use AWS Cognito as our authentication and identity platform (refer to this page for the multiple security certifications they hold). We don't store any user credentials in our platform. All sensitive data such as passwords and API tokens are filtered out of logs and exception trackers.

Penetration Testing

Pactflow performs penetration test audits with a contracted third party when a significant change is introduced into the system that affects our security posture.

Training and Review

All Pactflow employees are required to undertake security training, and all code is reviewed by a senior engineer prior to release to production.

Secure access and administration

Pactflow supports enterprise authentication and entitlement management via SAML 2.0 SSO, including SCIM support for automated user, group and role provisioning and deprovisioning.

Data Protection and Backups

Information on how we store, process and move data.

Data storage location

All data, including backups, is stored in AWS managed data centres in Sydney, Australia (ap-southeast-2). Access to backups requires root-level access with MFA.

Data in Transit

All data transferred in and out of Pactflow is encrypted using hardened TLS. Pactflow is also protected by HTTP Strict Transport Security and is pre-loaded in major browsers. Additionally, data transferred to and from Pactflow’s backend database is encrypted using TLS.


We provide an uptime guarantee of 99.9%, protected by our terms and conditions. In practice, our platform is generally available 99.99% or greater.

Recovery objectives

  • Recovery time objective (RTO): 8 hours
  • Recovery point objective (RPO): 1 hour

Policies and Compliance

We comply with policies based on CIS IG 1. All policies are maintained regularly and reviewed at least yearly.

Read more on our policies below

Policies and Standards

  • Systems and Organization Control 2 - Type 1
  • Standard - Information Security Management system (ISMS) Standards
  • Policy - Information Security Risk Management Policy
  • Policy - Access Control Policy
  • Policy - Account Management / Access Control Policy
  • Policy - Identification and Authentication Policy
  • Standard - Remote Access Standard
  • Standard - Encryption Standard
  • Policy - Configuration Management Policy
  • Standard - Configuration Management Standard
  • Standard - Patch Management Standard
  • Standard - Wireless Network Security Standard
  • Standard - Logging Standard
  • Policy - System and Communications Protection Policy
  • Policy - Disaster Recovery Policy
  • Policy - Incident Response Policy
  • Standard - Incident Response Standard
  • Standard - Security Awareness Training
  • Business Continuity Plan

Documentation and Change Control

We manage all our infrastructure as code, allowing us to audit and peer review any changes, and to provide a secure and automated process over what is released to customers.

Employee Access to Data

Pactflow employees will only ever access customer data when it’s required for support-related duties. When a customer contacts support, support staff may sign into their account to help debug a problem. When this happens, staff will do their best to respect customer privacy and only access the detail required to diagnose and debug the issue.

PCI Obligations

Pactflow is not subject to PCI obligations. All payment processing is outsourced to Chargebee and Stripe.

Vendor Risk Management

How we select our key technology partners and vendors


We categorise all vendors based on the types of data processed and risk to our business. Any new or updated contracts with high-risk suppliers are reviewed by senior management prior to commencement.

High-risk vendors

Suppliers that process personal data (PII), credit card (PCI) or critical infrastructure are required to meet all relevant industry standards such as PrivacyShield, GDPR, PCI-DSS, SOC1/2/3 or ISO27001. We maintain a list of our key suppliers at
