Security at PinPole
PinPole handles architecture blueprints, infrastructure state, and direct AWS account access. We treat that responsibility seriously. This page describes the controls, certifications, and practices in place — and the certification roadmap we are committed to completing.
Last updated: March 2026
PinPole is a young company with a serious security posture. We have not yet accumulated the observation period required for SOC 2 Type II — that is a function of time, not intent or practice. What we have done is build the controls, processes, and evidence collection infrastructure from day one so that our audit record is clean when the Type I observation window closes.
Here is an honest summary of where we stand:
For security review teams: We can provide our current security controls documentation, SOC 2 audit scope letter, pre-audit evidence package, and answers to standard vendor security questionnaires (VSQs). Email security@pinpole.cloud with your organisation name and the review timeline.
PinPole's entire production infrastructure runs on Amazon Web Services (AWS) in the Asia Pacific (Sydney) — ap-southeast-2 region. There are no co-located servers, no third-party data centres, and no infrastructure outside of AWS managed services.
AWS ap-southeast-2 (Sydney)
All customer data — canvas designs, simulation outputs, account records — is stored and processed exclusively within Australia. No data is replicated to international regions by default.
Encryption at rest & in transit
All data at rest is encrypted using AES-256 with keys managed through AWS KMS. All data in transit is encrypted using TLS 1.2 or higher. There are no unencrypted data pathways.
Tenant data isolation
Each customer's canvas data and simulation outputs are stored in isolated data stores. There is no shared storage layer across tenants. Isolation is enforced at the application and infrastructure level.
High availability & DR
Production services are deployed across multiple Availability Zones within ap-southeast-2. RTO and RPO targets are defined, disaster recovery tests are run quarterly, and all primary data stores have automated failover.
Centralised audit logging
All API calls, data access events, administrative actions, and deployment operations are logged to a centralised, tamper-evident log system. Logs are retained for a minimum of 12 months.
AWS-managed service security
PinPole uses AWS managed services (RDS, DynamoDB, Lambda, API Gateway, S3) that inherit AWS's physical and infrastructure security controls, including AWS's own SOC 2 and ISO 27001 certifications.
What data PinPole holds
PinPole holds three categories of customer data:
- Account and identity data: Name, email, organisation, billing information, subscription status.
- Architecture and canvas data: Canvas definitions, service configurations, connection topology, workload profiles, simulation parameters — the intellectual content of your infrastructure designs.
- Simulation and deployment records: Simulation run results, cost estimates, recommendation outputs, execution history, and deployment event logs.
What PinPole does not do with your data
- PinPole does not sell, rent, or trade customer data to any third party.
- PinPole does not use your architecture designs or simulation outputs as training data for AI or machine learning models without your explicit written consent.
- PinPole does not share your architecture data with other customers under any circumstances.
- PinPole support personnel do not have standing access to canvas content or simulation outputs. Any access for support purposes requires your explicit in-session permission.
Retention and deletion
- Canvas and simulation data: Retained for the duration of your active subscription. Deleted within 30 days of account closure.
- Account data: Retained for 90 days after account closure, then securely deleted.
- Billing records: Retained for 7 years to satisfy Australian taxation obligations.
- Audit and access logs: Retained for 12 months, then purged.
Data residency: Architecture data, simulation outputs, and account records are stored exclusively within AWS ap-southeast-2 (Sydney, Australia) and are not replicated to international infrastructure. Some ancillary service providers (analytics, support tooling, payment processing) may process limited account metadata in other regions under appropriate data processing agreements.
Internal access
Access to production systems and customer data within PinPole is governed by the following controls:
- Least privilege: All internal roles are scoped to the minimum access required. Production database access is restricted to a small set of senior engineers.
- MFA required: Multi-factor authentication is mandatory for all employees accessing production environments, identity systems, and cloud management consoles.
- Access review: Internal access rights are reviewed quarterly. Access is revoked immediately upon role change or termination.
- No standing production access: Engineers do not hold persistent access to production data stores. Just-in-time (JIT) access is required for any direct data access and is logged to the audit trail.
- Password policy: All internal accounts follow NIST 800-63B password guidelines. Passwords for critical systems are managed through a secrets manager.
Customer-facing RBAC
Enterprise plan customers can configure role-based access control (RBAC) within PinPole to govern which users can perform design, simulation, deployment, and administrative actions:
- Viewer: Read access to canvases and simulation results only. Cannot initiate simulations or deployments.
- Editor: Full canvas design and simulation rights. Cannot initiate AWS deployments.
- Deployer: Editor rights plus the ability to initiate deployment to connected AWS accounts.
- Admin: Full platform rights including user management, AWS account connections, and billing.
PinPole's deployment feature gives it access to customer AWS accounts. This is the highest-sensitivity capability in the platform and is governed by the following security architecture.
The customer runs a PinPole-provided CloudFormation stack in their own AWS account. This creates a cross-account IAM role scoped to only the AWS services and actions required for the architectures PinPole will deploy. No role is created by PinPole; only the customer controls provisioning.
The ARN of the cross-account role is registered in PinPole. PinPole stores the ARN reference only — no IAM keys or access credentials are stored at any point.
When a deployment is initiated, PinPole calls AWS STS AssumeRole to obtain short-lived session credentials (maximum 1-hour TTL). These credentials are used only for the duration of that deployment operation and are never stored.
PinPole will never initiate a deployment without an explicit, in-platform confirmation action by an authorised user with the Deployer or Admin role. Every deployment is recorded to the Execution History audit log with the user, timestamp, canvas snapshot, and resulting AWS resource ARNs.
The customer can revoke PinPole's cross-account role at any time by deleting or modifying the IAM role directly in their AWS account. This immediately and permanently prevents any further PinPole access, independent of the PinPole platform state.
No long-lived secrets stored: PinPole never stores IAM access keys, secret access keys, or session tokens. The only AWS credential PinPole holds is the customer-controlled Role ARN, which is a non-sensitive identifier. All actual AWS access uses short-lived STS session credentials that expire within 1 hour.
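The flow above gives a customer three things to verify before (or after) running the stack: the registered value really is a role ARN and not a credential, the role's trust policy names only the vendor's account, and the permissions policy carries no service-wide wildcards. The script below is an added example of that customer-side review and is not PinPole's own code or CloudFormation template. The account IDs, external ID and policy documents are constructed placeholders, and the sts:ExternalId check reflects the usual confused-deputy hardening for cross-account roles; the page does not state whether PinPole's stack sets one. The session-length check assumes the role's MaxSessionDuration is what caps the STS TTL at one hour.

```python
"""Customer-side review of a vendor cross-account deployment role.
Added example, not PinPole's code; all IDs and policies are constructed."""
import re

# Placeholder for the vendor's AWS account ID (not PinPole's real account).
VENDOR_ACCOUNT = "111111111111"

# Constructed sample trust policy: only the vendor account may call
# sts:AssumeRole, and only when it presents the agreed external ID.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "placeholder-external-id"}},
    }],
}

# Constructed sample permissions policy: explicit actions, no wildcards.
SAMPLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "cloudformation:CreateStack",
            "cloudformation:UpdateStack",
            "cloudformation:DescribeStacks",
            "lambda:CreateFunction",
            "lambda:UpdateFunctionCode",
        ],
        "Resource": "*",
    }],
}

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def parse_role_arn(arn):
    """Return (account_id, role_name) for a role ARN, else None.
    The ARN carries no secret; this confirms the registered value is a
    role in the customer's account and not an access key."""
    m = ROLE_ARN_RE.match(arn)
    return (m.group(1), m.group(2)) if m else None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, vendor_account):
    """Findings for every Allow statement that grants sts:AssumeRole."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if re.fullmatch(r"\d{12}", p):  # bare account ID means that account's root
                p = f"arn:aws:iam::{p}:root"
            if p == "*":
                findings.append("trust policy lets any AWS principal assume the role")
            elif not p.startswith(f"arn:aws:iam::{vendor_account}:"):
                findings.append(f"trust policy trusts unexpected principal {p}")
        conditions = st.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in conditions:
            findings.append("no sts:ExternalId condition (confused-deputy protection)")
    return findings


def permissions_findings(policy):
    """Flag global or service-wide wildcard actions; the role should be scoped."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"over-broad action {action}")
    return findings


def review_role(role_arn, trust_policy, permissions_policy, vendor_account,
                max_session_seconds=3600):
    """Run all checks. max_session_seconds mirrors the role's
    MaxSessionDuration, which caps the STS session TTL (3600 = 1 hour)."""
    findings = []
    parsed = parse_role_arn(role_arn)
    if parsed is None:
        findings.append("registered value is not a role ARN")
    findings += trust_policy_findings(trust_policy, vendor_account)
    findings += permissions_findings(permissions_policy)
    if max_session_seconds > 3600:
        findings.append(f"MaxSessionDuration {max_session_seconds}s exceeds the 1-hour ceiling")
    return {"role": parsed, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    print(review_role("arn:aws:iam::222222222222:role/ExampleDeployRole",
                      SAMPLE_TRUST_POLICY, SAMPLE_PERMISSIONS_POLICY, VENDOR_ACCOUNT))
```

Run it against the trust and permissions documents from the stack template (or from `aws iam get-role` and `aws iam get-role-policy` output) with the vendor account ID the vendor gives you; an empty findings list means the role matches the model described above, and deleting or editing the role in your own account remains the off switch regardless of the result.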
PinPole operates a structured vulnerability management program covering the full stack:
- Dependency scanning: Automated scanning of all application dependencies on every code commit and nightly. Critical vulnerabilities block deployment to production.
- Static application security testing (SAST): Static analysis is applied to the application codebase as part of the CI/CD pipeline.
- Infrastructure vulnerability assessment: Periodic automated scanning of production infrastructure configuration against CIS benchmark controls.
- Annual penetration testing: PinPole engages an independent third-party security firm to conduct annual penetration testing of the production environment, including the AWS deployment pipeline and authentication surfaces.
- Remediation SLAs: Critical vulnerabilities are remediated within 72 hours. High-severity vulnerabilities within 7 days. Medium within 30 days.
Responsible disclosure
If you have discovered a potential security vulnerability in PinPole, please report it to security@pinpole.cloud. We aim to acknowledge reports within 24 hours and will communicate progress on a fix within 7 business days. We do not pursue legal action against researchers who act in good faith.
PinPole maintains a documented Security Incident Response Plan covering detection, containment, eradication, and recovery. Key commitments:
- 24-hour detection target: PinPole's monitoring infrastructure is designed to detect anomalous access and potential breaches within 24 hours of occurrence.
- Customer notification: In the event of a confirmed security incident affecting Customer Data, PinPole will notify affected customers as quickly as practicable and in accordance with obligations under the Privacy Act 1988 (Cth) Notifiable Data Breaches (NDB) scheme — within 30 days of becoming aware that an eligible data breach has occurred.
- Breach notification content: PinPole will provide customers with a description of the breach, the data affected, the remediation steps taken, and recommendations for any actions customers should take.
- Post-incident review: A root cause analysis and lessons-learned review is conducted after every significant security incident, with findings shared with affected customers on request.
PinPole's compliance programme is aligned with its product and commercial roadmap. The following milestones are committed targets, not aspirations:
If your organisation requires a security review before approving PinPole as a vendor, here is what we can provide and how to request it.
Available documentation
- Security controls summary: A written overview of PinPole's security architecture, controls, and data handling practices — suitable for inclusion in a vendor risk register.
- SOC 2 audit scope letter: A letter from our auditor confirming that a SOC 2 Type I engagement is in progress, including the scope of systems under audit and the expected report date.
- Pre-audit evidence package: Our internal control documentation — policies, access control matrices, encryption configuration evidence, and incident response plan — for customers who cannot wait for the Type I report.
- AWS architecture overview: A description of PinPole's production infrastructure architecture, including network topology, data flow diagrams, and service boundaries.
- Vendor security questionnaire (VSQ) responses: We will complete standard security questionnaires (SIG Lite, CAIQ, or your organisation's proprietary format) within 5 business days.
- Sub-processor list: A current list of all third-party service providers with access to customer data, including their data processing role and certification status.
- Data Processing Addendum (DPA): Available on request for customers with specific data processing agreement requirements.
How to request: Email security@pinpole.cloud with your organisation name, the specific documents required, and your review timeline. We aim to respond within 1 business day and deliver requested documentation within 5 business days.
Bridging the certification gap
We understand that for some organisations, a completed SOC 2 Type I report is a hard procurement requirement. If that is your situation, here are three paths forward:
- Wait for July 2026: Our Type I report is on track for July 2026. If your evaluation timeline permits, we can hold a slot and provide the report as soon as it is issued.
- Pre-audit evidence review: Many security teams can approve a vendor with an in-progress audit and a documented control set. We can walk your security team through our controls in a live review session.
- Conditional approval: Some organisations approve vendors conditionally on receipt of the Type I report within a specified period. We are happy to commit to this in writing.
Does PinPole have standing access to my AWS account?
No. PinPole accesses your AWS account exclusively through a cross-account IAM role that you provision and control. PinPole uses AWS STS to assume that role only when you initiate a deployment action within the platform. No background or automated access occurs outside of explicit, customer-confirmed actions.
You can revoke PinPole's access at any time by deleting or modifying the IAM role in your own AWS account. This takes effect immediately and permanently, with no action required on the PinPole side.
Does PinPole use my architecture data to train AI models?
No. PinPole does not use your architecture designs, simulation configurations, or simulation outputs as training data for any AI or machine learning model without your explicit written consent. Your architecture data is treated as confidential — it is used only to provide you with the platform features you have subscribed to.
Where is my data stored?
All canvas data, simulation outputs, and account records are stored in AWS ap-southeast-2 (Sydney, Australia). This is the default and currently the only region. Data is not replicated internationally.
Ancillary service providers — support tooling, analytics, payment processing — may process limited account metadata (not architecture data) in other regions. Our sub-processor list is available on request.
Does PinPole have a SOC 2 report?
PinPole does not yet have a completed SOC 2 report. Our SOC 2 Type I audit commenced at launch, with a target report date of July 2026. SOC 2 Type II is on our roadmap for Q2–Q3 2027.
For organisations that need something in hand now, we can provide:
- An audit scope letter from our engaged auditor confirming the Type I engagement is in progress
- Our internal security controls documentation and evidence package
- A live walkthrough of our security controls with your security team
- A written commitment to deliver the Type I report upon issuance
Email security@pinpole.cloud to request any of the above.
What happens to my data if PinPole is acquired or ceases operating?
In the event of a business discontinuation, PinPole's Customer Agreement provides a 30-day data retrieval window during which you can export all canvas data and IaC outputs. Following that window, data is securely deleted.
In the event of an acquisition, you will receive 30 days' written notice and the right to terminate your subscription without penalty if the acquisition materially affects your rights under the agreement.
PinPole's IaC export feature means your infrastructure designs are never locked in — any canvas state can be exported as Terraform HCL or AWS CDK at any time, giving you a vendor-independent artefact you can take with you.
Will PinPole sign a DPA or custom security addendum?
Yes. PinPole's standard Data Processing Addendum (DPA) is available on request. For Enterprise plan customers with specific legal or regulatory requirements, we are willing to review and negotiate custom security addenda within reason. Contact legal@pinpole.cloud with your requirements.
How do I request deletion of my data?
You can request deletion of your data at any time by emailing privacy@pinpole.cloud. Canvas and simulation data is deleted within 30 days of a verified deletion request. Account data is deleted within 90 days. Billing records are retained for 7 years as required by Australian taxation law.
For security reviews, vendor questionnaires, vulnerability reports, or any other security enquiry:
PinPole Pty Ltd — Security Team
ABN 75 631 505 694
Security & compliance: security@pinpole.cloud
Privacy & data: privacy@pinpole.cloud
Legal & DPA: legal@pinpole.cloud
Website: www.pinpole.cloud
We aim to respond to all security enquiries within 1 business day and to deliver requested documentation within 5 business days.
Last updated March 2026 · © 2026 PinPole Pty Ltd. All rights reserved.