Training
All employees complete annual security, privacy, and phishing training. Access is revoked immediately upon offboarding.
Security Overview
How we protect your projects
PinPic was built for teams that rely on brand assets and customer data. This page outlines the technical and organizational safeguards we maintain.
Infrastructure
- Cloud hosting: All services run on hardened cloud infrastructure with network segmentation and least-privilege access.
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest using AES-256. Secrets are stored in a dedicated secrets manager.
- Backups: Encrypted backups run continuously and are tested quarterly for recovery.
Application security
- Role-based access controls, MFA, and session management protect the dashboard.
- Embeds are sandboxed and only load the resources required to render hotspots.
- Automated dependency scanning and manual code reviews precede every release.
- Independent penetration tests are conducted annually; remediation is tracked publicly in the dashboard changelog.
Organizational practices
Vulnerability disclosure
Researchers can report issues to security@pinpic.app. We acknowledge reports within two business days.
Compliance
PinPic maintains SOC 2 Type II controls, GDPR data processing agreements, and supports HIPAA-ready configurations on request.
Customer responsibilities
Security is a shared responsibility. To keep your account safe:
- Use strong passwords and enable multi-factor authentication.
- Limit dashboard access to trusted teammates and review roles regularly.
- Notify us immediately if you suspect unauthorized access.
Incident response
We maintain a 24/7 on-call rotation. If an incident affects your data, we will notify your account owner without undue delay, provide status updates, and share remediation details once resolved.
Report an issue
Email security@pinpic.app or open a ticket from the dashboard. Include reproduction steps, impact, and any logs you can share securely.