Security at Pinwheel
Pinwheel recognises that your company's data is valuable, and protecting it effectively is our mission. We are committed to openness and transparency with all our customers. This document aims to help you to understand our standards and processes.
Our policies, standards and procedures cover areas including Data Protection, Access Control, Asset & Risk Management, Physical Security, Operational & Cryptographic Security and Significant Incident & Disaster Recovery. We have documented policies covering acceptable use, information security & physical security which employees are required to sign and abide by.
Pinwheel is continually developing our internal Information Security Management System (ISMS) to align to ISO/IEC 27001 standards. Our Senior Security Team is led by our Chief Financial Officer, with support provided by our Chief Product Officer and Head of Engineering.
Pinwheel’s platform is a cloud service utilising two hosting providers. Amazon Web Services and Vercel. Amazon Web Services has the highest level of certifications, including ISO 27001, PCI Certification, and SOC. For more compliance information, you can visit AWS Security and AWS Compliance. For information on Vercel’s security certifications and compliance, you can visit Vercel Security.
We only provide detailed architectural information on request. To request more information about Pinwheel's platform architecture please contact us via your assigned account representative.
Data Security, Encryption & Authentication
Data in Transit
All data transmitted between Pinwheel’s servers and a client is encrypted. All connections with Pinwheel’s services are encrypted and served through SSL. You cannot access our service without using HTTPS. All certificates are verified on both sides with third party authorities. Pinwheel supports the latest encryption protocols, standards and signatures (e.g. TLS 1.2, AES256 and SHA2).
Data at Rest & End-User Authentication
Customer data is encrypted when at rest. All of Pinwheel’s data storage is provided by Amazon Web Services. Each of our customers’ data is logically separated from other customers’ data. Passwords are both hashed and salted using one-way encryption, which protect them even in the unlikely event of unauthorized database access.
Application credentials are stored separate from the code base. Clients authenticate with Pinwheel’s API using a session-based system. All of Pinwheel’s endpoints are protected against CSRF attacks and appropriately rate-limited to mitigate against brute-force attacks.
Pinwheel delivers secure authentication via SSO. We support multiple SSO providers (e.g. Microsoft, Google etc.) Pinwheel supports SSO via industry-standard OAuth2 flows, so we don’t store or process passwords on our systems. Users registered through SSO use JIT provisioning. Pinwheel possesses verified partner status for all relevant SSO providers.
All of Pinwheel’s application servers and data centres are based in the UK and EU but may be accessed internationally via the internet. Depending on the location of the requesting client we may process data in transit in other global locations.
Network Security & Hardening
All of Pinwheel’s servers are hardened using industry-standard processes, e.g. removing default passwords, disabling root access and unnecessary ports etc.). We utilise standard configuration files to provision servers and environments, ensuring consistency.
Pinwheel engages independent companies to conduct platform penetration testing every year or during the process of releasing a major feature with significant architecture revisions. Results of these tests are shared with our Senior Security Team. We are happy to share summary results from penetration testing on request from a client or prospective client.
Pinwheel is happy to help enable customer-mandated assessment or penetration tests of Pinwheel’s operations and environment. Please note that depending on the terms of your contract we will assess time involved from our teams in scheduling and executing these activities and may charge for time spent.
New features, performance improvements, and bugfixes are deployed multiple times per week. While agile, our development cycle relies heavily on a system for code quality and security. All code is peer reviewed and requires multiple levels of acceptance on test/staging environments prior to deployment on production. Changes are checked for security and errors via extensive unit, integration, and static analysis tests. Production data is separated from development environments.
Uptime and Reliability
We constantly monitor our service performance and have automatic notifications to ensure rapid response for service interruptions. All code is audited and peer reviewed before deploying to production servers. Our entire codebase is automatically monitored and continually checked for vulnerabilities. We also monitor updates from the security community and immediately update our systems when vulnerabilities are discovered.
Application and customer data is stored redundantly at multiple availability zones within AWS data centres. Customer data is backed up daily and snapshots taken to reduce maximum data loss to a 5-minute period. Backups are retained for 30 days to recover in the event of a disaster. Our application source code is hosted on a cloud provider and continually backed up in multiple availability zones.
Employee Access Control
All access to data across Pinwheel is based on role-based permissions, with the least privilege principle enforced. Employees only have access to data required to fulfil responsibilities. Production access is only provisioned to users where absolutely required.
We have a strict policy that Pinwheel employees with production access only access our customers’ data when necessary to ensure account functionality. The only acceptable reason for an employee to access an individual customer’s account is to reproduce and debug errors that cannot be debugged in testing environments, and permission must be gained.
Pinwheel’s employees are required to use dual-factor passwords whenever a service we use has the ability. An approved authentication application must be utilised to generate access codes.
We have policies that require employees to never store production data on any device.
We maintain automatic access and security logs across our platform and cloud services. Logs are stored for a minimum of 12 months.
All machines and mobile phones issued to Pinwheel employees are standard issue, with configurations designed to meet minimum security standards. All of our devices maintain a consistent security architecture. Devices encrypt data at rest and where available are protected by biometric security.
All devices are updated, location-tracked and monitored by our endpoint security solution. All machines must be locked when not in use. All devices must be enrolled in our mobile device management (MDM) system.
Physical Security Policy
Our office building is secured by the building management and their agents, who provide general security with a central control to monitor and survey all entrances, exits and Common Parts.
Our office operates a card access system to the workplace areas. Photographic electronic cards are issued to each employee to enable access. Employees are required to accompany all visitors around workplace areas and to not leave them unsupervised.
In the event of a security breach, a member of our Senior Security Team will promptly notify any customer of unauthorized access to your data. We are currently developing a service availability incident page which will carry public notifications of platform status and additional incident information.
All employees are governed by documented strict security policies, as covered in the introduction to this document. Copies of these policies can be made available on request.
Everyone at Pinwheel is fully committed to securing your data. If you have further questions we are happy to discuss them. This page contains information which is redacted in parts, to discuss any item in detail please contact us via your account representative.