Security & Compliance
Pypestream is trusted by leading companies in insurance, telecom, and travel, industries where a single compliance gap ends the deal. Here's everything your InfoSec team needs.
Third-party audited and certified across the frameworks your procurement team requires.
SOC 2 Type II
Annual third-party audit of our security controls covering access management, encryption, incident response, and availability SLAs.
AICPA
Security, Availability, Confidentiality
HIPAA
Full Business Associate Agreement available. PHI never transits Pypestream infrastructure without explicit customer configuration and consent.
HHS
PHI Safeguards & BAA
GDPR
Data Processing Agreement available. EU data residency options in Frankfurt and Dublin. Right-to-erasure workflows built into the platform.
EU Regulation 2016/679
EU Data Residency & DPA
ISO 27001
Certified information security management system covering risk assessment, asset management, access control, and business continuity.
ISO/IEC
Information Security Management
PCI DSS
Level 1 PCI DSS compliance for deployments that handle payment card data. Tokenization and out-of-scope architectures available.
PCI Security Standards Council
Payment Card Data
FedRAMP
FedRAMP authorization in progress for US federal agency deployments. GovCloud deployment available today for civilian agencies.
US Federal Government
Federal Cloud Services
Defense-in-depth across every layer of the stack.
AES-256 encryption for all data at rest. TLS 1.3 for all data in transit. Customer-managed encryption keys (CMEK) available for enterprise deployments.
Dedicated VPC per enterprise customer. No shared compute or storage between tenants. All traffic encrypted in transit with TLS 1.3 and enforced mutual authentication.
Every API call, user action, and conversation event logged with immutable timestamps. Native SIEM integrations with Splunk, Datadog, and AWS CloudTrail.
SSO via SAML 2.0 and OIDC. SCIM provisioning for automated user lifecycle management. Role-based access control with custom permission sets.
Continuous automated scanning via Snyk and Dependabot. Annual penetration testing by independent third parties. CVE response SLA: critical patches within 24 hours.
24/7 security operations monitoring. Defined incident classification and escalation procedures. Customer notification within 72 hours of confirmed breach per GDPR requirements.
Everything your InfoSec and legal teams need to complete their vendor risk assessment.
SOC 2 Type II Report
Full audit report, available under NDA
Business Associate Agreement (BAA)
Standard HIPAA BAA template
Data Processing Agreement (DPA)
GDPR-compliant DPA template
Penetration Test Summary
Executive summary of annual pentest
Security Questionnaire (SIG Lite)
Pre-filled SIG Lite questionnaire
Vendor Risk Assessment
Completed CAIQ / CSA STAR questionnaire
Subprocessor List
Full list of third-party subprocessors
Privacy Policy
Full privacy policy and data handling practices
Documents marked "Under NDA" require a signed mutual NDA before delivery. "On Request" documents are available within 1 business day.
We take security seriously and welcome responsible disclosure of vulnerabilities. If you've discovered a potential security issue, please contact our security team directly. We commit to acknowledging your report within 24 hours and resolving critical issues within 72 hours.
Our security team responds within 1 business day. All documentation is shared under NDA where required.
Book a 30-minute call with our security team to walk your InfoSec reviewers through our architecture, controls, and compliance posture.