Security & Compliance
Last updated: 2026-05-03
PinAppAI handles feedback that customers and their end users trust us with. This page is the durable answer to “how is our data handled?” — a complete, specific list of the controls we operate and the documents available on request. Updates here track the live system, not aspirations.
1. Compliance posture
GDPR — compliant
PinAppAI complies with the EU General Data Protection Regulation. Our public legal documents, self-serve data subject rights, internal Records of Processing Activities, and breach notification procedure together implement the obligations under Articles 5, 6, 13–15, 17, 28, 30, 32, and 33–34. See the Privacy Policy, Data Processing Agreement, Sub-processors, and Cookie Policy for the public-facing detail.
SOC 2 Type II — controls implemented; audit on engagement
PinAppAI has implemented the technical and policy controls described by the SOC 2 Trust Services Criteria (Security, Confidentiality, Privacy). The control set covers access management, append-only audit logging, multi-factor authentication, change management, vulnerability management, business continuity, vendor management, and a documented incident response plan.
We do not currently hold a SOC 2 Type II report. A Type II report is a deliverable produced by a licensed CPA firm after auditing controls operating over a 6–12 month observation window. We will commence that audit at the request of any customer whose procurement process requires it. Our compliance platform of choice (Drata) is already evaluated, so the audit clock starts the day a customer engages.
Available today on request, under NDA: our information security policy suite, control matrix mapped to the SOC 2 Trust Services Criteria, latest disaster-recovery test log, sub-processor register, breach response procedure, and risk assessment. Email [email protected] to request these.
2. Data protection
- Encryption in transit. TLS 1.3 across pinappai.com, api.pinappai.com, and app.pinappai.com. HTTPS-only via Cloudflare.
- Encryption at rest. Cloudflare D1 (database) and Cloudflare R2 (object storage) encrypt data at rest by default. Key management is operated by Cloudflare.
- Logical multi-tenancy. Every API query is scoped to a workspace at the middleware layer (requireWorkspaceMember). Cross-workspace access is architecturally prevented, not just policy-prevented.
- No third-party trackers. No analytics, advertising, or cross-site tracking pixels. Strictly-necessary cookies only — see the Cookie Policy.
- Data minimization. Widget feedback collects only the fields the customer enables. Screenshots are opt-in. Special-category data is forbidden by the DPA.
3. Access control
- Authentication. Email-OTP for primary sign-in. Optional TOTP-based 2FA for any account; required for workspace owners on paid plans.
- Backup codes. Issued once at 2FA setup; not recoverable if lost.
- Production access. Limited to the founder via the Cloudflare dashboard with hardware-key-eligible 2FA enforced.
- Least privilege. Four-tier workspace RBAC (viewer < editor < admin < owner) enforced server-side. Destructive actions are owner-only.
- Session security. Sessions expire after 30 days. Users can revoke sessions individually from account settings.
- Quarterly access review. Documented per Access Control Policy.
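The workspace scoping and four-tier RBAC described in sections 2 and 3, as an added illustration (not PinAppAI's code): the membership table, the role-ranking helper, the 404-for-non-members choice and the request shape are constructed assumptions.

```javascript
// Added example: workspace-scoped authorization with server-side role tiers.
// Not PinAppAI's code; table contents and the 404/403 split are constructed.

const ROLE_RANK = { viewer: 0, editor: 1, admin: 2, owner: 3 };

// Constructed sample membership rows (workspace_id, user_id, role).
const MEMBERSHIPS = [
  { workspace_id: "ws_a", user_id: "u_alice", role: "owner" },
  { workspace_id: "ws_a", user_id: "u_bob", role: "editor" },
  { workspace_id: "ws_b", user_id: "u_bob", role: "admin" },
];

// Hypothetical requireWorkspaceMember: resolves the caller's role in the
// requested workspace or denies. Non-members get the same 404 as a
// non-existent workspace, so workspace ids cannot be enumerated.
function requireWorkspaceMember(userId, workspaceId, minRole = "viewer") {
  const row = MEMBERSHIPS.find(
    (m) => m.workspace_id === workspaceId && m.user_id === userId
  );
  if (!row) return { ok: false, status: 404 };
  if (ROLE_RANK[row.role] < ROLE_RANK[minRole]) return { ok: false, status: 403 };
  return { ok: true, role: row.role, workspaceId };
}

// Data access always binds the workspace_id from the verified membership
// context, never from a client-supplied body or query parameter.
function listFeedback(ctx, feedbackRows) {
  return feedbackRows.filter((f) => f.workspace_id === ctx.workspaceId);
}

// Destructive action: owner-only, whatever role the client claims to hold.
function deleteWorkspace(userId, workspaceId) {
  const ctx = requireWorkspaceMember(userId, workspaceId, "owner");
  if (!ctx.ok) return ctx;
  return { ok: true, status: 204 };
}

// Walk-through with constructed feedback rows in two workspaces.
function demo() {
  const feedback = [
    { id: 1, workspace_id: "ws_a", text: "constructed" },
    { id: 2, workspace_id: "ws_b", text: "constructed" },
  ];
  const ctx = requireWorkspaceMember("u_bob", "ws_a");
  return {
    bobSeesInA: ctx.ok ? listFeedback(ctx, feedback).map((f) => f.id) : [],
    bobDeleteA: deleteWorkspace("u_bob", "ws_a").status,   // 403: editor, not owner
    aliceDeleteA: deleteWorkspace("u_alice", "ws_a").status, // 204: owner
    bobInC: requireWorkspaceMember("u_bob", "ws_c").status,  // 404: not a member
  };
}
```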
4. Data subject rights (GDPR)
- Self-serve data export (Article 15) — full JSON dump of your account, sessions, workspaces, projects, feedback, and audit history. Available from the profile menu in app.pinappai.com.
- Self-serve account, workspace, and project deletion (Article 17) — soft-deletion is immediate; permanent deletion runs after a 7-day grace window during which the action can be reversed via in-app banner or signed email recovery link.
- End-user comment edit and delete via X-Edit-Token, available to widget visitors without an account. The customer who installed the widget can also delete on the visitor’s behalf.
- Sub-processor opt-out. Customers may terminate without penalty if they object to a new sub-processor we add.
5. Data retention
Each data category has a defined retention period and a deterministic deletion mechanism. Daily housekeeping at 03:00 UTC enforces these schedules.
| Data | Retention | Mechanism |
|---|---|---|
| Account profile (email, name) | Lifetime of account, then 7 days | Soft-delete + grace window, then daily cron finalizes |
| Sessions | 30 days | Auto-purged on expiry |
| OTP attempts | 30 days | For fraud-prevention auditing |
| Email verifications | Until consumed or expired (1 hour) | Auto-purged |
| Widget feedback (you = controller) | Customer-controlled | Customer deletes via admin or end user via X-Edit-Token |
| Screenshots in R2 | Linked to feedback row | Cascade-deleted with the row, including project/workspace deletion |
| Audit log | 7 years | SOC 2 evidence retention aligned with the tax-records minimum |
| Billing records | 7 years | Legal obligation (when paid plans are active) |
6. Operational security
- Append-only audit log. Mutating actions (data export, account/workspace/project deletion, role changes, feedback edit and delete) are written to an append-only audit_log table. Never updated or deleted by application code.
- Workspace audit viewer. Available to Business-tier owners for in-product review and CSV export. The same rows are returned to all users in their personal data export, regardless of plan, for GDPR Article 15 access.
- 72-hour breach notification. See our DPA § 11. Internal procedure documented in the breach response SOP.
- Daily housekeeping cron. Removes expired sessions, OTP attempts, email verifications, and finalizes grace-window deletions.
- Documented incident response plan. Classification (low / medium / high / critical), communication tree, post-incident review template.
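The deterministic retention sweep from the section 5 table and the daily housekeeping cron above, as an added example (not PinAppAI's code): table and column names, the snapshot timestamp and the sample rows are constructed, and session age is measured from creation.

```javascript
// Added example: plan one run of the 03:00 UTC housekeeping job from the
// retention schedule. Not PinAppAI's code; schema and rows are constructed.

const DAY = 24 * 60 * 60 * 1000;
const RETENTION_MS = {
  grace_window: 7 * DAY,               // soft-deleted accounts: reversible until this elapses
  sessions: 30 * DAY,
  otp_attempts: 30 * DAY,
  email_verifications: 60 * 60 * 1000, // 1 hour, or earlier once consumed
};

// Pure planning step: given the clock and row snapshots, return the ids the
// job will finalize or purge. Keeping planning separate from execution makes
// each run reproducible and gives the audit log an exact record of removals.
function planHousekeeping(nowMs, tables) {
  const expired = (ts, ttl) => nowMs - Date.parse(ts) >= ttl;
  return {
    finalizeAccounts: tables.accounts
      .filter((a) => a.deleted_at !== null && expired(a.deleted_at, RETENTION_MS.grace_window))
      .map((a) => a.id),
    purgeSessions: tables.sessions
      .filter((s) => expired(s.created_at, RETENTION_MS.sessions))
      .map((s) => s.id),
    purgeOtpAttempts: tables.otp_attempts
      .filter((o) => expired(o.created_at, RETENTION_MS.otp_attempts))
      .map((o) => o.id),
    purgeEmailVerifications: tables.email_verifications
      .filter((v) => v.consumed_at !== null || expired(v.created_at, RETENTION_MS.email_verifications))
      .map((v) => v.id),
  };
}

// Constructed snapshot as seen by the job at 2026-05-03T03:00:00Z.
const SAMPLE_NOW = Date.parse("2026-05-03T03:00:00Z");
const SAMPLE_TABLES = {
  accounts: [
    { id: "acc_1", deleted_at: "2026-04-25T10:00:00Z" }, // grace window elapsed: finalize
    { id: "acc_2", deleted_at: "2026-04-30T10:00:00Z" }, // still inside the 7-day window
    { id: "acc_3", deleted_at: null },                   // active or recovered: untouched
  ],
  sessions: [
    { id: "ses_1", created_at: "2026-03-01T00:00:00Z" }, // older than 30 days
    { id: "ses_2", created_at: "2026-05-01T00:00:00Z" },
  ],
  otp_attempts: [
    { id: "otp_1", created_at: "2026-04-02T00:00:00Z" }, // 31 days old
    { id: "otp_2", created_at: "2026-04-04T00:00:00Z" }, // 29 days old
  ],
  email_verifications: [
    { id: "ev_1", created_at: "2026-05-03T01:30:00Z", consumed_at: null }, // 90 min: expired
    { id: "ev_2", created_at: "2026-05-03T02:30:00Z", consumed_at: null }, // 30 min: keep
    { id: "ev_3", created_at: "2026-05-03T02:50:00Z", consumed_at: "2026-05-03T02:55:00Z" }, // consumed
  ],
};
```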
7. Software supply chain
- Dependabot. Weekly grouped dependency update PRs for npm and GitHub Actions.
- Gitleaks secret scanning on every pull request and push.
- Pre-commit hook prevents accidental secret leakage to git history.
- CVE response process documented, including pnpm.overrides for transitive dependency advisories.
- Code review. Every change to production goes via pull request per the Change Management Policy. Solo-founder waiver until the second engineer joins; two-person review becomes mandatory thereafter.
8. Business continuity and disaster recovery
- RPO 24 hours / RTO 4 hours per the Business Continuity Plan.
- Daily D1 snapshots via Cloudflare Time Travel; R2 11-9s durability.
- Annual restore-from-backup test. Most recent test executed 2026-05-03 with measured wall-clock recovery against the documented RTO.
- Bus-factor mitigation. Founder credentials are stored in a sealed vault accessible by one trusted contact, per the Business Continuity Plan.
9. Sub-processors and vendor management
- Public sub-processor register at /sub-processors/, updated whenever it changes.
- 30-day advance notice for new sub-processors that process personal data, per the DPA.
- Annual security reassessment of every sub-processor. SOC 2 / ISO 27001 / EU-US Data Privacy Framework certification preferred when available.
10. Hosting and data residency
PinAppAI runs on the Cloudflare global edge network. Compute (Workers), database (D1), and object storage (R2) are operated by Cloudflare; AI inference is operated by Cloudflare Workers AI. Sub-processor regions and the cross-border transfer mechanism (Standard Contractual Clauses with the UK Addendum where applicable) are documented at /sub-processors/ and the DPA.
Region pinning for D1 and R2 (e.g. EU-only) is available on request for enterprise tier workspaces.
11. Documents available on request
Under a mutual NDA, we will share any of the following with prospective customers and auditors. Most are kept current as of the dates noted on each document.
- Information Security Policy
- Access Control Policy
- Change Management Policy
- Incident Response Plan
- Vendor Management Policy
- Business Continuity Plan
- Risk Assessment and risk register
- Secure SDLC Policy
- Personnel Security Policy
- Internal Acceptable Use Policy
- Records of Processing Activities (Article 30 ROPA)
- Breach response SOP
- Sub-processor change log
- Disaster-recovery restore test log
- SOC 2 control matrix mapped to the Trust Services Criteria
12. Reporting a vulnerability
If you believe you have found a security vulnerability in PinAppAI, please email [email protected] with reproduction steps and your preferred contact method. We acknowledge reports within 72 hours and aim to triage within 5 business days. We do not currently operate a paid bug bounty, but we credit coordinated disclosures in release notes when the reporter consents.
Please do not test against production data that is not your own. If you need a test workspace to demonstrate an issue, ask and we will provision one.
13. Contact
Security questions, compliance documentation requests, or vulnerability disclosures: [email protected].
General questions: [email protected].