Security & compliance
Pact is built on a SOC 2 Type II + HIPAA-ready managed Postgres tier, with encryption at rest and in transit, IP allow-listing, private networking, and tenant isolation enforced at the substrate. This page describes the posture as it stands today — what we've shipped, and what is in progress.
In production today
SOC 2 Type II data layer
Our cloud-managed Postgres provider holds SOC 2 Type II attestation. The attestation report is available to enterprise customers under NDA on request.
HIPAA-ready data layer
The managed Postgres tier supports the HIPAA controls required for storing PHI under a Business Associate Agreement (BAA). Customers handling PHI should request a BAA before loading clinical data — contact sales.
99.95% uptime SLA
Multi-AZ managed Postgres with autoscaling compute (0.25 – 8 CU on the primary; never scales to zero). Instant read replicas isolate heavy analytics reads from the write path.
Encryption at rest + in transit
AES-256 at rest across compute and storage. TLS 1.2+ on every public endpoint and on database connections (sslmode=require). Tenant-managed keys for BYOK PII fields.
Private networking
In our primary region (us-east-1), application↔database traffic stays on the cloud-provider private network — it does not transit the public internet. Public ingress is locked to a published allow-list.
IP allow-listing
Public database access is restricted to the Pact application's egress CIDR and operator IPs. Preview environments use isolated branches with their own connection strings.
Per-PR database isolation
Every code change in our pipeline gets its own isolated database branch via our managed Postgres provider's branching primitive. Test data and migrations are never run against production state.
Tenant isolation
Every query carries a tenant_id check at the substrate level. Cross-tenant reads are structurally impossible, not just policy-blocked. Verified by an integration-test invariant on every PR.
Append-only audit log
Every mutation produces an immutable event. Nothing is deleted — only superseded. Operators can search the log; tenants can export it.
Consent matrix per contact
Per-jurisdiction (GDPR / CCPA / CASL / others) consent state per contact per channel, with point-in-time history. Sends route through core.consent + core.frequency_caps before egress.
DSAR fulfilment
Right-to-access, right-to-rectification, right-to-erasure, and right-to-portability requests are first-class data-flow objects, not a quarterly compliance scramble. SLA-tracked from receipt.
Hourly managed database telemetry
Compute utilization, replication lag, branch count, active time, and data transfer are sampled hourly and pushed to our observability backend. Replication lag > 5s pages on-call.
In progress
Pact's own SOC 2 attestation
We're working with an auditor on Pact's own SOC 2 Type II report (covering the application tier, not just the data layer). Target: late 2026. Until then, we only claim SOC 2 on the substrate.
Penetration test reports
The first external pen-test is scheduled. Reports will be available to enterprise customers under NDA once the report and remediations land.
ISO 27001
Scoping discussion underway with a 27001-certified auditor. We'll publish a target date once the scope is locked.
Sub-processors
The complete sub-processor schedule — specific providers, certifications, DPA-on-file dates, and change-notification subscription — is published on our Trust Center or available on request at legal@pact.place. AI features (where enabled for your tenant) use Anthropic by default; no data is sent to any AI provider unless the feature is explicitly enabled for your tenant.
Retention & deletion
By default we retain customer data for the term of the contract plus 30 days for recovery. Tenants can request earlier deletion at any time; the same DSAR machinery that handles end-user erasure handles tenant-wide deletion. Backups roll out of point-in-time history within 7 days.
Reporting a vulnerability
Found something? Email security@pact.place. We'll acknowledge within one business day and keep you updated through remediation. Coordinated disclosure timeline is 90 days from acknowledgement; we will of course move faster if the issue is critical.
Last reviewed: 2026-06-18. This page describes the production substrate; the canonical legal commitments are in the Terms of Service and Data Processing Addendum.