Compliance you can verify.
Pact is the consent-native CRM. Security and privacy aren’t a checkbox we bolt on — they’re the architecture. Every status below is backed by code that actually runs in production: 6 of 7 frameworks map to a live subsystem.
Certifications & frameworks
SOC 2 Type II
AICPA TSC 2017
Continuous evidence collection across the five Trust Services Criteria.
Pact runs an automated SOC 2 evidence engine that turns the live state of tenant isolation, RBAC, encryption, audit logging, sub-processor management and data deletion into dated, hash-stamped artifacts. Monthly bundles and an auditor package are generated on demand.
Backed by code
ISO/IEC 27001:2022
Annex A control matrix, risk register and Statement of Applicability.
All 93 Annex A:2022 controls are modelled in code. Controls Pact discharges technically — encryption, access control, logging, deletion — are pre-populated as implemented in the Statement of Applicability with the implementing subsystem cited.
Backed by code
HIPAA
Self-serve Business Associate Agreement and PHI-grade safeguards.
A standard HIPAA Business Associate Agreement (45 CFR §§164.502(e), 164.504(e), 164.314(a)) is generated on demand, hash-stamped for verification, and ready for counter-signature. ePHI is encrypted in transit and at rest with tenant-scoped keys.
Backed by code
PCI DSS
PCI DSS v4.0 — SAQ A
Pact never stores, processes or transmits cardholder data.
Payment card data is handled entirely by Stripe, a PCI DSS Level 1 service provider. Pact's systems never touch primary account numbers, so the platform is eligible for the SAQ A self-assessment with the smallest possible card-data scope.
SOC 3
Public-facing general-use report derived from SOC 2 evidence.
A SOC 3 report is the freely distributable summary of the SOC 2 examination. Pact generates the public-safe subset of its SOC 2 evidence as a SOC 3 summary.
Backed by code
GDPR
Consent-native by design; DSR workflow with a 30-day statutory clock.
Consent, lawful basis and suppression are first-class. Data Subject Requests (access, portability, deletion, rectification) run through a tracked workflow with auto-collection and tamper-evident erasure manifests. Standard Contractual Clauses are generated for EU transfers.
Backed by code
CCPA / CPRA
Consumer rights honored through the same DSR workflow as GDPR.
Access, deletion and opt-out rights under the CCPA/CPRA and the newer state privacy laws (VCDPA, CPA, CTDPA) are served by the unified Data Subject Request workflow and the consent ledger.
Backed by code
Security capabilities
Encryption everywhere
AES-256 at rest with tenant-scoped keys and customer-managed KMS (BYOK); TLS 1.2+ in transit.
Tenant isolation
Every query is tenant-scoped at the data layer; a static CI gate fails the build on a leak.
Role-based access control
RBAC, SSO (SAML 2.0 / OIDC), SCIM provisioning and optional MFA.
Append-only audit log
Security-relevant events are recorded immutably with retention for forensic review.
Data subject requests
Access / portability / deletion / rectification with a 30-day clock and erasure receipts.
Consent-native
Consent, lawful basis and suppression are enforced before any send — not bolted on after.
Sub-processors
The infrastructure providers Pact relies on to deliver the service. Each is bound by a data-processing agreement with terms at least as protective as ours.
| Provider | Purpose | Location | Certifications |
|---|---|---|---|
| Microsoft Azure | Primary application & database hosting | United States / EU | SOC 2, ISO 27001, ISO 27018, HIPAA |
| Fly.io | Edge application runtime | United States / Global | SOC 2 |
| Neon | Serverless Postgres (demo & staging) | United States | SOC 2 |
| Cloudflare | CDN, DNS & DDoS protection | Global edge | SOC 2, ISO 27001 |
| Stripe | Payment processing | United States | PCI DSS Level 1, SOC 2 |
| Anthropic | AI model inference (no training on customer data) | United States | SOC 2 |
| Sentry | Error monitoring (PII-scrubbed) | United States | SOC 2 |
Your data is portable
Your data is portable on every plan — including the Free plan, after a downgrade, and after cancellation. There is no export paywall and no lock-in.
Security & uptime events
1 incident in the last 90 days, now resolved. See the live status page.
Elevated API latency on sequence send (demo)
Minor · Resolved · Investigating elevated p95 latency on /v1/sequences/* writes.
5/21/2026 · resolved 5/22/2026
Bug bounty & disclosure
Coordinated disclosure is open to everyone; a paid bounty program is running in private beta and expanding. Email security@pact.place to request an invite or to report an issue.
Safe harbor. Good-faith research that respects these rules is authorized: no data exfiltration beyond what's needed to prove an issue, no service degradation, no access to other tenants' data, and a reasonable disclosure window before going public. We will not pursue legal action against researchers who follow them.
In scope
- *.pact.place application and API surfaces
- Authentication, tenant isolation (IDOR), and access-control flaws
- Data exposure and injection vulnerabilities
Out of scope
- Denial of service / volumetric testing
- Social engineering and physical attacks
- Findings that require a rooted device or a compromised browser
- Reports from automated scanners without a working proof of concept
Vulnerability disclosure
Pact welcomes coordinated disclosure of security issues. Report to security@pact.place; we acknowledge within 2 business days and do not pursue good-faith researchers.
security@pact.place
Documentation
The SOC 2 Type II auditor package and ISO 27001 Statement of Applicability are available to customers and prospects under NDA. Healthcare buyers can request a HIPAA Business Associate Agreement directly from their Pact admin console.
Powered by Pact — the consent-native CRM. Statuses are read live from Pact’s control registry.