Security & Compliance
Security is built into our products, infrastructure, and processes from the ground up. We maintain a comprehensive Information Security Management System (ISMS) with periodic independent review to ensure our controls remain effective.
GDPRGDPR
General Data Protection Regulation
Data protection program aligned with EU GDPR — data subject rights, privacy-by-design, and records of processing.
CCPACCPA
California Consumer Privacy Act
Privacy program addressing CCPA — no sale of personal information, consumer rights honored, and strong data protection safeguards.
CSA STARCSA STAR Level 1
CAIQ v4.1 Assessment
Publicly listed in the CSA STAR Registry with a CAIQ v4.1 self-assessment covering all CCM control domains.
View CSA STAR Registry listing →ISO/IEC 27001:2022
Information Security Management
ISMS aligned with ISO/IEC 27001:2022 covering the full Annex A control set with regular management review.
SOC 2
Security, Availability & Confidentiality
Controls designed against SOC 2 Trust Services Criteria — security, availability, and confidentiality.
Independent Review
External Validation
Independent industry practitioner reviews our ISMS and controls on a regular cadence for external validation.
Data Residency
Customer data at rest
All customer data is stored encrypted at rest in Germany (EU). Encrypted backups remain within the same region.
AI model providers
For code review, pull request content is transmitted to the LLM provider you configure. These providers may process content outside the EU. You control provider selection and may choose providers with EU processing regions where available. See our DPA for details on international transfers and SCCs.
Public Disclosure Program
We operate a public disclosure program for security researchers and the wider community. If you discover a potential security vulnerability in our products or infrastructure, we encourage responsible disclosure. We investigate all credible reports and aim to acknowledge receipt promptly.
Report vulnerabilities through our support portal (select the Security ticket type). Please include a detailed description, steps to reproduce, and any relevant supporting material. We request that you refrain from publicly disclosing the issue until we have had a reasonable opportunity to address it.
We do not currently operate a bug bounty or monetary reward program. We gratefully acknowledge researchers who report issues responsibly.
Controls
Production access restricted The company restricts privileged access to production systems, databases, and operating systems to authorized users with a business need. | |
Multi-factor authentication enforced The company's production systems can only be remotely accessed by authorized personnel possessing a valid multi-factor authentication method. | |
Remote access encrypted The company's production systems can only be remotely accessed via an approved encrypted connection. | |
Environment segregation enforced The company separates development, test, and production environments to reduce the risk of unauthorized changes. | |
Infrastructure as code deployed The company manages all infrastructure through version-controlled configuration with automated security gates before deployment. | |
Configuration drift monitored The company detects deviations from secure baseline configurations and either corrects or formally approves them. | |
Centralized logging enabled The company utilizes a log management tool to identify events that may have a potential impact on security objectives. | |
Infrastructure performance monitored An infrastructure monitoring tool is utilized to monitor systems and performance and generates alerts when specific predefined thresholds are met. | |
DDoS protection enforced Network-level DDoS protection and traffic filtering are configured at the network edge. |
Subprocessors
We engage the following third-party subprocessors to deliver the PURA Service. Each subprocessor is assessed for security and compliance before engagement and monitored on an ongoing basis. Data processing agreements are in place where required.
| Subprocessor | Service | Data Residency |
|---|---|---|
| Netcup | Cloud hosting & infrastructure | EU (Germany) |
| PostHog | Product analytics & session replay | EU (Germany) |
| EmailLabs (Vercom S.A.) | Transactional email delivery | EU (Poland) |
| Backblaze | Encrypted backup storage | EU |
| Cloudflare | CDN, DNS & network security | Global |
| Atlassian (Jira Service Management) | Support & issue tracking | Global |
| GitHub | Source code hosting & GitHub App platform | USA |
| Polar.sh | Payment processing & Merchant of Record | USA |
AI model providers (such as OpenAI, Anthropic, and Google) are not listed above because they are configured by you under your own bring-your-own-key (BYOK) account. Their data handling is governed by your agreement and settings with each provider.
Questions about security?
For security inquiries, GDPR or data subject requests, or to request compliance documentation, contact us at security@pura.sh.
All assessments and reviews on this page are self-assessments or independent peer reviews — not accredited third-party certifications. Our alignment with ISO/IEC 27001, SOC 2, GDPR, and CCPA reflects internal compliance posture; we do not hold an accredited ISO/IEC 27001 certificate or SOC 2 attestation report. The CSA STAR Level 1 listing is a CAIQ v4.1 self-assessment. The independent review is performed by a neutral industry practitioner — not a certified ISMS audit.