Security & Compliance

Security is built into our products, infrastructure, and processes from the ground up. We maintain a comprehensive Information Security Management System (ISMS) with periodic independent review to ensure our controls remain effective.

GDPR

GDPR

General Data Protection Regulation

Data protection program aligned with EU GDPR — data subject rights, privacy-by-design, and records of processing.

CCPA

CCPA

California Consumer Privacy Act

Privacy program addressing CCPA — no sale of personal information, consumer rights honored, and strong data protection safeguards.

CSA STAR

CSA STAR Level 1

CAIQ v4.1 Assessment

Publicly listed in the CSA STAR Registry with a CAIQ v4.1 self-assessment covering all CCM control domains.

View CSA STAR Registry listing →
ISO

ISO/IEC 27001:2022

Information Security Management

ISMS aligned with ISO/IEC 27001:2022 covering the full Annex A control set with regular management review.

SOC2

SOC 2

Security, Availability & Confidentiality

Controls designed against SOC 2 Trust Services Criteria — security, availability, and confidentiality.

REVIEW

Independent Review

External Validation

Independent industry practitioner reviews our ISMS and controls on a regular cadence for external validation.

Data Residency

Customer data at rest

All customer data is stored encrypted at rest in Germany (EU). Encrypted backups remain within the same region.

AI model providers

For code review, pull request content is transmitted to the LLM provider you configure. These providers may process content outside the EU. You control provider selection and may choose providers with EU processing regions where available. See our DPA for details on international transfers and SCCs.

Public Disclosure Program

We operate a public disclosure program for security researchers and the wider community. If you discover a potential security vulnerability in our products or infrastructure, we encourage responsible disclosure. We investigate all credible reports and aim to acknowledge receipt promptly.

Report vulnerabilities through our support portal (select the Security ticket type). Please include a detailed description, steps to reproduce, and any relevant supporting material. We request that you refrain from publicly disclosing the issue until we have had a reasonable opportunity to address it.

We do not currently operate a bug bounty or monetary reward program. We gratefully acknowledge researchers who report issues responsibly.

Controls

Production access restricted

The company restricts privileged access to production systems, databases, and operating systems to authorized users with a business need.

Multi-factor authentication enforced

The company's production systems can only be remotely accessed by authorized personnel possessing a valid multi-factor authentication method.

Remote access encrypted

The company's production systems can only be remotely accessed via an approved encrypted connection.

Environment segregation enforced

The company separates development, test, and production environments to reduce the risk of unauthorized changes.

Infrastructure as code deployed

The company manages all infrastructure through version-controlled configuration with automated security gates before deployment.

Configuration drift monitored

The company detects deviations from secure baseline configurations and either corrects or formally approves them.

Centralized logging enabled

The company utilizes a log management tool to identify events that may have a potential impact on security objectives.

Infrastructure performance monitored

An infrastructure monitoring tool is utilized to monitor systems and performance and generates alerts when specific predefined thresholds are met.

DDoS protection enforced

Network-level DDoS protection and traffic filtering are configured at the network edge.

Subprocessors

We engage the following third-party subprocessors to deliver the PURA Service. Each subprocessor is assessed for security and compliance before engagement and monitored on an ongoing basis. Data processing agreements are in place where required.

SubprocessorServiceData Residency
NetcupCloud hosting & infrastructureEU (Germany)
PostHogProduct analytics & session replayEU (Germany)
EmailLabs (Vercom S.A.)Transactional email deliveryEU (Poland)
BackblazeEncrypted backup storageEU
CloudflareCDN, DNS & network securityGlobal
Atlassian (Jira Service Management)Support & issue trackingGlobal
GitHubSource code hosting & GitHub App platformUSA
Polar.shPayment processing & Merchant of RecordUSA

AI model providers (such as OpenAI, Anthropic, and Google) are not listed above because they are configured by you under your own bring-your-own-key (BYOK) account. Their data handling is governed by your agreement and settings with each provider.

Questions about security?

For security inquiries, GDPR or data subject requests, or to request compliance documentation, contact us at security@pura.sh.

All assessments and reviews on this page are self-assessments or independent peer reviews — not accredited third-party certifications. Our alignment with ISO/IEC 27001, SOC 2, GDPR, and CCPA reflects internal compliance posture; we do not hold an accredited ISO/IEC 27001 certificate or SOC 2 attestation report. The CSA STAR Level 1 listing is a CAIQ v4.1 self-assessment. The independent review is performed by a neutral industry practitioner — not a certified ISMS audit.