The Pipe Platform Achieves Security and Compliance Milestone with SOC 2 Type I Attestation.

Compliance

SOC 2 Type I Compliant

SOC 2 is a framework used to evaluate and validate an organization’s information security practices. It’s widely used in North America, particularly in the SaaS industry. Pipe has undergone SOC 2 assessments by an independent third-party auditing firm and achieved SOC 2 Type I compliance, which means we have demonstrated that our security controls and protocols are designed effectively at a specific point in time.

GDPR Ready

Whether you are based in the EU or outside it, if you process the data of EU data subjects you can rest assured that our platform will help you comply with GDPR requirements. We’ve gone through the compliance process several times in relation to both the data we process for you as a processor (recordings, metadata, snapshots) and the data we hold as a controller.

You should check out our GDPR overview page for more information on how we can help you comply, and feel free to email us any GDPR-related questions at contact@addpipe.com.


Infrastructure Security

Encryption at rest

The Pipe Platform encrypts the data at rest. Our database, ingestion, and processing servers utilize LUKS to encrypt data at rest, while the complimentary storage buckets, hosted on Amazon S3, encrypt data at rest using Amazon S3-managed keys (SSE-S3). The single exception is our complimentary storage bucket, hosted by Scaleway for the EU2 region, due to the provider’s limitations.

System Hardening

We harden our servers using industry best practices. This includes disabling unnecessary services, applying security patches, and configuring firewalls to restrict access to only necessary ports and protocols by specific IP addresses from our infrastructure.

Continuous Backups

We make daily backups of our database and store them in two different secure locations. This ensures that we can quickly restore the database in the event of a failure or data loss. We regularly test our database recovery procedure.

Monitoring and Logging

We continuously monitor our infrastructure for anomalous activity and log all access to our systems. This helps us detect and respond to potential security incidents in a timely manner.

Email Security with DKIM, SPF, and DMARC

We use DKIM, SPF, and DMARC to ensure that our emails are secure and not spoofed. This helps protect our users from phishing attacks and ensures that our communications are legitimate.
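As an added illustration of what "not spoofed" depends on (this is example code written for this page, not Pipe's own tooling), the check below parses the text of published SPF and DMARC TXT records and flags the settings that leave a domain open to spoofing: an SPF record without an "all" mechanism or with "+all", and a DMARC record whose p= is "none", whose pct= is below 100, or which has no rua= reporting address. The sample records are constructed for the example; DKIM is not covered because checking it means verifying a signature on an actual message rather than reading a policy record.

```python
from typing import Dict, List, Optional

# Constructed sample records (not the real records of any domain).
STRONG_SPF = "v=spf1 include:_spf.example.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.com +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF record into its mechanisms and report the qualifier on 'all'.

    Returns {} if the record does not start with v=spf1. The 'all' entry is
    '+', '-', '~' or '?' (a bare 'all' means '+'), or None if absent.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {}
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"mechanisms": terms[1:], "all": all_qualifier}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC record's semicolon-separated tag=value pairs.

    Returns {} unless the record carries v=DMARC1. Tag names are lowered
    so lookups are case-insensitive.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_email_auth(spf_record: str, dmarc_record: str) -> List[str]:
    """Return a list of weaknesses found in the two records; [] means no findings."""
    findings: List[str] = []

    spf = parse_spf(spf_record)
    if not spf:
        findings.append("SPF: no valid v=spf1 record")
    elif spf["all"] is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
    elif spf["all"] == "+":
        findings.append("SPF: '+all' authorises every sender on the internet")
    elif spf["all"] == "?":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")

    dmarc = parse_dmarc(dmarc_record)
    if not dmarc:
        findings.append("DMARC: no valid v=DMARC1 record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= tag")
        elif policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        pct = dmarc.get("pct", "100")
        if pct != "100":
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


if __name__ == "__main__":
    print("strong:", assess_email_auth(STRONG_SPF, STRONG_DMARC))
    print("weak:")
    for finding in assess_email_auth(WEAK_SPF, WEAK_DMARC):
        print("  -", finding)
```

The records are passed in as strings so the check runs offline; in practice they come from the domain's TXT records and the `_dmarc.<domain>` TXT record. A soft-fail `~all` is deliberately not flagged, since it is a common and legitimate transitional setting.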


Product Security

Encryption in Transit

Pipe encrypts the data in transit using TLS 1.3 and TLS 1.2 connections in conjunction with industry-standard strong ciphers:

  • Secure Recording Client Delivery: Our recording client will be embedded in your website or app and delivered to your users securely via HTTPS.
  • Secure Recording: Our recording client uses secure WSS or HTTPS connections to stream or upload recordings to our ingestion media servers.
  • Secure Transfer: Recordings are pulled from the ingestion server to the processing server as soon as possible. The data is encrypted in transit through HTTPS.
  • Secure Push to Storage: The recordings are securely pushed to our EU, US & CA S3 buckets, to your website (through SFTP or FTPS), to your Amazon S3 bucket, or to your Dropbox.
  • Secure Playback: Playback & download from our US & CA Amazon S3 storage buckets or from our EU Scaleway S3 storage bucket is done securely through HTTPS.

Secure API

All API requests to the Pipe Platform are made over HTTPS, ensuring that data is encrypted in transit.

Whitelisted Hosts

Pipe allows you to specify a list of hosts on which the Pipe recorder can be embedded. Such a list helps prevent abuse by malicious users who could otherwise copy your Pipe recording client embed code and use it on other websites.

Authenticated Webhooks

Pipe automatically signs all webhooks, allowing you to verify on your end that the data originates from the Pipe Platform and not a third party.
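To show what "verify on your end" looks like in practice, here is an added example of receiving-side verification of a signed webhook. It is not Pipe's code and does not use Pipe's actual signing scheme: the header names, the HMAC-SHA256-over-timestamp-and-body construction and the replay window are all assumptions chosen for the illustration, and the secret and payload are constructed. The two points it demonstrates are general to any signed webhook: compare signatures in constant time, and verify over the raw request body bytes rather than over a re-serialised copy of the parsed JSON.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Hypothetical header names and scheme, not Pipe's documented ones.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # reject deliveries whose timestamp is older than five minutes

# Constructed shared secret and payload for the example.
SHARED_SECRET = b"example-shared-secret-do-not-use"
SAMPLE_BODY = b'{"event":"video_converted","id":"rec-001"}'


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>'; binding the timestamp limits replay."""
    message = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def sign_webhook(secret: bytes, body: bytes, now: Optional[float] = None) -> Dict[str, str]:
    """Sender side (used here only to build test deliveries): returns the headers to attach."""
    ts = str(int(time.time() if now is None else now))
    return {TIMESTAMP_HEADER: ts, SIGNATURE_HEADER: compute_signature(secret, ts, body)}


def verify_webhook(secret: bytes, headers: Dict[str, str], body: bytes,
                   now: Optional[float] = None) -> bool:
    """Receiver side: True only if the signature matches and the timestamp is fresh.

    `body` must be the exact bytes read from the request; any re-encoding
    (for example json.dumps(json.loads(body))) can change whitespace or key
    order and make a genuine delivery fail verification.
    """
    ts = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts is None or sig is None:
        return False
    try:
        ts_value = int(ts)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts_value) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = compute_signature(secret, ts, body)
    # compare_digest runs in time independent of where the strings differ,
    # so an attacker cannot recover the signature byte by byte from timing.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    sent_at = 1_700_000_000.0
    headers = sign_webhook(SHARED_SECRET, SAMPLE_BODY, now=sent_at)
    print("genuine:", verify_webhook(SHARED_SECRET, headers, SAMPLE_BODY, now=sent_at + 5))
    tampered = SAMPLE_BODY.replace(b"rec-001", b"rec-002")
    print("tampered body:", verify_webhook(SHARED_SECRET, headers, tampered, now=sent_at + 5))
    print("replayed later:", verify_webhook(SHARED_SECRET, headers, SAMPLE_BODY, now=sent_at + 3600))
```

The `now` parameter exists so the freshness window can be tested deterministically; a real handler leaves it unset. Check the provider's own documentation for the real header names and the exact bytes that go into their signature, since that is the part that varies between platforms.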


Organizational Security

Access Control

We implement strict access control measures to ensure that only authorized personnel have access to sensitive data. This includes role-based access controls, multi-factor authentication, and regular access reviews.

Security Awareness Training

We provide regular security awareness training to our employees and contractors to ensure they are aware of the latest security threats and best practices.

Background Checks

We conduct background checks on all employees and contractors who have access to sensitive data. This helps us ensure that we hire trustworthy individuals who will handle data responsibly.

Endpoint Security

We provide our employees and contractors with secure devices and enforce endpoint security measures via specific software. Workstations have disk encryption enabled.


Secure Development Practices

We implement a stringent change management system that helps promote best practices in our development process, including:

  • Code reviews to ensure that all changes are reviewed by at least one other developer before being merged
  • Testing of every change in a development environment, followed by additional testing in a staging environment, before it is deployed to production
  • Branch protection rules to prevent direct commits to the main branch

Vulnerability Scanning

We perform regular vulnerability scans on our infrastructure to identify and resolve potential security issues. This involves scanning our servers and network for known vulnerabilities and misconfigurations. Critical and high-priority vulnerabilities are tracked for remediation.


Bug Bounty

Pipe invites security researchers and ethical hackers to help us identify security vulnerabilities in our platform. The program offers rewards for valid security reports based on the severity of the vulnerability. Security issues can be reported to us via email at security@addpipe.com.


Data Collection

We provide the controls needed to minimize data collection & retention.

Do Not Collect PII Data

You have transparency over what data we touch and control over what data we collect from your users with each recording.

Do Not Store Recordings & Data

Once we successfully process a recording and send the files and data to your storage, we immediately delete local files and data on our servers. Furthermore, you can choose to not use our complimentary storage at all, and instead use only your own storage options, such as Amazon S3, Dropbox, SFTP or FTPS.

Data Lifecycle

We provide you with the ability to set a data lifecycle for your recordings, allowing you to automatically delete recordings after a certain period of time. This can be configured through the Pipe account dashboard.