Security Policy

How PipeRich protects your data through comprehensive security measures

Effective April 1, 2026

Security is a foundational commitment at PipeRich. This policy describes the technical and organizational measures we implement to protect the confidentiality, integrity, and availability of your data.

1. Overview

PipeRich maintains a comprehensive information security program designed to protect our Services and the data entrusted to us. Our security program is built on industry best practices and aligns with recognized frameworks including SOC 2 Type II and ISO 27001.

We take a defense-in-depth approach, implementing multiple layers of security controls across our infrastructure, applications, and organizational processes.

2. Infrastructure Security

2.1 Cloud Infrastructure

Our Services are hosted on Amazon Web Services (AWS), a leading cloud provider with extensive certifications including SOC 1/2/3, ISO 27001, PCI DSS, and FedRAMP. We leverage AWS security features including VPCs, security groups, IAM roles, and encryption services.

2.2 Network Security

  • All traffic to and from our Services is protected by TLS 1.2 or higher
  • Cloudflare provides DDoS protection, WAF filtering, and rate limiting at the network edge
  • Internal services communicate over private networks with no direct public internet exposure
  • Network access is restricted using the principle of least privilege

2.3 Physical Security

PipeRich relies on the physical security controls of AWS data centers, which include biometric access controls, 24/7 security personnel, surveillance systems, and redundant power and cooling infrastructure.

3. Data Encryption

3.1 Encryption in Transit

All data transmitted between clients and our Services is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints and use HSTS to prevent protocol downgrade attacks.

3.2 Encryption at Rest

Customer data stored in our databases and object storage is encrypted at rest using AES-256 encryption. Encryption keys are managed using AWS Key Management Service (KMS) with strict access controls.

3.3 Key Management

Cryptographic keys are rotated regularly and stored securely. Access to encryption keys is restricted to authorized systems and personnel on a need-to-know basis.

4. Access Controls

4.1 Authentication

  • Multi-factor authentication (MFA) is required for all internal systems and administrative access
  • PipeRich employees use SSO for access to internal systems
  • Customer-facing systems support MFA and SAML-based SSO for enterprise customers

4.2 Authorization

We implement role-based access control (RBAC) across our Services. Access is granted based on the principle of least privilege. User permissions are reviewed quarterly and revoked promptly upon employee offboarding.

4.3 Privileged Access

Access to production systems and customer data is strictly limited and requires additional approval. All privileged access is logged and monitored. We use just-in-time (JIT) access controls to minimize standing privileges.

5. Monitoring and Detection

  • Comprehensive logging is enabled across all Services and infrastructure components
  • Security events are aggregated in a centralized SIEM system
  • Automated alerting is configured for anomalous activity and security events
  • Our security team reviews alerts and investigates potential incidents 24/7
  • Regular log reviews and threat hunts are conducted to identify potential threats

6. Incident Response

6.1 Incident Response Plan

PipeRich maintains a documented incident response plan that defines roles, responsibilities, and procedures for detecting, containing, and recovering from security incidents.

6.2 Notification

In the event of a security incident affecting your data, PipeRich will notify affected customers promptly and in accordance with our contractual obligations and applicable law. Notifications will include the nature of the incident, data affected, and steps taken to address it.

6.3 Post-Incident Review

Following any significant security incident, PipeRich conducts a post-incident review to identify root causes, assess the effectiveness of our response, and implement improvements to prevent recurrence.

7. Compliance and Certifications

PipeRich's security controls are independently verified through third-party audits:

  • SOC 2 Type II: Annual audit of security, availability, and confidentiality trust service criteria
  • Penetration Testing: Annual third-party penetration tests of our infrastructure and applications
  • Vulnerability Scanning: Continuous automated scanning for known vulnerabilities

Customers under an enterprise agreement may request copies of our SOC 2 Type II report under NDA.

8. Vulnerability Disclosure

We appreciate responsible disclosure of security vulnerabilities. If you believe you have discovered a security issue in our Services, please report it to:

Email: security@piperich.com

Please provide sufficient detail to allow us to reproduce and address the issue. We will acknowledge your report within 48 hours and work to resolve valid vulnerabilities promptly. We ask that you refrain from publicly disclosing any vulnerability until we have had a reasonable opportunity to address it.

For questions about our security practices, contact us at security@piperich.com.