Security
7min
We take security here at Pin very seriously. Here's an overview of what we do to ensure that your data is safe.
- All requests to Pin including interim connections within Pin's internal infrastructure is encrypted HTTPS, TLS, and/or SSL. Any connection or request using unsecured protocols, like HTTP, are redirected to its counterpart or terminated.
- Pin uses HSTS to let well-known browsers like Google Chrome know and enforce that our website uses HTTPS and that HTTP should be ignored.
- All customer data is encrypted at rest and encrypted in transit.
- All secret keys and customer keys (e.g. integrations) are encrypted with hardware security modules (HSM) for extra protection.
- Credit cards are stored and processed security with Stripe, which is PCI Level 1 compliant.
- All data is hosted in a private environment using Amazon Web Services. All public facing endpoints and IP addresses are monitored and firewalled.
- Access to our private environment requires two-factor authentcation and is allowed only by well-known, company-issued devices. All access attempts are logged and audited in real-time.
- We utilize denial of service (DOS) protection and web application firewalls (WAF) to sensure our services are protected from attacks.
- Our infrastructure is audited automatically and patched automatically where possible. Our team follows a strict 30-day SLA policy to patch all known vulnerabilities.
- Pin uses your inbox to send and receive emails to candidates you choose to get in contact with.
- We require this access to know when candidates respond back to you and stop email automation.
- Pin only stores copies of emails with candidates that were first initiated with Pin. All other emails are discarded.
- Pin uses your calendar to know when you are available and display your calendar in Pin's app.
- We also use your calendar to automatically schedule interviews with candidates when Pin's scheduling automation feature is turned on.
- When enabled, Pin uses Merge to facilitate communicating with your ATS. Merge is highly regarded in the industry and has all the necessary certifications to keep your data safe.
- Pin uses your ATS to know if you've reached out to a candidate in the past and also sync candidates sourced with Pin back to your ATS.
- All employee accounts are protected using 2FA.
- We utilize a password manager to secure online accounts and share across team members.
- We go through annual security testing with our partners.
- We are SOC 2 Type 1 compliant.
- All employees and contracts sign a non-disclosure agreement.
To obtain a copy of our reports, please email [email protected] or email your Pin representative.
We ask that all security researches report security exploits to [email protected]. Reports will be answered within 5 business days. We currently do not issue rewards at this time but we'll be more than happy to advertise your name on this page.
We ask that you do not send reports for the following:
- DOS;
- Automated scripts;
- Mix-content scripts;
- Social engineering;
- Regular bugs;
- Email flooding;
- Input;
- Or not adhering to "best practices"
When submitting a report, reproducable step-by-step instructions and/or video would be greatly appreciated.
