Document · Trust Report

Trust report.

A summary of Pondral's security, privacy, and reliability posture. Refreshed quarterly.

Period: Q1 2026 | Uptime: 99.97% | Open incidents: 0

Security posture

Encryption at rest (AES-256) for all data stores. TLS 1.2+ enforced in transit; HSTS preloaded. Secrets managed via AWS KMS with annual rotation.

Access is least-privilege and audit-logged. Production access requires hardware-backed MFA. Quarterly access reviews; immediate revocation on departure.

Privacy posture

GDPR and CCPA/CPRA compliant. EU data residency available on Scale plans. Standard Contractual Clauses (Module 2) executed for all EU-to-US transfers.

No third-party trackers or ad pixels on the product surface. We do not sell or share Customer Data. Data subject requests are honored within 30 days.

Reliability

99.97% uptime over the trailing 90 days. Zero P1 incidents in Q1 2026.

Multi-region deployments with cross-region replication. RTO 4 hours, RPO 1 hour. Quarterly disaster-recovery exercises with documented results.

Vendor management

Subprocessors reviewed quarterly. New subprocessors require security review and DPA execution before production access. 30-day customer notice for any addition.

Vulnerability management

Annual third-party penetration test (most recent: February 2026 — see Penetration Test Summary). Continuous dependency scanning with same-day patches for critical CVEs.

Responsible disclosure policy at /security.txt. We acknowledge receipt within one business day and triage within five.

For security documentation, penetration test summaries, and customer-specific assurance packages, email hello@pondral.com.

Last updated April 2026