Tested. Trusted. Assured.

PumpCX Trust Center

Transparency into PumpCX's security practices, compliance certifications, and the controls that protect customer data. Access audit reports by registering below.

Compliance

Our Certifications

PumpCX maintains industry-leading certifications to ensure your data is handled with the highest standards of security and privacy.

🛡️

SOC 2 Type II

Active

Audited Nov 2025

πŸ₯

HIPAA

In Progress

Independent security assessments validate PumpCX's controls and compliance. Access full audit reports and penetration test summaries by registering below.

πŸ₯

HIPAA & Business Associate Agreements

PumpCX supports HIPAA-compliant deployments and will enter into a Business Associate Agreement (BAA) with customers handling Protected Health Information (PHI). The BAA is available for signing via the Reports page.

Need our compliance reports?

Register with your business email and sign our NDA to access and download SOC 2 reports, penetration test results, Security Architecture Overview, HIPAA Compliance Overview & Business Associate Agreement.

Register for Access

Security

Data Protection Overview

Protecting customer data is fundamental to PumpCX's platform design and operations.

PumpCX applies a defense-in-depth approach to safeguard customer data across infrastructure, application, and operational layers. Security controls are continuously monitored and regularly reviewed as part of our compliance and security program.

Encryption

  • All data is encrypted in transit using TLS 1.2 or higher (TLS 1.3 preferred).
  • Customer data stored on AWS storage volumes is encrypted at rest using AES-256 disk encryption.

Access Control

  • Access to production systems is restricted to authorized personnel on a least-privilege basis.
  • Multi-factor authentication (MFA) is enforced for administrative access.
  • Access reviews are conducted regularly to ensure permissions remain appropriate.

Monitoring and Detection

  • Security logs and system activity are continuously monitored.
  • Intrusion detection and vulnerability monitoring tools are used to identify potential threats.
  • Infrastructure and applications are regularly assessed for vulnerabilities.

Operational Security

  • Security awareness training is provided to employees.
  • Background checks are performed where permitted by law.
  • Changes to production systems follow formal change-management procedures.

Data Governance

  • Customer data is processed solely for the purpose of providing the PumpCX service.
  • Data retention policies are applied according to operational and contractual requirements.
  • Customer data can be deleted or exported in accordance with contractual obligations.

PumpCX maintains a formal security program aligned with industry standards and undergoes independent third-party assessments.

Data Residency

Data Residency

PumpCX infrastructure is hosted on Amazon Web Services (AWS) in secure cloud environments.

Customer data is stored and processed within PumpCX-managed cloud infrastructure. AWS provides the physical, environmental, and network security controls that underpin the protection of customer data. Each customer's data is retained in a single AWS region, agreed during onboarding, and is not replicated to other regions.

Current Deployment Locations

  • 🇦🇺 Australia – Sydney (ap-southeast-2)
  • 🇨🇦 Canada – Central (ca-central-1)
  • 🇸🇬 Singapore (ap-southeast-1)
  • 🇬🇧 United Kingdom – London (eu-west-2)
  • 🇺🇸 United States – Oregon (us-west-2)

Access Controls

Identity and Authentication

PumpCX enforces strong identity controls to protect access to systems and data.

  • Multi-factor authentication (MFA) is required for administrative access.
  • Access permissions follow the principle of least privilege.
  • Access reviews are conducted regularly.
  • Authentication and authorization controls protect access to production systems.
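One way to make the MFA and least-privilege statements above (and the matching Access Control bullets under Data Protection Overview) checkable rather than declarative is to lint the IAM policies that grant administrative access. The following is an added example and not PumpCX's own tooling: it assumes AWS IAM identity-based policies (the page names AWS as the hosting provider but does not describe how access is provisioned), and the two sample policy documents, including the account ID and ARNs, are constructed for illustration.

```python
"""Lint AWS IAM identity-based policies for two properties:
administrative access requires MFA, and grants are scoped (least privilege).

Added example, not PumpCX tooling. Assumes IAM identity-based policies;
the sample documents below are constructed for illustration.
"""
import json


def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action/Resource; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _mfa_condition(statement, expected):
    """True if the statement's Condition tests aws:MultiFactorAuthPresent == expected.

    Bool and BoolIfExists are both accepted; BoolIfExists is the usual choice
    in deny statements so that an absent key counts as "no MFA".
    """
    cond = statement.get("Condition") or {}
    for operator in ("Bool", "BoolIfExists"):
        value = (cond.get(operator) or {}).get("aws:MultiFactorAuthPresent")
        if value is not None and str(value).lower() == expected:
            return True
    return False


def _denies_all_without_mfa(statement):
    """The standard 'deny everything unless MFA is present' guard statement."""
    return (statement.get("Effect") == "Deny"
            and "*" in _as_list(statement.get("Resource"))
            and _mfa_condition(statement, "false"))


def audit_policy(policy_json):
    """Return a list of findings for one policy document (empty means it passes)."""
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    policy_wide_mfa = any(_denies_all_without_mfa(s) for s in statements)
    findings = []
    for index, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{index}]")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if "NotAction" in st:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        if broad:
            findings.append(f"{sid}: wildcard action(s) {broad} are not least privilege")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' is not scoped to specific ARNs")
        if not policy_wide_mfa and not _mfa_condition(st, "true"):
            findings.append(f"{sid}: no MFA condition and no policy-wide deny-without-MFA guard")
    return findings


# Constructed sample policies (not PumpCX's real IAM policies).
PERMISSIVE_ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OperateProdDatabaseWithMfa",
            "Effect": "Allow",
            "Action": ["rds:DescribeDBInstances", "rds:RebootDBInstance"],
            "Resource": "arn:aws:rds:us-west-2:111122223333:db:prod-*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {
            "Sid": "DenyAllWithoutMfa",
            "Effect": "Deny",
            "NotAction": ["iam:ListMFADevices", "sts:GetSessionToken"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
})

if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE_ADMIN_POLICY), ("scoped", SCOPED_ADMIN_POLICY)):
        print(name, audit_policy(doc) or "OK")
```

The permissive document produces three findings (wildcard action, unscoped resource, no MFA); the scoped one produces none because its Allow is limited to named actions on a specific ARN and the policy-wide Deny blocks everything except MFA enrolment when no MFA is present. Treat the `Resource '*'` finding as a review item rather than an automatic failure: some read-only actions (Describe/List calls) legitimately require it.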

Resilience

Business Continuity

PumpCX maintains documented business continuity and disaster recovery plans designed to ensure service resilience and rapid recovery from operational disruptions.

Plans are tested periodically and reviewed as part of our security and compliance program.

Testing

Security Testing

PumpCX regularly evaluates the security of its platform through:

  • Independent third-party annual penetration testing
  • Continuous vulnerability scanning
  • Security reviews integrated into development workflows

Identified issues are tracked and remediated through formal engineering processes.

Overview

Security Program Overview

PumpCX maintains a comprehensive information security program designed to protect customer data and ensure the reliability and integrity of our services. Our security program is built around industry best practices and is supported by formal policies, technical safeguards, and ongoing monitoring.

The program covers governance, infrastructure security, application security, operational processes, and third-party risk management.

Governance and Compliance

PumpCX operates a formal information security program aligned with recognized industry standards. Security controls are continuously monitored and assessed as part of our compliance program.

Our security program includes:

  • Documented security policies and procedures
  • Defined roles and responsibilities for security governance
  • Ongoing risk assessment and mitigation processes
  • Continuous monitoring of security controls
  • Independent third-party assessments and audits

PumpCX holds a SOC 2 Type II attestation (audited Nov 2025) and is working toward HIPAA compliance, supporting HIPAA-compliant deployments under a Business Associate Agreement.

Infrastructure Security

PumpCX infrastructure is hosted within industry-leading cloud environments that provide strong physical and environmental protections.

Security controls include:

  • Network isolation and segmentation
  • Firewalls and access restrictions
  • Infrastructure hardening
  • Continuous monitoring of system activity
  • Regular vulnerability assessments

Access to production systems is tightly restricted and managed according to the principle of least privilege.

Application Security

Security is integrated throughout the PumpCX software development lifecycle.

Our development practices include:

  • Secure coding practices and internal development standards
  • Peer code review for production changes
  • Automated testing and security scanning
  • Vulnerability management and patching processes

Security issues are tracked and remediated through formal engineering workflows.

Monitoring and Incident Response

PumpCX maintains monitoring systems designed to detect and respond to security events.

Key capabilities include:

  • Centralized logging and monitoring
  • Automated alerting for suspicious activity
  • Documented incident response procedures
  • Security event investigation and remediation processes
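As an added example of what "automated alerting for suspicious activity" can mean in practice for the capabilities listed here and under Monitoring and Detection above, the block below runs three detections over AWS CloudTrail-style records: console login without MFA, any use of the root user, and repeated login failures from one source. This is not PumpCX's detection content; CloudTrail as the log source is an assumption (the page names AWS and centralized logging but not the specific service), and every record, user name and IP address is constructed.

```python
"""Three detections over CloudTrail-style sign-in and API events:
console login without MFA, any activity by the root user, and repeated
login failures from one source. Added example, not PumpCX detection
content; CloudTrail as the log source is an assumption, and the records
below are constructed.
"""
import json
from collections import Counter

FAILURE_THRESHOLD = 3  # failures per (user, source IP) before alerting


def _login(user, ip, outcome, mfa, when):
    """Build a constructed ConsoleLogin record in CloudTrail's field layout."""
    return {
        "eventTime": when, "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
    }


# Constructed newline-delimited JSON, one event per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    _login("alice", "203.0.113.10", "Success", "Yes", "2025-11-03T10:15:00Z"),
    _login("bob", "203.0.113.20", "Success", "No", "2025-11-03T10:16:00Z"),
    {"eventTime": "2025-11-03T10:17:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.30",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    _login("carol", "198.51.100.7", "Failure", "No", "2025-11-03T10:18:00Z"),
    _login("carol", "198.51.100.7", "Failure", "No", "2025-11-03T10:18:05Z"),
    _login("carol", "198.51.100.7", "Failure", "No", "2025-11-03T10:18:09Z"),
])


def detect(ndjson, failure_threshold=FAILURE_THRESHOLD):
    """Run the detections; return (rule, subject, source IP) tuples in event order."""
    alerts = []
    failures = Counter()
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        identity = event.get("userIdentity", {})
        actor = identity.get("userName") or identity.get("type", "unknown")
        ip = event.get("sourceIPAddress", "unknown")

        # Rule 1: root credentials should never appear in day-to-day activity.
        if identity.get("type") == "Root":
            alerts.append(("ROOT_ACTIVITY", f"Root/{event.get('eventName')}", ip))

        if event.get("eventName") != "ConsoleLogin":
            continue
        outcome = event.get("responseElements", {}).get("ConsoleLogin")
        mfa_used = event.get("additionalEventData", {}).get("MFAUsed")

        # Rule 2: a successful console login must carry MFAUsed == "Yes";
        # a missing field is treated as no MFA, not as a pass.
        if outcome == "Success" and mfa_used != "Yes":
            alerts.append(("CONSOLE_LOGIN_WITHOUT_MFA", actor, ip))
        # Rule 3: credential guessing shows up as repeated failures per (user, IP);
        # alert once when the threshold is reached, not on every failure.
        elif outcome == "Failure":
            failures[(actor, ip)] += 1
            if failures[(actor, ip)] == failure_threshold:
                alerts.append(("REPEATED_LOGIN_FAILURES", actor, ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

On the constructed input the run yields three alerts: bob's MFA-less login, the root DescribeInstances call, and carol's third failure from 198.51.100.7. The threshold is keyed on (user, IP) so that one user mistyping a password from their usual address and a spray across many users from one address are counted separately; a production rule would add a time window and a deduplication key so the same incident does not page twice.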

Our incident response program ensures that security events are evaluated, contained, and addressed in a timely manner.

Third-Party Risk Management

PumpCX evaluates third-party vendors that support our service delivery to ensure they meet appropriate security and privacy standards.

Vendors with access to customer data are assessed as part of our vendor risk management process and are listed in our Subprocessor Register.

Continuous Improvement

Security is an ongoing process. PumpCX regularly reviews and improves its security controls through:

  • Independent penetration testing
  • Continuous compliance monitoring
  • Security control reviews
  • Feedback from customers and security researchers

Our goal is to maintain a strong security posture while continuously improving the protection of our platform and customer data.

Controls

Security Controls

PumpCX maintains a comprehensive set of security controls that are continuously monitored as part of our compliance program.

Infrastructure Security

6/6 passing
  • Service infrastructure maintained
  • Remote access MFA enforced
  • Unique production database authentication

+ 3 more controls

Organizational Security

4/4 passing
  • Employee background checks performed
  • Security awareness training implemented
  • Confidentiality agreement acknowledged

+ 1 more control

Internal Security Procedures

4/4 passing
  • Vulnerabilities scanned and remediated
  • Continuity and disaster recovery plans tested
  • Incident response plan tested

+ 1 more control

Product Security

3/3 passing
  • Penetration testing performed
  • Vulnerability and system monitoring
  • Secure SDLC implemented

Data And Privacy

4/4 passing
  • Privacy policy established
  • Data retention procedures established
  • Privacy compliant procedures established

+ 1 more control

AI Security & Compliance

3/3 passing
  • AI system impact assessment
  • AI management scope defined
  • AI objectives and planning

24 of 24 controls passing, as reported by continuous control monitoring in Vanta.

Framework Mapping

Compliance Coverage

See how PumpCX's security controls map to SOC 2 Trust Service Criteria and HIPAA safeguard requirements.

🛡️ SOC 2 Trust Service Criteria

Criteria | Description | PumpCX Controls
CC1 – Control Environment | Organizational commitment to integrity and security | Security governance, policies & procedures, employee training, background checks
CC2 – Communication & Information | Internal and external security communication | Security awareness training, Trust Center, incident communication procedures
CC3 – Risk Assessment | Identification and analysis of risks | Risk assessments, vulnerability scanning, penetration testing, vendor risk management
CC4 – Monitoring Activities | Ongoing evaluation of controls | Continuous compliance monitoring (Vanta), security control reviews, audit logging
CC5 – Control Activities | Policies and procedures to mitigate risks | Change management, code reviews, infrastructure security controls, automated deployments
CC6 – Logical & Physical Access | Access restrictions to systems and data | MFA, least-privilege access, access reviews, encryption at rest (AES-256) & in transit (TLS 1.2+)
CC7 – System Operations | Detection and response to anomalies | IDS, centralized logging, vulnerability assessments, incident response procedures
CC8 – Change Management | Controlled changes to infrastructure and software | Version control, code reviews, automated CI/CD pipelines, change approval processes
CC9 – Risk Mitigation | Risk mitigation through business processes | Vendor management, insurance, business associate agreements, contractual safeguards
Availability | System availability for operation and use | Business continuity & disaster recovery plans, infrastructure redundancy, uptime monitoring
Confidentiality | Protection of confidential information | Encryption (AES-256 / TLS 1.2+), access controls, data classification, NDA enforcement

πŸ₯ HIPAA Safeguards

SafeguardRequirementPumpCX Controls
Administrative Safeguards (Β§164.308)
Security ManagementPolicies to prevent, detect, contain, and correct security violationsRisk assessments, security policies, Vanta continuous monitoring, vulnerability management
Assigned Security ResponsibilityDesignated security officialDesignated security officer, defined security roles and responsibilities
Workforce SecurityAppropriate access for workforce membersBackground checks, onboarding/offboarding procedures, least-privilege access
Information Access ManagementAuthorized access to ePHIRole-based access control, access reviews, least-privilege enforcement
Security Awareness & TrainingSecurity awareness program for workforceSecurity awareness training, phishing simulations, ongoing education
Security Incident ProceduresIncident identification, response, and mitigationIncident response plan, IDS, centralized logging, post-incident reviews
Contingency PlanData backup, disaster recovery, and emergency operationsBusiness continuity & disaster recovery plans, data backups, periodic plan testing
EvaluationPeriodic technical and non-technical evaluationAnnual penetration testing, security control reviews, SOC 2 audits
Business Associate AgreementsContracts with business associates handling ePHIBAA execution and management, vendor risk assessments, subprocessor oversight
Physical Safeguards (Β§164.310)
Facility Access ControlsPhysical access limitations to facilitiesAWS data center physical security (SOC 2 certified), no on-premise data storage
Workstation & Device SecurityWorkstation use policies and device controlsEndpoint security policies, device encryption, remote wipe capabilities
Technical Safeguards (Β§164.312)
Access ControlTechnical policies limiting access to ePHIMFA, unique user IDs, automatic session timeouts, role-based access
Audit ControlsRecording and examination of system activityCentralized audit logging, log monitoring, access activity tracking
Integrity ControlsProtection of ePHI from improper alteration or destructionData validation, checksums, version control, database integrity checks
Transmission SecurityProtection of ePHI during electronic transmissionTLS 1.2+ encryption in transit, encrypted API communications, secure file transfers

Third Parties

Sub-Processors

The following third-party vendors process data on behalf of PumpCX.

Vendor | Purpose
Amazon Web Services (AWS) | Infrastructure hosting and data storage
Atlassian (Jira) | Customer issue tracking and support ticket management
Microsoft (Office 365 / Exchange Online) | Email delivery and communication
Vanta | Security compliance monitoring

Subprocessor changes will be communicated to customers 30 days in advance.

FAQ

Security FAQ

Where is customer data stored?

PumpCX infrastructure is hosted on AWS. Each customer's data is stored and processed in a single AWS region chosen at onboarding; the current deployment locations are Sydney (ap-southeast-2), Canada Central (ca-central-1), Singapore (ap-southeast-1), London (eu-west-2), and Oregon (us-west-2).

How is data encrypted?

Data is encrypted in transit using TLS 1.2+. Data is encrypted at rest using AWS-managed disk encryption with AES-256.

Do you perform penetration testing?

Yes. PumpCX undergoes annual independent third-party penetration testing.

Do you monitor security controls continuously?

Yes. Controls are continuously monitored via our compliance platform.

Contact

Security Contact

PumpCX welcomes security-related questions from customers, partners, and researchers.

For security concerns, vulnerability reports, or inquiries regarding our security program, please contact:

security@pump.cx

Our security team reviews all submissions and will respond as appropriate.

For general support or product inquiries, please use our standard customer support channels.

Vulnerability Reporting

Responsible Disclosure

PumpCX supports responsible disclosure of security vulnerabilities.

If you believe you have discovered a security issue affecting PumpCX systems or services, please report it to our security team at security@pump.cx

When submitting a report, please include:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • Any relevant supporting information

We request that researchers:

  • Avoid accessing or modifying customer data
  • Refrain from actions that could disrupt service availability
  • Allow reasonable time for investigation and remediation before public disclosure

PumpCX investigates all legitimate reports and works to resolve confirmed issues in a timely manner.

PumpCX appreciates the efforts of the security research community in helping keep our systems secure.
