Tested. Trusted. Assured.
PumpCX Trust Center
Transparency into PumpCX's security practices, compliance certifications, and the controls that protect customer data. Access audit reports by registering below.
Compliance
Our Certifications
PumpCX maintains industry-leading certifications to ensure your data is handled with the highest standards of security and privacy.
HIPAA
ActiveUnited States (US) regulation to secure Protected Health Information (PHI). Mandatory for US companies that process, transmit, or store PHI data.
SOC 2
ActiveSOC 2 (System and Organization Controls 2) is a compliance framework that evaluates an organization's information security practices. It's a must-have for building trust with stakeholders by demonstrating robust security measures. Ideal for SaaS companies and IT service providers, SOC 2 helps unlock business opportunities by assuring clients of your security posture.
Hover over a certification for details
Independent security assessments validate PumpCX's controls and compliance. Access full audit reports and penetration test summaries by registering below.
HIPAA & Business Associate Agreements
PumpCX supports HIPAA-compliant deployments and will enter into a Business Associate Agreement (BAA) with customers handling Protected Health Information (PHI). The BAA is available for signing via the Reports page.
Need our compliance reports?
Register with your business email and sign our NDA to access and download SOC 2 reports, penetration test results, Security Architecture Overview, HIPAA Compliance Overview & Business Associate Agreement.
Register for AccessSecurity
Data Protection Overview
Protecting customer data is fundamental to PumpCX's platform design and operations.
PumpCX applies a defense-in-depth approach to safeguard customer data across infrastructure, application, and operational layers. Security controls are continuously monitored and regularly reviewed as part of our compliance and security program.
Encryption
- All data is encrypted in transit using TLS 1.2 or higher (TLS 1.3 preferred).
- Customer data stored on AWS storage volumes is encrypted at rest using AES-256 disk encryption.
Access Control
- Access to production systems is restricted to authorized personnel on a least-privilege basis.
- Multi-factor authentication (MFA) is enforced for administrative access.
- Access reviews are conducted regularly to ensure permissions remain appropriate.
Monitoring and Detection
- Security logs and system activity are continuously monitored.
- Intrusion detection and vulnerability monitoring tools are used to identify potential threats.
- Infrastructure and applications are regularly assessed for vulnerabilities.
Operational Security
- Security awareness training is provided to employees.
- Background checks are performed where permitted by law.
- Changes to production systems follow formal change-management procedures.
Data Governance
- Customer data is processed solely for the purpose of providing the PumpCX service.
- Data retention policies are applied according to operational and contractual requirements.
- Customer data can be deleted or exported in accordance with contractual obligations.
PumpCX maintains a formal security program aligned with industry standards and undergoes independent third-party assessments.
Data Residency
Data Residency
PumpCX infrastructure is hosted on Amazon Web Services (AWS) in secure cloud environments.
Customer data is stored and processed within PumpCX-managed cloud infrastructure. AWS provides physical, environmental, and network security controls that support the protection of customer data. The customer's data is retained in a single data storage location as agreed during onboarding.
Current Deployment Locations
Access Controls
Identity and Authentication
PumpCX enforces strong identity controls to protect access to systems and data.
- Multi-factor authentication (MFA) is required for administrative access.
- Access permissions follow the principle of least privilege.
- Access reviews are conducted regularly.
- Authentication and authorization controls protect access to production systems.
Resilience
Business Continuity
PumpCX maintains documented business continuity and disaster recovery plans designed to ensure service resilience and rapid recovery from operational disruptions.
Plans are tested periodically and reviewed as part of our security and compliance program.
Testing
Security Testing
PumpCX regularly evaluates the security of its platform through:
- Independent third-party annual penetration testing
- Continuous vulnerability scanning
- Security reviews integrated into development workflows
Identified issues are tracked and remediated through formal engineering processes.
Overview
Security Program Overview
PumpCX maintains a comprehensive information security program designed to protect customer data and ensure the reliability and integrity of our services. Our security program is built around industry best practices and is supported by formal policies, technical safeguards, and ongoing monitoring.
The program covers governance, infrastructure security, application security, operational processes, and third-party risk management.
Governance and Compliance
PumpCX operates a formal information security program aligned with recognized industry standards. Security controls are continuously monitored and assessed as part of our compliance program.
Our security program includes:
- Documented security policies and procedures
- Defined roles and responsibilities for security governance
- Ongoing risk assessment and mitigation processes
- Continuous monitoring of security controls
- Independent third-party assessments and audits
PumpCX maintains compliance with recognized security frameworks including SOC 2 and HIPAA.
Infrastructure Security
PumpCX infrastructure is hosted within industry-leading cloud environments that provide strong physical and environmental protections.
Security controls include:
- Network isolation and segmentation
- Firewalls and access restrictions
- Infrastructure hardening
- Continuous monitoring of system activity
- Regular vulnerability assessments
Access to production systems is tightly restricted and managed according to the principle of least privilege.
Application Security
Security is integrated throughout the PumpCX software development lifecycle.
Our development practices include:
- Secure coding practices and internal development standards
- Peer code review for production changes
- Automated testing and security scanning
- Vulnerability management and patching processes
Security issues are tracked and remediated through formal engineering workflows.
Monitoring and Incident Response
PumpCX maintains monitoring systems designed to detect and respond to security events.
Key capabilities include:
- Centralized logging and monitoring
- Automated alerting for suspicious activity
- Documented incident response procedures
- Security event investigation and remediation processes
Our incident response program ensures that security events are evaluated, contained, and addressed in a timely manner.
Third-Party Risk Management
PumpCX evaluates third-party vendors that support our service delivery to ensure they meet appropriate security and privacy standards.
Vendors with access to customer data are assessed as part of our vendor risk management process and are listed in our Subprocessor Register.
Continuous Improvement
Security is an ongoing process. PumpCX regularly reviews and improves its security controls through:
- Independent penetration testing
- Continuous compliance monitoring
- Security control reviews
- Feedback from customers and security researchers
Our goal is to maintain a strong security posture while continuously improving the protection of our platform and customer data.
Personnel
Employee Security
Background Checks
All employees and contractors undergo background checks prior to joining PumpCX, where permitted by applicable law. Checks include identity verification, criminal history, and employment history validation.
Security Training
All new hires complete security awareness training within 14 days of their start date. Training covers data handling, phishing awareness, incident reporting, and acceptable use. Annual refresher training is mandatory for all staff.
Code of Conduct
All employees acknowledge and agree to PumpCX's Code of Conduct and Acceptable Use Policy upon hire. These policies set expectations for professional behavior, data handling responsibilities, and the consequences of non-compliance.
Offboarding
Upon departure, all system access is revoked within 24 business hours. Equipment is returned, credentials are deactivated, and access reviews confirm complete removal from all systems and services.
Artificial Intelligence
Responsible Use of AI
PumpCX uses artificial intelligence technologies to support certain product capabilities, including automated test generation, conversation analysis, and natural language processing. We are committed to responsible and secure use of AI systems.
Customer Data Protection
Customer data submitted to PumpCX is not used to train foundation models.
PumpCX uses the enterprise AI service Amazon Bedrock, which provides contractual assurances that prompts and model outputs are not used to train or improve the underlying models. Upon customer agreement, PumpCX also self-hosts AI services within AWS, which also are not used to train or improve the underlying models.
Customer data processed by AI services is used only for the purpose of generating responses requested by the customer.
Data Handling
When AI features are used:
- Customer prompts are processed only to generate the requested output
- Data is encrypted in transit and at rest
- Model responses are not retained by AI providers for training
PumpCX maintains strict controls to prevent unauthorized access to customer data processed by AI systems.
Human Oversight
AI-generated outputs are intended to assist users, not replace human judgment. Customers remain responsible for reviewing AI-generated outputs before relying on them in production environments.
Transparency
PumpCX will clearly identify product features that use AI technologies and will continue to evolve our governance practices as AI technology and regulatory expectations develop.
Controls
Security Controls
PumpCX maintains a comprehensive set of security controls that are continuously monitored as part of our compliance program.
Infrastructure Security
7/7 passing- Production inventory maintained
- Asset disposal procedures utilized
- Data retention procedures established
+ 4 more controls
Business Continuity & Disaster Recovery
11/11 passing- Continuity and Disaster Recovery plans established
- Continuity and disaster recovery plans tested
- Cybersecurity insurance maintained
+ 8 more controls
Configuration Management
1/1 passing- Configuration management system established
Internal Security Procedures
6/6 passing- Change management procedures enforced
- Production deployment access restricted
- Development lifecycle established
+ 3 more controls
Compliance
3/3 passing- SOC 2 - System Description
- Whistleblower policy established
- Security controls evaluated
Cryptographic Protections
9/9 passing- Unique production database authentication enforced
- Portable media encrypted
- Unique account authentication enforced
+ 6 more controls
Data Classification & Handling
3/3 passing- Data classification policy established
- Customer data deleted upon leaving
- Data retention and time limit
Endpoint Security
2/2 passing- Anti-malware technology utilized
- Workstation security implemented
Security & Privacy Governance
17/17 passing- Backup processes established
- Management roles and responsibilities defined
- Organization structure documented
+ 14 more controls
Human Resources Security
7/7 passing- Employee background checks performed
- Code of Conduct acknowledged by contractors
- Code of Conduct acknowledged by employees and enforced
+ 4 more controls
Identification & Authentication
14/14 passing- Production application access restricted
- Access control procedures established
- Production database access restricted
+ 11 more controls
Information Assurance
2/2 passing- Control self-assessments conducted
- Penetration testing performed
Incident Response
3/3 passing- Incident response plan tested
- Incident response policies established
- Incident management procedures followed
Mobile Device Management
1/1 passing- MDM system utilized
Continuous Monitoring
3/3 passing- Log management utilized
- Intrusion detection system utilized
- Infrastructure performance monitored
Network Security
5/5 passing- Data transmission encrypted
- Network segmentation implemented
- Network firewalls reviewed
+ 2 more controls
Security Operations
1/1 passing- Vulnerability and system monitoring procedures established
Physical & Environmental Security
3/3 passing- Physical access processes established
- Data center access reviewed
- Visitor procedures enforced
Project & Resource Management
3/3 passing- Company commitments externally communicated
- External support resources available
- Service description communicated
Security Awareness & Training
1/1 passing- Security awareness training implemented
Third-Party Management
2/2 passing- Third-party agreements established
- Vendor management program established
Vulnerability & Patch Management
2/2 passing- Service infrastructure maintained
- Vulnerabilities scanned and remediated
106 of 106 controls passing β updated 2 minutes ago via Vanta.
Framework Mapping
Compliance Coverage
See how PumpCX's security controls map to SOC 2 Trust Service Criteria, HIPAA safeguard requirements, and ISO 27001 Annex A controls.
π‘οΈ SOC 2 Trust Service Criteria
| Criteria | Description | PumpCX Controls |
|---|---|---|
| CC1 β Control Environment | Organizational commitment to integrity and security | Security governance, policies & procedures, employee training, background checks |
| CC2 β Communication & Information | Internal and external security communication | Security awareness training, Trust Center, incident communication procedures |
| CC3 β Risk Assessment | Identification and analysis of risks | Risk assessments, vulnerability scanning, penetration testing, vendor risk management |
| CC4 β Monitoring Activities | Ongoing evaluation of controls | Continuous compliance monitoring (Vanta), security control reviews, audit logging |
| CC5 β Control Activities | Policies and procedures to mitigate risks | Change management, code reviews, infrastructure security controls, automated deployments |
| CC6 β Logical & Physical Access | Access restrictions to systems and data | MFA, least-privilege access, access reviews, encryption at rest (AES-256) & in transit (TLS 1.2+) |
| CC7 β System Operations | Detection and response to anomalies | IDS, centralized logging, vulnerability assessments, incident response procedures |
| CC8 β Change Management | Controlled changes to infrastructure and software | Version control, code reviews, automated CI/CD pipelines, change approval processes |
| CC9 β Risk Mitigation | Risk mitigation through business processes | Vendor management, insurance, business associate agreements, contractual safeguards |
| Availability | System availability for operation and use | Business continuity & disaster recovery plans, infrastructure redundancy, uptime monitoring |
| Confidentiality | Protection of confidential information | Encryption (AES-256 / TLS 1.2+), access controls, data classification, NDA enforcement |
π₯ HIPAA Safeguards
| Safeguard | Requirement | PumpCX Controls |
|---|---|---|
| Administrative Safeguards (Β§164.308) | ||
| Security Management | Policies to prevent, detect, contain, and correct security violations | Risk assessments, security policies, Vanta continuous monitoring, vulnerability management |
| Assigned Security Responsibility | Designated security official | Designated security officer, defined security roles and responsibilities |
| Workforce Security | Appropriate access for workforce members | Background checks, onboarding/offboarding procedures, least-privilege access |
| Information Access Management | Authorized access to ePHI | Role-based access control, access reviews, least-privilege enforcement |
| Security Awareness & Training | Security awareness program for workforce | Security awareness training, phishing simulations, ongoing education |
| Security Incident Procedures | Incident identification, response, and mitigation | Incident response plan, IDS, centralized logging, post-incident reviews |
| Contingency Plan | Data backup, disaster recovery, and emergency operations | Business continuity & disaster recovery plans, data backups, periodic plan testing |
| Evaluation | Periodic technical and non-technical evaluation | Annual penetration testing, security control reviews, SOC 2 audits |
| Business Associate Agreements | Contracts with business associates handling ePHI | BAA execution and management, vendor risk assessments, subprocessor oversight |
| Physical Safeguards (Β§164.310) | ||
| Facility Access Controls | Physical access limitations to facilities | AWS data center physical security (SOC 2 certified), no on-premise data storage |
| Workstation & Device Security | Workstation use policies and device controls | Endpoint security policies, device encryption, remote wipe capabilities |
| Technical Safeguards (Β§164.312) | ||
| Access Control | Technical policies limiting access to ePHI | MFA, unique user IDs, automatic session timeouts, role-based access |
| Audit Controls | Recording and examination of system activity | Centralized audit logging, log monitoring, access activity tracking |
| Integrity Controls | Protection of ePHI from improper alteration or destruction | Data validation, checksums, version control, database integrity checks |
| Transmission Security | Protection of ePHI during electronic transmission | TLS 1.2+ encryption in transit, encrypted API communications, secure file transfers |
π ISO 27001:2022 Annex A Controls
PumpCX is not currently ISO 27001 certified. The mapping below shows how our existing security controls align with ISO 27001:2022 Annex A domains.
| Control Domain | Objective | PumpCX Controls |
|---|---|---|
| Organisational Controls (A.5) | ||
| A.5.1 β Policies for Information Security | Management direction and support for information security | Documented security policies, annual policy reviews, management-approved security program |
| A.5.2β5.6 β Roles & Responsibilities | Defined security roles, segregation of duties, management responsibilities | Designated security officer, defined roles and responsibilities, segregation of duties in production access |
| A.5.7 β Threat Intelligence | Collection and analysis of threat information | Vulnerability scanning, AWS security advisories, continuous compliance monitoring via Vanta |
| A.5.10β5.14 β Information Handling | Classification, labelling, transfer, and deletion of information | Data classification policy, encryption in transit (TLS 1.2+) & at rest (AES-256), data retention & deletion procedures |
| A.5.15β5.18 β Access Control | Access policies, identity management, authentication, access rights | RBAC, least-privilege access, MFA for all privileged access, quarterly access reviews, 24-hour offboarding revocation |
| A.5.19β5.22 β Supplier Relationships | Security in supplier agreements and monitoring | Vendor security due diligence, contractual data protection obligations, annual vendor reviews, subprocessor oversight |
| A.5.24β5.28 β Incident Management | Incident response planning, reporting, and learning | Documented incident response plan, IDS, centralized logging, post-incident reviews, breach notification procedures |
| A.5.29β5.30 β Business Continuity | ICT readiness and continuity planning | BC/DR plans, 1-hour RTO, daily backups with 14-day retention, annual DR testing, telephony failover |
| A.5.31β5.36 β Compliance | Legal, regulatory, and contractual requirements | SOC 2 compliance, HIPAA safeguards, privacy policy, data residency controls, independent audits |
| People Controls (A.6) | ||
| A.6.1 β Screening | Background verification prior to employment | Background checks (identity, criminal, employment history) for all employees and contractors |
| A.6.2 β Terms & Conditions | Employment agreements with security responsibilities | Code of Conduct, Acceptable Use Policy, confidentiality agreements acknowledged upon hire |
| A.6.3 β Awareness & Training | Security awareness education and training | Security training within 14 days of hire, annual refresher training, secure development training |
| A.6.5 β Termination Responsibilities | Security duties upon termination or change of employment | Access revoked within 24 business hours, equipment return, credential deactivation, access review confirmation |
| Physical Controls (A.7) | ||
| A.7.1β7.4 β Physical Security | Physical security perimeters, entry controls, and monitoring | AWS data center physical security (SOC 2 certified), no on-premise data storage |
| A.7.9β7.14 β Asset Security | Security of assets off-premises, storage media, and equipment | Endpoint security policies, device encryption, remote wipe capabilities, secure media disposal |
| Technological Controls (A.8) | ||
| A.8.1β8.5 β Endpoint & Access | User devices, privileged access, and source code security | Endpoint protection, MFA, privileged access management, source code in version control with access controls |
| A.8.7β8.8 β Malware & Vulnerabilities | Protection against malware and management of technical vulnerabilities | Endpoint protection, continuous vulnerability scanning, annual penetration testing, 30-day critical remediation SLA |
| A.8.9β8.10 β Configuration & Data | Configuration management and data handling | Infrastructure as code, automated deployments, data classification, retention & deletion policies |
| A.8.15β8.16 β Logging & Monitoring | Logging of activities and monitoring of anomalies | Centralized audit logging, activity tracking, IDS, 30-day log retention minimum |
| A.8.20β8.22 β Network Security | Network controls, segmentation, and web filtering | AWS VPC network segmentation, security groups, WAF, TLS enforcement |
| A.8.24β8.28 β Cryptography & Development | Use of cryptography, secure development lifecycle, and testing | AES-256 at rest, TLS 1.2+ in transit, secure SDLC, code reviews, change management, environment segregation |
Third Parties
Sub-Processors
The following third-party vendors process data on behalf of PumpCX.
| Vendor | Purpose |
|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting and data storage |
| Atlassian (Jira) | Customer issue tracking and support ticket management |
| Microsoft (Office 365 / Exchange Online) | Email delivery and communication |
| Vanta | Security compliance monitoring |
Subprocessor changes will be communicated to customers 30 days in advance.
Payment Card Data
PCI DSS
PCI DSS Scope
PumpCX is a telephony assurance platform and is not designed to process payment transactions.
PumpCX does not store, process, or transmit payment card data (cardholder data) as part of its normal operation and therefore falls outside the scope of PCI DSS.
Use of Payment Test Cases
Some customer test scenarios may simulate payment workflows (for example IVR credit card balance checks).
For these scenarios:
- β’Customers should use synthetic or test card numbers only
- β’Synthetic or test card numbers can be further protected within the platform by utilizing PumpCX secrets and private test cases
- β’PumpCX does not require or request real payment card numbers
Card Number Detection and Redaction
To prevent accidental storage of cardholder data, PumpCX implements automated safeguards including:
- β’Detection of card number patterns
- β’Luhn checksum validation
- β’Automatic masking or redaction in logs and transcripts
These controls are designed to ensure that potential card numbers are not stored within the PumpCX platform.
Customer Responsibility
Customers are responsible for ensuring that real payment card data is not submitted to the PumpCX platform unless explicitly supported by a PCI DSS validated payment environment.
Availability
System Status
FAQ
Security FAQ
Where is customer data stored?
PumpCX infrastructure is hosted on Amazon Web Services (AWS) across multiple availability zones. Customer data is stored in a single region as agreed during onboarding. Current deployment regions include Australia (Sydney), Canada (Central), Singapore, United Kingdom (London), and United States (Oregon).
How is data encrypted?
Data is encrypted in transit using TLS 1.2 or higher. Data is encrypted at rest using AES-256 via AWS-managed disk encryption. All encryption follows NIST SP 800-57 standards. Encryption keys are rotated annually.
How is access to customer data controlled?
Access is managed using role-based access control (RBAC) following the principle of least privilege. Multi-factor authentication (MFA) is required for all privileged access to production infrastructure. Access reviews are conducted quarterly, and access is revoked within 24 business hours of employee or contractor departure.
Do you perform penetration testing?
Yes. PumpCX undergoes annual independent third-party penetration testing, as well as continuous vulnerability scanning. Public-facing vulnerability scans are performed at least quarterly. Critical and high severity vulnerabilities are remediated within 30 days of discovery.
Do you monitor security controls continuously?
Yes. Controls are continuously monitored via our compliance platform. PumpCX maintains centralized logging, intrusion detection, and security event investigation. User activity logs including login/logout, data operations, and administrative actions are retained for at least 30 days.
What is your incident response process?
PumpCX maintains a documented incident response plan covering incident identification, containment, evidence gathering, notification, and remediation. For incidents involving protected health information (PHI), affected Covered Entities are notified within 60 days in accordance with the HIPAA Breach Notification Rule. All security incidents should be reported to security@pump.cx.
How long is customer data retained?
Data retention policies are applied according to operational and contractual requirements. Upon contract termination, customer data is deleted within 60 days. Personal information is deleted or de-identified as soon as it no longer has a business use, or in response to a verified data subject request.
Can customer data be deleted on request?
Yes. Personal information will be deleted in response to a verified request from a customer or data subject, unless there is a legal obligation to retain it. Customer data can also be exported in accordance with contractual obligations.
Do you use customer data to train AI models?
No. PumpCX does not use customer data to train AI or machine learning models. Our AI services, including Amazon Bedrock, provide contractual assurances that data is not used for model training. See the AI & Data Usage section for full details.
How is test data handled?
Confidential customer data is not used in development or testing environments without explicit permission from the data owner and the CTO. When approved, data must be scrubbed of sensitive information whenever feasible. Development, testing, and production environments are logically or physically segregated.
What is your disaster recovery capability?
PumpCX maintains documented business continuity and disaster recovery plans. Production services have a recovery time objective (RTO) of 1 hour. Infrastructure is backed up daily with a 14-day snapshot history, stored separately from production. DR plans are tested annually, including backup restoration. Telephony carrier links are highly available with automatic failover.
Do you have a BAA for HIPAA?
Yes. PumpCX will enter into a Business Associate Agreement (BAA) where required. Customers handling protected health information (PHI) can review and accept a BAA through the Reports section of this Trust Center.
Can I get a copy of your SOC 2 report?
Yes. SOC 2 and other compliance reports are available through the Reports section of this Trust Center. Access requires registration with a business email and execution of a mutual NDA to protect the confidentiality of the report contents.
How do you manage third-party vendors?
All third parties with access to confidential data undergo security due diligence before engagement, including evaluation against applicable standards such as ISO 27001, SOC 2, and GDPR. Written agreements are required acknowledging data confidentiality responsibilities. Vendor security and service delivery performance is reviewed at least annually.
How is your software developed securely?
PumpCX follows secure-by-design and privacy-by-design principles. All significant code changes are reviewed and approved before deployment to production. Developers receive secure development training at least annually. Source code is managed in version control with full history for rollback, and application vulnerabilities that materially impact security are patched within 90 days of discovery.
How do you vet employees?
All employees undergo background checks prior to hire, complete security awareness training within 14 days of joining, and receive mandatory annual refresher training. See the Employee Security section for full details on our personnel security program.
Contact
Security Contact
PumpCX welcomes security-related questions from customers, partners, and researchers.
For security concerns, vulnerability reports, or inquiries regarding our security program, please contact:
security@pump.cxOur security team reviews all submissions and will respond as appropriate.
For general support or product inquiries, please use our standard customer support channels.
Vulnerability Reporting
Responsible Disclosure
PumpCX supports responsible disclosure of security vulnerabilities.
If you believe you have discovered a security issue affecting PumpCX systems or services, please report it to our security team at security@pump.cx
When submitting a report, please include:
- β’A description of the vulnerability
- β’Steps to reproduce the issue
- β’Any relevant supporting information
We request that researchers:
- β’Avoid accessing or modifying customer data
- β’Refrain from actions that could disrupt service availability
- β’Allow reasonable time for investigation and remediation before public disclosure
PumpCX investigates all legitimate reports and works to resolve confirmed issues in a timely manner.
PumpCX appreciates the efforts of the security research community in helping keep our systems secure.
Need our compliance reports?
Register with your business email and sign our NDA to access and download SOC 2 reports, penetration test results, Security Architecture Overview, HIPAA Compliance Overview & Business Associate Agreement.
Register for Access