Security
Last updated on September 22, 2025
Pointer uses industry-leading technologies and services to protect your data against unauthorized access, disclosure, use, and loss. Pointer publishes a security.txt file to streamline responsible disclosure of security issues. This file provides security researchers with a standardized method to report vulnerabilities.
All Pointer administrators undergo background checks and are routinely trained on security practices both during company onboarding and on a quarterly basis.
Security at Pointer is directed and maintained by our founders.
Compliance
SOC 2 Type II. Pointer is SOC 2 Type II compliant. This certification evaluates the design and implementation of our internal controls at a specific point in time, ensuring they align with the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Achieving this compliance demonstrates our commitment to maintaining a robust security posture and provides assurance to our customers regarding the safeguarding of their data.
ISO 27001. Pointer aligns with ISO 27001 standards, an internationally recognized framework for information security management systems (ISMS). This certification demonstrates our commitment to systematically managing risks to data confidentiality, integrity, and availability, and provides assurance that our security controls follow global best practices.
GDPR. Pointer complies with the General Data Protection Regulation (GDPR), ensuring that personal data of individuals in the European Economic Area is processed lawfully, transparently, and securely. Our practices include strong data minimization, access controls, and rights management processes that safeguard user privacy in line with European standards.
HIPAA. Pointer adheres to the Health Insurance Portability and Accountability Act (HIPAA) requirements for safeguarding protected health information (PHI). Our systems implement administrative, physical, and technical safeguards designed to protect sensitive health data and support compliance for customers operating in regulated healthcare environments.
Infrastructure and Network Security
Physical access control. Our platform is hosted on both Google Cloud Platform (GCP) and Amazon Web Services (AWS), both of which maintain rigorous physical security measures and compliance certifications.
Google Cloud Platform. Their data centers include:
Vehicle access barriers
Perimeter fencing
Biometric access control
24/7 security monitoring
Advanced electronic access control systems
GCP maintains compliance certifications including ISO 27001, ISO 27017, ISO 27018, SOC 2/3, PCI DSS, FedRAMP, and HIPAA.
Amazon Web Services. AWS data centers are designed to deliver 99.999999999% (11 9s) durability and include:
Redundant storage across multiple devices and facilities
Comprehensive security and compliance programs, including PCI-DSS, HIPAA/HITECH, FedRAMP, EU Data Protection Directive, and FISMA
Encryption of all object uploads by default
S3 Block Public Access to prevent unauthorized access
Pointer employees do not have physical access to any data centers, servers, networking equipment, or storage media.
Logical Access Control. We maintain strict controls over infrastructure access:
Limited administrator access to authorized employees
Two-factor authentication requirement
Detailed audit logging
Private network administration
Regular certificate rotation
Authentication Security. Our authentication system provides enterprise-grade security through multiple mechanisms:
OAuth2 integration with Google and GitHub
Session-based authentication with automatic token rotation
Comprehensive token refresh and expiry management
Scope-based authorization controls
Active session validation and monitoring
With Single Sign-On (SSO), we allow users to access multiple applications with a single set of credentials, simplifying user management and reducing password-related vulnerabilities.
IP Security. We maintain robust location-based security through continuous monitoring and verification. Our system includes:
Location tracking and verification for all access attempts
Known IP address monitoring and validation
Automatic notifications for new location access
Account locking after multiple suspicious attempts
Comprehensive location-based risk assessment
Real-time email alerts for security events
Data Flow
Data Arriving from Customers. We maintain strict security standards for incoming data:
HTTPS encryption using TLS 1.2 or above
Rejection of connections using TLS below 1.2
HSTS is enforced with a max-age of 6 months, preloaded in major browsers
Zero-trust network with full traffic encryption
Regular SSL configuration testing via SSL Labs
Rule and anomaly-based request monitoring
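The TLS and HSTS policy listed above can be checked mechanically. The following Python is an added example, not Pointer's own code: it parses a Strict-Transport-Security header and reports any gap against the policy stated here (max-age of at least six months plus the preload directive, with includeSubDomains, which the browser preload list requires), and it builds a TLS context that refuses anything below TLS 1.2, the same minimum_version setting a server would apply. The six-month figure is converted to seconds as 6 x 30 days, an assumed reading of "6 months"; the sample header values are constructed.

```python
"""Added example (not Pointer's code): offline checks for a TLS 1.2+ minimum
and an HSTS header with a six-month max-age and the preload directive."""
import ssl

# Assumed reading of "6 months": 6 x 30 days, expressed in seconds.
SIX_MONTHS_SECONDS = 6 * 30 * 24 * 60 * 60  # 15_552_000


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives.

    Directive names are case-insensitive (RFC 6797). Directives with a value
    map to that value as a string; valueless ones (includeSubDomains, preload)
    map to True.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else True
    return directives


def check_hsts(header: str, min_age: int = SIX_MONTHS_SECONDS) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    d = parse_hsts(header)
    max_age = d.get("max-age")
    if max_age is None:
        problems.append("missing max-age")
    else:
        try:
            age = int(max_age)
        except ValueError:
            problems.append(f"non-numeric max-age: {max_age!r}")
        else:
            if age < min_age:
                problems.append(f"max-age {age} below required {min_age}")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains (required for preload)")
    if "preload" not in d:
        problems.append("missing preload directive")
    return problems


def make_tls_context() -> ssl.SSLContext:
    """Build a TLS context that refuses any protocol version below TLS 1.2.

    A server context gets the same minimum_version; a peer offering only
    TLS 1.0 or 1.1 then fails the handshake instead of connecting.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_version_allowed(version_name: str, ctx: ssl.SSLContext) -> bool:
    """Offline check: would this context negotiate the named version?

    version_name is an ssl.TLSVersion member name such as "TLSv1_1".
    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels, not real versions,
    so they are treated as "no bound" rather than compared numerically.
    """
    version = ssl.TLSVersion[version_name]
    lower, upper = ctx.minimum_version, ctx.maximum_version
    lower_ok = lower == ssl.TLSVersion.MINIMUM_SUPPORTED or version >= lower
    upper_ok = upper == ssl.TLSVersion.MAXIMUM_SUPPORTED or version <= upper
    return lower_ok and upper_ok


if __name__ == "__main__":
    # Constructed sample headers: one that meets the policy, one that does not.
    for hdr in ("max-age=15768000; includeSubDomains; preload", "max-age=300"):
        print(hdr, "->", check_hsts(hdr) or "OK")
    ctx = make_tls_context()
    for name in ("TLSv1", "TLSv1_1", "TLSv1_2"):
        print(name, "allowed:", tls_version_allowed(name, ctx))
```

Run the file directly to see both headers evaluated and the three protocol versions classified; the same two functions can be pointed at a live header captured from a deployment or at the server-side context in a deployment test.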
Data Leaving the System. Customers can access their data through multiple secure channels:
Web Application app.pointer.ai
Mobile Applications (iOS and Android)
REST API api.pointer.ai
All data access methods ensure TLS 1.2+ encryption in transit.
Application Security
Authentication Methods. We support multiple secure authentication options:
Sign In with Google
Google/GSuite account integration
Annual Google Security Assessment
Third-party security audit
Single sign-on (SSO)
Enterprise-grade SSO integration powered by WorkOS
Support for SAML 2.0 and OpenID Connect
Centralized access management with customer identity providers (Okta, Azure AD, OneLogin, etc.)
Independent security assessments of the SSO integration
REST API Authentication
Brute force resistant API keys with rate limiting
Self-service token management
Secure key storage and transmission
Session-based request validation with automatic rotation
Origin validation and environment-specific controls
Verification for Destructive Operations
To prevent accidental or unauthorized destructive actions, we implement verification codes for major operations such as deleting a project or a user. Additionally, we provide comprehensive user permission management to control access to sensitive functionalities.
Business Continuity
High Availability. Our platform operates on redundant servers with regular maintenance rotation.
Backup Systems. We maintain comprehensive backup procedures:
Daily and weekly backups
Multiple geographic locations
Encrypted storage
Regular integrity verification
Routine restoration testing
Disaster Recovery. We maintain ready-to-deploy recovery procedures:
Multi-region deployment
Documented recovery processes
Regular testing
Incident response protocols
Monitoring. We provide comprehensive security monitoring:
Real-time event logging
Suspicious activity alerts
Activity tracking
Security audit trails
User notifications
For security concerns or vulnerability reports, contact team@pointer.ai.