Security & Privacy FAQs

Pinpoint holds an ISO27001 certification and a SOC 2 Type II certification.

We have a documented Incident Management Policy and response plan. This includes incident definitions, incident reporting, incident classification, response process, and specific procedures in the case of internal incidents and compromised communications. This document also sets out the roles and responsibilities related to management of incidents.

Yes. We have documented information security policies that have been approved by management, published, and communicated to constituents.

Yes. Our information security policy and all associated processes are reviewed at least annually (or when a significant change is made) and any actionable findings are immediately implemented by relevant business stakeholders to further enhance the effectiveness of our information security practices. The ISMS Governance Council will determine if the frequency of the audit needs to be increased depending upon the number of findings identified during the audit, the severity of the previous audit findings, and the operating efficiency of conducting the audit annually.

The audit criteria take into consideration the defined set of ISMS policies and procedures, any regulatory, legal and contractual requirements, ISO 27001, and any additional authoritative standards as necessary.

Findings are labelled (major and monitor non-conformities, and opportunities for improvement). The corrective action and improvement plan items are added to the Risk Register.

Yes, our formalized Access Control Policy is documented and reviewed regularly. We apply the principal of least privilege and regularly review access and privileged access rights. All employee accounts must use Multi-Factor Authentication (MFA) wherever it is possible. All users have a unique user identifier for system access, and user credentials and passwords are not shared between users. Granting of administrative rights is strictly controlled, and requires approval from the asset owner.

We have a documented Access Control Policy covering our physical office environment that is reviewed frequently and is policed heavily. Access is granted on the principle of least priviledge and managed via our access control system.

We have a documented access control policy in place defining how we strictly limit access to our production environment to a small number of senior authorised users who have a valid business need following the principle of least privilege. This access is required to troubleshoot problems, provide effective customer support, and to respond to security incidents. Access is monitored and logged.

Customers may choose to grant named members of our support team just-in-time access to their Pinpoint instance via the user interface. This access is granted to a named individual on the Pinpoint support team who is supporting the customer with an open support ticket. Customers can revoke the access at any time, the access is logged, and access is automatically revoked after 24 hours.

All data is encrypted in transit using TLS 1.2 and TLS 1.3 encryption protocols with HTTP requests being automatically redirected to HTTPS. Databases are encrypted at rest using LUKS (Linux Unified Key Setup). Documents and backups are encrypted at rest using AES-256 bit encryption.

We work with a qualified third party to conduct penetration testing at least annually and have procedures in place to ensure findings from the test are reviewed with vulnerabilities being remediated. We also utilise DAST (Dynamic Application Security Testing) tooling which provides additional penetration testing capabilities internally.

Pinpoint supports both 2FA (TOTP) and SSO with Azure AD / Entra ID, Google Workspace, or any SAML based IDP.

Yes, Pinpoint supports SCIM user provisioning.

Pinpoint provides role based access controls.

Access Groups comprise Permissions (what a user can do) and Visibilities (what a user can see). Each User is typically assigned an Access Group. If required, Permissions and Visibilities can be configured on an individual User level.

You can configure an unlimited number of Access Groups in your Pinpoint tenant.

You retain full ownership and control of the data submitted to the Pinpoint platform by both your team and your candidates. You can export your data at any time using our custom report builder.

At the end of a contract, you can request your data be returned to you and deleted. If you request that the data is deleted, it will be removed from production systems within 15 days and from all backup data assets within 45 days.

No, our company has not experienced a data breach.