Security & Privacy FAQs

Yes. We’ve been accredited with SOC 2 Type II certification by an independent auditor and ISO27001 by the British Assessment Bureau.

Yes. We have a formal Incident Response Plan incorporated into our Incident Management Policy. The Disaster Recovery Plan sets out roles, responsibilities, and authorizations in case of a disruptive incident.

Our Incident Management Policy is owned by the CTO with input from the Technical Fellow, CEO, and broader engineering team and forms part of new employee onboarding security training, as well as regular refresher training. The policy covers classification and treatment of incidents, learning from incidents, disciplinary actions, and collection of evidence.

Yes. We have dedicated information security policies that have been approved by management, published, and communicated to constituents. Our CTO and Technical Fellow define mandatory internal security standards and provide ongoing training & support to our team.

As an ISO27001 certified business, our policies are organised according to the ISMS framework within ISO/IEC 27002:2013.

Yes. Our CTO and Technical Fellow assess the risk of all activities, define mandatory internal security standards, and provide ongoing training & support to our team to ensure risks are appropriately managed.

Yes, our formalized Access Control Policy is documented and reviewed regularly. We apply the principal of least privilege and regularly review access and privileged access rights. All employee accounts must use Multi-Factor Authentication (MFA) wherever it is possible. All users have a unique user identifier for system access, and user credentials and passwords are not shared between users. Granting of administrative rights is strictly controlled, and requires approval from the asset owner.

We have a documented Access Control Policy covering our physical office environment that is reviewed frequently and is policed heavily. Access is granted on the principle of least priviledge and managed via our access control system.

We do not access your candidates’ data (or any of your Pinpoint data) without your permission. Your team may grant us access to do so when providing end-user support to your team. This access is granted to a named support team member for each interaction, can be revoked by your team at any time, and is automatically revoked within 24 hours.

We restrict access to our production environment extremely heavily, to the point where only a small single digit number of individuals have access to our cloud computing consoles, wider production estate and so on. We have segregation of responsibilities in place with regards to deployments, and endeavour to use managed services where feasible to limit the security exposure we would introduce vs the equivalent security posture of the hyperscale cloud service providers we utilise.

We have an inventory of privileged accounts – this is stored alongside our access control policy. We use the concept of least privilege throughout our access control process and review this frequently to ensure access is not granted to systems that are unnecessary to individuals. Privileged accounts are assigned to named individuals. An individual with a privileged account may also have a nonprivileged account under their name that they can use to perform tasks that do not warrant full authorisation.

Data in our database is encrypted at rest with LUKS (Linux Unified Key Setup). Documents are encrypted at rest using AES-256. Data is encrypted in transit with SSL.

Pinpoint systems are tested at least annually by an independent, third-party penetration testing service. Upon request, Pinpoint will provide a confidential summary of this report.

Yes to both. We support single sign on with Microsoft and Google, as well as any SAML based identity provider (including Okta and JumpCloud). And we support two-factor authentication with our platform.

Who can access data is completely customisable by you. You can set user roles and create custom access groups with very granular visibilities from within your Pinpoint admin interface. This allows you to control which individuals within your business can see your candidates’ data, as well as what they’re able to do with those candidates.

You retain full ownership and control of the data submitted to the Pinpoint platform by both your team and your candidates. You can export your data at any time using our custom report builder.

At the end of a contract, you can request your data be returned to you and deleted. If you request that the data is deleted, it will be removed from production systems within 15 days and from all backup data assets within 45 days.

No, our company has not experienced a data breach.