
Security

Enterprise-grade security for your industrial pump data. We take the protection of your data seriously.

Last updated: February 2026

Encryption

All data encrypted in transit (TLS 1.3) and at rest (AES-256)

Security Best Practices

Security controls aligned with industry standards and GCP certifications

Secure Infrastructure

Hosted on Google Cloud Platform with enterprise-grade security

Access Control

Role-based access control with SSO and MFA support

1 Infrastructure Security

PumpCycle AI is hosted on Google Cloud Platform (GCP), leveraging enterprise-grade infrastructure security.

Google Cloud Platform

EU data residency (europe-west6, Zurich) planned

Network Isolation

VPC with private subnets and Cloud NAT

DDoS Protection

Google Cloud Armor for traffic filtering

Automated Backups

Daily backups with 30-day retention

GCP Certifications: Our infrastructure provider maintains ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, and PCI DSS certifications.


2 Data Protection

Encryption

In Transit

TLS 1.3 for all connections. HSTS enabled with 1-year max-age.

At Rest

AES-256 encryption for all stored data. Google-managed encryption keys with automatic rotation.

Data Handling

  • Data Isolation: Customer data is logically separated using organization-level access controls.
  • Secure Deletion: Data is permanently deleted upon account termination after a grace period. A Data Processing Agreement (DPA) is available upon request.
  • No Data Selling: We never sell or share customer data with third parties for marketing.

3 Access Control

Authentication

Single Sign-On (SSO)

Google and social login via Clerk. SAML/OIDC available on Enterprise plans.

Multi-Factor Authentication

TOTP, SMS, and passkey support via Clerk

Session Management

JWT-based sessions managed by Clerk

Password Policy

Minimum 12 characters, breach detection via HaveIBeenPwned

Authorization

Role-based access control (RBAC) with the following default roles:

Role       Permissions
Owner      Full access, billing, organization deletion, ownership transfer
Admin      User management, integrations, all data operations
Reviewer   Approve/reject curve submissions, quality control
Member     Create/edit pumps, sizing, asset registry, monitoring
Viewer     Read-only access to pumps and reports

4 Compliance

GDPR

Compliant

Full compliance with EU General Data Protection Regulation

Swiss FADP

Compliant

Swiss Federal Act on Data Protection compliance

GCP Infrastructure Certifications

Via Google Cloud

Our infrastructure provider (GCP) maintains ISO 27001, SOC 1/2/3, and PCI DSS certifications.


5 Incident Response

We maintain a documented incident response plan with the following SLAs:

Priority        Examples                                   Response time
P1 - Critical   Data breach, complete service outage       1 hour
P2 - High       Partial outage, security vulnerability     4 hours
P3 - Medium     Degraded performance, minor issues         24 hours

Affected customers are notified within 72 hours of confirmed data breaches, in compliance with GDPR Article 33.


6 Vulnerability Management

  • Dependency Scanning: Automated daily scans with Dependabot and Snyk
  • Patch Management: Critical vulnerabilities patched within 24 hours

Report a Vulnerability

If you discover a security issue, please report it responsibly to security@pumpcycle.dev.


7 Security Contact

For security-related inquiries, concerns, or to request our security documentation:

Security Team

PumpCycle AI

security@pumpcycle.dev

PGP key available upon request

Enterprise customers can request our security questionnaire responses through their account manager.