Progull
Trust Center

Security and trust, in one place.

A consolidated view of how Progull handles customer environments, data and incidents. Maintained by the Progull security team. Anything not stated here is available on request.

This page is maintained by Progull's security and legal teams to answer common questions about how we operate. It is not an independent certification or audit attestation. For attested reports (SOC 2 Type II, pen-test summaries, DR exercise reports) contact security@progull.com under NDA.

Certifications & frameworks

What we attest, what we align to.

SOC 2 Type II

Attested

12-month observation window, no exceptions. Report available under NDA.

ISO/IEC 27001

In progress

Stage 1 audit complete. Stage 2 scheduled Q3 2026.

ISO/IEC 27017 · 27018

In progress

Aligned with ISO 27001 program. Same Stage 2 window.

GDPR

Compliant

DPA available. EU DPO appointed. Standard contractual clauses supported.

HIPAA

BAA-ready

Business Associate Agreement available for healthcare customers.

PCI-DSS

Scope-limited

Progull does not store cardholder data. Documented descoping available.

Data handling

What we collect, where it lives, how long it stays.

Data collected
Telemetry, abend metadata, log excerpts, ticket fields, reasoning traces.
Data not collected
Cardholder PAN, member PHI payloads, end-customer PII fields. Redaction enforced at ingest.
Customer-content residency
Pinned per tenant: US, EU, UK, IN, SG, JP. No cross-region replication without written approval.
Retention (operational)
90 days hot, 365 days warm, configurable archive up to 7 years.
Retention (audit)
7 years immutable (WORM-equivalent storage).
Deletion
Verified within 30 days of written request. Audit trail of deletion retained.

Encryption & key management

At rest, in transit, end-to-end signed.

In transit
TLS 1.3 only. mTLS for all mainframe-side connectors.
At rest
AES-256-GCM. BYOK supported via AWS KMS, Azure Key Vault, HashiCorp Vault.
Reasoning traces
Signed (Ed25519) and encrypted per tenant. Tamper-evident chain.
Secrets
Brokered through Vault / CyberArk. No long-lived credentials at rest in Progull.

Resilience

Recovery objectives are stated, measured and tested.

RPO
≤ 5 minutes
RTO
≤ 30 minutes
Uptime SLO
99.95% control plane
DR posture
Active / active across two regions per tenant
Backup frequency
Continuous WAL + 15-min full snapshots
Last DR exercise
Q2 2026 (passed; report available)

Sub-processors

The third parties Progull uses.

Vendor | Purpose | Region
AWS | Primary hosting (control plane + tenant data plane) | Per tenant
Microsoft Azure | Hosting (Azure-pinned tenants) | Per tenant
Cloudflare | Edge, WAF, DDoS mitigation | Global anycast
Datadog | Progull-internal observability | US / EU
PagerDuty | Progull-internal on-call | US
Snowflake | Internal analytics warehouse | US (no customer content)

Customers on Enterprise plans receive 30-day written notice of any sub-processor addition with a right to object.

Security program

Operating practices behind the platform.

Penetration testing
Annual third-party + continuous internal red-team exercises.
Vulnerability management
Critical patched ≤ 7d, High ≤ 30d. Tracked in SLO.
Secure SDLC
Threat modeling per epic. SAST + DAST + SCA on every PR. Two-eyes review enforced.
Personnel
Background checks at hire. Security training on hire + annually.
Endpoint
MDM-managed, FDE-enforced, EDR everywhere. No BYOD against production.
Vendor program
Risk-assessed onboarding. Annual re-review. DPA on file for every sub-processor.

Incident response

What happens when something goes wrong.

Severity model
Sev-1 (customer-impacting) → page < 5 min. Sev-2 → < 15 min. Sev-3 → next business hour.
Customer notification
Sev-1 affecting your tenant: notified within 1 hour. Written RCA within 5 business days.
Regulatory notification
Personal-data breach: regulators notified within 72 hours per GDPR.
Disclosure
Coordinated disclosure for vendor / library findings. Public CVE within 90 days where applicable.

Vulnerability disclosure

security@progull.com

PGP key available on request. Safe harbour for good-faith research.

DPA & contract

legal@progull.com

Standard DPA, SCCs and UK addendum available. Custom terms reviewable.

Data-subject requests

dpo@progull.com

GDPR / CCPA access, rectification and deletion requests routed to the DPO.