Security overview

This overview summarizes how we approach security for Pinnora, operated by Pinnacle MAV Media LLC. It is not an audit report, certification, or guarantee of uninterrupted or error-free service; customers remain responsible for their own security configurations, access policies, and compliance programs. For detailed processor commitments, see our Data Processing Addendum, in particular Annex II (Technical & organizational measures).

1. Architecture & multi-tenancy

The Service is deployed on managed cloud infrastructure with network isolation, least-privilege production access, and separation between development, staging, and production environments. The application is logically multi-tenant: each Customer Organization is identified by a stable organization identifier, and tenant isolation is enforced at multiple layers — including database-level access policies tied to organization membership and application-layer scoping bound to the authenticated user's organization. Object storage paths are namespaced per organization. Cross-tenant access by application code paths is prohibited and tested. Specific subprocessors comprising the underlying infrastructure are listed at Subprocessors.

2. Encryption

• In transit: all client traffic uses modern TLS with strong cipher suites; HSTS is enabled on production hostnames.
• At rest: our managed database and object-storage layers encrypt data at rest using industry-standard symmetric encryption with provider-managed keys.
• Application-layer encryption: high-sensitivity tokens (such as ad-platform OAuth credentials) are additionally encrypted at the application layer before being written to the database.
• Secrets: service credentials are stored in managed secret stores rather than source control, and are rotated when personnel change or on suspected exposure.

3. Authentication & authorization

• User authentication via a managed identity provider, supporting email/password with strong password requirements, OAuth, and SAML SSO for Enterprise tiers.
• MFA is supported for end users where the upstream identity option enforces it; SCIM provisioning is available on Enterprise.
• Role-based access at the Organization and project level; permissions are evaluated server-side on every request.
• Production access by our team is gated behind SSO with MFA and audit logging; standing direct database access is restricted to a minimal break-glass set.

4. Data storage & backups

Customer Content and database records are stored with our managed database and storage providers under access-controlled accounts. Database backups are taken on a continuous basis sufficient to support point-in-time recovery; object storage is replicated per the configured durability class. Backups are encrypted at rest and access to backups is restricted to senior production personnel.

5. Vendor & subprocessor management

We assess subprocessors for security and privacy practices appropriate to the data they handle and review them periodically. Where available, we require SOC 2 Type II or ISO 27001 reports from subprocessors that store Customer Content. The current list, with regions and DPA links, is at Subprocessors.

6. Secure development

• All production changes flow through pull request with code review by at least one other engineer.
• Continuous dependency scanning (SCA) for known vulnerabilities; static analysis (SAST) and lint rules in CI; type-checking enforced on every change.
• Secrets-scanning is enabled on the source repository to prevent credential exposure.
• Production deploys are immutable artifacts promoted from preview environments.

7. Vulnerability management & testing

We engage independent security testing on a risk-prioritized basis appropriate to the maturity and scope of the Service. Findings are triaged and remediated on a risk-weighted schedule. Enterprise customers may request a security questionnaire response and, under NDA, the summary results of recent independent testing.

8. Incident response & breach notification

We maintain documented incident-response procedures covering detection, triage, containment, eradication, recovery, and post-incident review. We will notify affected business customers without undue delay after becoming aware of a personal-data breach affecting their data, in line with the timing and content requirements of applicable Data Protection Laws (further details in our DPA §8 and Privacy Policy §11). Customers will receive notifications at the security or admin email on file; we ask that you keep that contact current.

9. Personnel security

• All personnel and contractors with access to Customer data sign confidentiality and acceptable-use agreements.
• Personnel receive security and privacy training appropriate to their role, including phishing awareness and incident reporting.
• Access is provisioned on a least-privilege basis, reviewed periodically, and revoked promptly on role change or departure.
• Devices used to access production are required to be encrypted, with screen-lock and management controls enforced.

10. Logging & monitoring

Authentication, authorization, configuration changes, and security-relevant events are logged centrally with restricted access. Application errors and performance traces are sent to a managed error-tracking service. Log retention is set to a period appropriate to incident investigation and applicable compliance obligations.

11. Compliance posture

We operate a security and privacy program aligned with the SOC 2 Trust Services Criteria and the CIS Critical Security Controls. Enterprise customers may request our current security questionnaire response, certification status, and supporting documentation under NDA. The certifications held by our subprocessors are documented in their respective trust pages, linked from Subprocessors.

HIPAA / PCI: the Service is not covered by a HIPAA Business Associate Agreement and should not be used to process Protected Health Information unless we have signed a BAA with you. We do not store cardholder data on our systems; payment-card processing is delegated to PCI DSS Level 1 payment processors listed at Subprocessors.

12. Report a vulnerability — responsible disclosure & safe harbor

We welcome reports from security researchers. To report a vulnerability, email security@thepinnacle.media with reproduction steps, affected URL or component, expected vs observed behavior, and any proof-of-concept. We aim to acknowledge receipt within two (2) business days and provide a triage outcome within ten (10) business days. Please give us reasonable time to investigate and remediate before public disclosure (coordinated disclosure target: ninety (90) days, sooner where critical).

Safe harbor:we will not bring legal action against, or support legal action by third parties against, security researchers who, in good faith, conduct testing in accordance with this policy and the conditions below. This commitment provides a limited authorization equivalent to the "authorization" concept in the U.S. Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act's § 1201 security-research exemption (37 C.F.R. § 201.40), and analogous state and international computer-misuse laws.

• In scope: the production application at our primary domains and any product subdomain; first-party APIs.
• Out of scope: third-party services we depend on (each has its own responsible disclosure program — please report to the respective vendor); social-engineering or phishing of staff; physical attacks; denial-of-service or volumetric testing; testing against customer accounts you do not own.
• Conditions: do not access, modify, or exfiltrate data of other tenants; stop and report immediately if you encounter such data; do not exploit vulnerabilities beyond what is needed to demonstrate the issue; do not publicly disclose before we have remediated or, after good-faith coordination, the disclosure deadline above has passed.

We do not currently operate a paid bug bounty; we appreciate every responsible report and will credit researchers who request it.

13. Customer security controls

Customers can strengthen their own posture by: enabling SSO and MFA for all members; using the principle of least privilege for role assignments; disconnecting unused integrations; periodically reviewing the audit log and member roster; and routing security-incident notifications to a monitored distribution list rather than an individual inbox. Configuration questions: security@thepinnacle.media; privacy questions: privacy@thepinnacle.media.

14. Mailing address

Pinnacle MAV Media LLC — Pinnora