Security

Security at Punchbowl

We treat security as a first-class engineering discipline, not an afterthought. Here's exactly how we protect your data.

Certifications & compliance

SOC 2 Type II: annual audit

ISO 27001: certified

GDPR: compliant

HIPAA Ready: BAA available

Infrastructure security

Punchbowl runs on a hardened cloud infrastructure across five global regions. All production workloads run in isolated Kubernetes namespaces with network policies that implement a default-deny posture. Nodes are automatically rotated on a 30-day cycle with immutable base images to prevent configuration drift.

Our infrastructure is defined entirely as code (Terraform), peer-reviewed before every change, and validated by automated policy-as-code checks (Open Policy Agent). No manual changes to production infrastructure are permitted.
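A default-deny NetworkPolicy is easy to get subtly wrong, and a policy-as-code check is where such a mistake would be caught before it reaches production. The following is an added illustration, not Punchbowl's own code: a check that decides, from parsed manifests, whether a namespace's policies really deny both ingress and egress. The manifests are constructed, and the defaulting rule mirrors the Kubernetes API server (policyTypes absent means Ingress, plus Egress only when an egress rule is present).

```python
"""Decide whether parsed Kubernetes NetworkPolicy manifests give a namespace a
default-deny posture for both ingress and egress (illustrative check)."""

# Constructed manifests, as they would look after parsing the YAML.
DENY_ALL = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all", "namespace": "payments"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

# Looks like deny-all but is not: without policyTypes, an empty egress list is
# ignored by API server defaulting, so only ingress ends up restricted.
DENY_ALL_BROKEN = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all", "namespace": "payments"},
    "spec": {"podSelector": {}, "ingress": [], "egress": []},
}

# A normal allow rule layered on top of deny-all; it denies nothing by itself.
ALLOW_DNS = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-dns", "namespace": "payments"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"ports": [{"protocol": "UDP", "port": 53}]}]},
}


def selects_all_pods(selector):
    """An empty podSelector ({}) matches every pod in the namespace."""
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def effective_policy_types(spec):
    """Mirror API server defaulting when policyTypes is omitted."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if spec.get("egress") else {"Ingress"}


def denied_directions(policy):
    """Directions this one policy blocks entirely for all pods in its namespace:
    it must apply to the direction and carry no rule for it ({} would allow all)."""
    spec = policy.get("spec", {})
    if not selects_all_pods(spec.get("podSelector", {})):
        return set()
    types = effective_policy_types(spec)
    return {d for d, key in (("Ingress", "ingress"), ("Egress", "egress"))
            if d in types and not spec.get(key)}


def namespace_is_default_deny(policies):
    """True when the policies together deny both directions by default."""
    covered = set().union(*(denied_directions(p) for p in policies))
    return {"Ingress", "Egress"} <= covered
```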

Data encryption

All customer data is encrypted at rest using AES-256-GCM with customer-specific key hierarchies managed by our key management service. Encryption keys are rotated automatically every 90 days and can be rotated on demand by Enterprise customers.

All data in transit is protected by TLS 1.3. We do not support TLS 1.0 or 1.1. API endpoints enforce HSTS with a minimum max-age of one year. Internal service-to-service communication uses mutual TLS (mTLS) with short-lived certificates issued by our internal certificate authority.

Access control

Punchbowl enforces zero-trust access for all internal systems. All engineer access to production requires hardware security key (FIDO2) authentication and goes through a privileged access management (PAM) system that enforces just-in-time access with automatic expiry.

Production access requests are approved by at least two members of the security team, logged in an immutable audit trail, and automatically revoked when the session ends. We practice least-privilege everywhere: no standing admin access exists in production environments.

Application security

Our software development lifecycle (SDLC) includes mandatory security review for all features that touch authentication, authorization, data handling, or external integrations. We use static analysis (SAST), software composition analysis (SCA), and dynamic analysis (DAST) in our CI/CD pipeline.

We conduct annual penetration testing with an independent third-party firm and address all critical and high-severity findings within 30 days of disclosure. We also run a continuous bug bounty program through HackerOne.

Incident response

Punchbowl maintains a documented incident response plan that is reviewed and tested quarterly through tabletop exercises. Our on-call rotation ensures 24/7 coverage with defined escalation paths and communication protocols.

In the event of a security incident that affects customer data, we commit to: (a) notifying affected customers within 72 hours of becoming aware of the incident; (b) providing a detailed post-incident report within 30 days; and (c) implementing remediation measures to prevent recurrence.

Vulnerability disclosure

We welcome security researchers who identify potential vulnerabilities in our systems. If you discover a security issue, please report it to security@punchbowl.io with a description of the issue, steps to reproduce, and your contact information.

We commit to: acknowledging receipt within 24 hours; providing an initial assessment within 5 business days; working with you to understand and remediate valid vulnerabilities; and crediting you in our security acknowledgements (unless you prefer to remain anonymous).

Please do not access, modify, or delete customer data; conduct denial-of-service attacks; use automated scanning tools without permission; or disclose findings publicly before we have had the opportunity to remediate them.

Subprocessors

A current list of our subprocessors — companies that process customer data on our behalf — is available on request. Enterprise customers may object to the addition of new subprocessors and will receive 30 days' advance notice of any changes to our subprocessor list.

Contact

For security-related questions, vulnerability reports, or to request our SOC 2 Type II report, contact our security team at security@punchbowl.io. SOC 2 reports are provided under NDA to Enterprise customers and qualified prospects.