CERTIFICATIONS & STANDARDS.
SOC 2 Type II
Continuous controls monitoring with annual audit attestation covering the security, availability, and confidentiality Trust Services Criteria.
HIPAA Compliant
Protected health information isolation, access logging, BAA support, and encryption controls for covered entities and business associates.
AES-256-GCM Encryption
All data encrypted at rest using AES-256-GCM under envelope encryption, with the key encryption keys managed by the customer. No plaintext storage anywhere in the platform.
Zero-Trust Architecture
Every request authenticated and authorized. No implicit trust between services. mTLS everywhere. Least-privilege enforced at every boundary.
PCI DSS Ready
Cardholder data environment segmented and monitored. Tokenization-first design keeps raw card data out of application scope.
GDPR Compliant
Data residency controls, right-to-erasure automation, consent management, and cross-border transfer safeguards for EU data subjects.
ENCRYPTED EVERYWHERE.
Encryption at Rest
Every byte stored on the platform is encrypted using AES-256-GCM with envelope encryption. Customer-managed keys via Cloud KMS. Automatic key rotation on configurable schedules; because data keys are wrapped rather than derived, rotating the key encryption key re-wraps the data keys instead of re-encrypting the stored data. No plaintext touches disk.
Encryption in Transit
All network traffic encrypted with TLS 1.3. Internal service-to-service communication secured with mutual TLS. Certificate rotation is automatic. Only TLS 1.3 is negotiated at the edge, so protocol-downgrade attempts fail the handshake.
Key Management
HSM-backed key storage with hardware root of trust. Envelope encryption wraps data encryption keys with key encryption keys. Full audit trail on every key operation. Bring-your-own-key supported.
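How the envelope scheme in the three items above fits together, as an added Go example that is not Pinkerton AI's code: a per-object data encryption key (DEK) encrypts the bytes with AES-256-GCM, the DEK is wrapped under a versioned key encryption key (KEK), and rotating the KEK re-wraps the DEK without touching the ciphertext. The in-memory KEK, the object IDs and the sample record are constructed for the example; in production the KEK lives in Cloud KMS or an HSM and only wrap/unwrap calls cross the API boundary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEK stands in for a key encryption key held in Cloud KMS / an HSM. In production
// the raw key never leaves the HSM and callers only invoke the KMS Encrypt/Decrypt
// API on a key version; holding the AEAD in memory is an assumption for this example.
type KEK struct {
	Version int
	aead    cipher.AEAD
}

// NewKEK generates a fresh 256-bit KEK tagged with a version number.
func NewKEK(version int) *KEK {
	return &KEK{Version: version, aead: mustGCM(randBytes(32))}
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed CSPRNG read is not recoverable
	}
	return b
}

// mustGCM builds AES-256-GCM; keys here are always 32 bytes, so neither call can fail.
func mustGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// aeadSeal encrypts under a fresh random 96-bit nonce and returns nonce||ct||tag.
// GCM collapses if a nonce repeats under one key, so callers never choose it.
func aeadSeal(aead cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func aeadOpen(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("blob shorter than nonce")
}

// Envelope is the stored form: data under a per-object DEK plus that DEK wrapped
// under a named KEK version. The plaintext DEK is never persisted.
type Envelope struct {
	ObjectID   string
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// Seal draws a one-off 256-bit DEK, encrypts the data with it and wraps the DEK under
// the KEK. The object ID is AAD on both layers, so an envelope cannot be moved onto
// a different object without failing authentication.
func Seal(kek *KEK, objectID string, plaintext []byte) *Envelope {
	dek, aad := randBytes(32), []byte(objectID)
	return &Envelope{
		ObjectID:   objectID,
		KEKVersion: kek.Version,
		Ciphertext: aeadSeal(mustGCM(dek), plaintext, aad),
		WrappedDEK: aeadSeal(kek.aead, dek, aad),
	}
}

// Open refuses any KEK version other than the one the envelope names, unwraps the
// DEK and decrypts. Tampering with ciphertext, wrapped key or object ID fails here.
func Open(kek *KEK, env *Envelope) ([]byte, error) {
	if kek.Version != env.KEKVersion {
		return nil, fmt.Errorf("envelope needs KEK v%d, have v%d", env.KEKVersion, kek.Version)
	}
	dek, err := aeadOpen(kek.aead, env.WrappedDEK, []byte(env.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(mustGCM(dek), env.Ciphertext, []byte(env.ObjectID))
}

// Rewrap is what KEK rotation costs: unwrap under the old KEK, wrap under the new
// one. The bulk ciphertext is untouched, so rotation is a metadata pass, not a rewrite.
func Rewrap(oldKEK, newKEK *KEK, env *Envelope) error {
	dek, err := aeadOpen(oldKEK.aead, env.WrappedDEK, []byte(env.ObjectID))
	if err != nil {
		return err
	}
	env.WrappedDEK = aeadSeal(newKEK.aead, dek, []byte(env.ObjectID))
	env.KEKVersion = newKEK.Version
	return nil
}
```

Two details are worth carrying into a real deployment: the object identifier goes in as GCM additional authenticated data on both layers, so an envelope lifted from one record cannot be decrypted against another, and nonces are drawn fresh from the CSPRNG for every Seal, since AES-GCM loses both confidentiality and integrity if a (key, nonce) pair ever repeats.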
HARDENED FROM THE GROUND UP.
Every layer of the Pinkerton AI infrastructure is designed for defense in depth. Private networks, managed databases with automated backups, container isolation, and edge protection work together to reduce the attack surface.
GKE Autopilot
Workloads run on Google Kubernetes Engine Autopilot with automatic node provisioning, pod-level isolation, and built-in security hardening. No node management overhead.
Cloud SQL with Automated Backups
Managed PostgreSQL with automated daily backups, point-in-time recovery to the second, cross-region replication, and encrypted storage. Recovery tested quarterly.
Private VPC Networking
All tenant workloads operate inside private VPCs with no public IP addresses. Interconnects, NAT gateways, and firewall rules enforced by policy. Network segmentation per tenant.
WAF Protection
Web Application Firewall with OWASP Core Rule Set, DDoS mitigation at the edge, rate limiting, geographic restrictions, and bot management. Adaptive rules tuned per deployment.
EVERY REQUEST. VERIFIED.
Identity is the perimeter. Every actor, every action, every resource access is authenticated, authorized, and logged.
Role-Based Access Control
Granular RBAC with sovereignty levels. Permissions scoped to tenant, department, and resource. Inheritance chains with explicit deny overrides.
JWT Authentication
Stateless token authentication with short-lived access tokens and rotating refresh tokens. Access tokens are bound to the presenting client, so a token captured in transit cannot be replayed from another connection. Signature, issuer, audience, and expiry are validated on every request.
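What "claims validated on every request" and "token binding" look like in code, as an added Go example that is not Pinkerton AI's implementation. It mints and verifies HS256 tokens with the standard library and binds each token to the client certificate presented on the mTLS connection via the RFC 8705 cnf.x5t#S256 claim. The signing key, issuer, audience and certificate bytes are constructed placeholders; using a symmetric HS256 key rather than an asymmetric signature, and modelling aud as a single string, are assumptions made for brevity.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the subset this service checks (aud as a single string is an assumption).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Cnf struct {
		X5tS256 string `json:"x5t#S256"` // RFC 8705 certificate thumbprint
	} `json:"cnf"`
}

// Thumbprint is base64url(SHA-256(DER)), the value RFC 8705 puts in cnf.x5t#S256.
func Thumbprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return b64.EncodeToString(sum[:])
}

func hs256(signingInput string, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return b64.EncodeToString(m.Sum(nil))
}

func decodePart(part string, v interface{}) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Mint issues a short-lived HS256 token whose cnf claim ties it to one client certificate.
func Mint(key []byte, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	input := header + "." + b64.EncodeToString(body)
	return input + "." + hs256(input, key), nil
}

// Verifier holds the expectations every request is checked against.
type Verifier struct {
	Key      []byte
	Issuer   string
	Audience string
	Now      func() time.Time
}

// Verify checks, in order: structure; that alg is exactly HS256, so "none" and
// algorithm-confusion headers are rejected before the key is used; the MAC, in
// constant time; expiry; issuer; audience; and that the token is bound to the
// certificate presented on this connection.
func (v Verifier) Verify(token string, presentedCertDER []byte) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var header struct{ Alg string }
	if err := decodePart(parts[0], &header); err != nil || header.Alg != "HS256" {
		return nil, fmt.Errorf("unsupported alg %q", header.Alg)
	}
	want := hs256(parts[0]+"."+parts[1], v.Key)
	if subtle.ConstantTimeCompare([]byte(want), []byte(parts[2])) != 1 {
		return nil, errors.New("signature mismatch")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case v.Now().After(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Iss != v.Issuer:
		return nil, errors.New("issuer mismatch")
	case c.Aud != v.Audience:
		return nil, errors.New("audience mismatch")
	case subtle.ConstantTimeCompare([]byte(c.Cnf.X5tS256), []byte(Thumbprint(presentedCertDER))) != 1:
		return nil, errors.New("token not bound to the presented client certificate")
	}
	return &c, nil
}
```

The ordering matters: the algorithm is pinned and the signature checked before any claim is read, so an attacker cannot influence processing with an unsigned or re-signed payload, and the thumbprint comparison is what turns a bearer token into a bound one, because a stolen token is useless without the private key of the certificate it names.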
Immutable Audit Logging
Every authentication event, authorization decision, and data access logged to an append-only audit stream. Before/after snapshots for every state change.
Session Management
Configurable session lifetimes, idle timeouts, and concurrent session limits. Force-logout capability for compromised sessions. Session events streamed to SIEM.
Multi-Factor Authentication
TOTP, WebAuthn, and SMS-based second factors. Of the three, WebAuthn is the only phishing-resistant option and SMS the weakest (SIM-swap and interception), so tenant policy should prefer WebAuthn where clients support it. MFA enforced by policy at the tenant level. Step-up authentication for sensitive operations such as payroll approval.
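RFC 6238 TOTP with a replay guard, as an added Go example that is not Pinkerton AI's MFA code: the verifier accepts one 30-second step of clock skew on either side but records the highest step consumed per user, so a code the user has already submitted (or an attacker has captured) is refused for the rest of its window. The seed is the RFC 4226/6238 test-vector secret and the user names are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"sync"
	"time"
)

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
// then the low `digits` decimal digits, zero-padded.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP over the time-step counter floor(unix / period).
func TOTP(secret []byte, at time.Time, period int64, digits int) string {
	return HOTP(secret, uint64(at.Unix()/period), digits)
}

// TOTPVerifier accepts Skew steps of clock drift either side and remembers the
// highest step already used per user, so an observed code cannot be replayed
// inside its validity window.
type TOTPVerifier struct {
	Period int64
	Digits int
	Skew   int64
	mu     sync.Mutex
	used   map[string]uint64
}

func NewTOTPVerifier() *TOTPVerifier {
	return &TOTPVerifier{Period: 30, Digits: 6, Skew: 1, used: map[string]uint64{}}
}

// Check returns true once for a given (user, time-step); presenting the same or
// an earlier step again is refused even though the code itself is still "valid".
func (v *TOTPVerifier) Check(user string, secret []byte, code string, now time.Time) bool {
	if len(code) != v.Digits {
		return false
	}
	if _, err := strconv.ParseUint(code, 10, 32); err != nil {
		return false
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	center := now.Unix() / v.Period
	for d := -v.Skew; d <= v.Skew; d++ {
		step := uint64(center + d)
		if last, seen := v.used[user]; seen && step <= last {
			continue // replay, or a step older than one already consumed
		}
		if subtle.ConstantTimeCompare([]byte(HOTP(secret, step, v.Digits)), []byte(code)) == 1 {
			v.used[user] = step
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector seed, not a real secret
	v := NewTOTPVerifier()
	at := time.Unix(59, 0)
	code := TOTP(secret, at, 30, 6)
	fmt.Println(code, v.Check("alice", secret, code, at), v.Check("alice", secret, code, at))
}
```

The per-user high-water mark is the piece most TOTP integrations forget: without it, the 90-second acceptance window is also a 90-second replay window for anyone who shoulder-surfs or phishes the code.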
Least-Privilege Enforcement
Default-deny posture across all resources. Permissions granted explicitly, scoped narrowly, and reviewed on schedule. Unused permissions flagged for revocation.
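A scope-inheriting, default-deny evaluator with explicit deny overrides, as an added Go example that is not Pinkerton AI's authorization engine; it illustrates both the Role-Based Access Control item (tenant/department/resource scoping, inheritance, deny overrides) and the Least-Privilege Enforcement item above (nothing is allowed unless a rule grants it). The scope path format, role names and sample rules are constructed for the example, and the audit slice stands in for the append-only audit stream.

```go
package main

import (
	"fmt"
	"strings"
)

// Effect of a rule. A Deny anywhere in the scope chain outranks every Allow.
type Effect int

const (
	Allow Effect = iota
	Deny
)

// Rule binds one effect to (role, action, scope). Scopes are paths that nest
// tenant -> department -> resource, e.g. "tenant:acme/dept:finance/res:payroll-q3";
// a rule at an ancestor scope is inherited by everything beneath it. Action "*" matches any.
type Rule struct {
	Role, Action, Scope string
	Effect              Effect
}

type Principal struct {
	Subject string
	Roles   []string
}

// Policy is the rule set plus a stand-in for the append-only audit stream.
type Policy struct {
	Rules []Rule
	Audit []string
}

// ancestors lists every scope from the tenant root down to scope itself.
func ancestors(scope string) []string {
	parts := strings.Split(scope, "/")
	chain := make([]string, 0, len(parts))
	for i := range parts {
		chain = append(chain, strings.Join(parts[:i+1], "/"))
	}
	return chain
}

func (r Rule) matches(p Principal, action string, chain []string) bool {
	if r.Action != action && r.Action != "*" {
		return false
	}
	roleOK, scopeOK := false, false
	for _, role := range p.Roles {
		roleOK = roleOK || role == r.Role
	}
	for _, s := range chain {
		scopeOK = scopeOK || s == r.Scope
	}
	return roleOK && scopeOK
}

// Authorize is default-deny: an explicit Deny that applies anywhere on the chain wins
// outright, otherwise the first applicable Allow grants, otherwise the request is
// refused because nothing granted it. Every decision is written to the audit stream.
func (pol *Policy) Authorize(p Principal, action, scope string) (bool, string) {
	chain := ancestors(scope)
	var allow *Rule
	for i := range pol.Rules {
		r := &pol.Rules[i]
		if !r.matches(p, action, chain) {
			continue
		}
		if r.Effect == Deny {
			return pol.record(p, action, scope, false, "explicit deny at "+r.Scope)
		}
		if allow == nil {
			allow = r
		}
	}
	if allow != nil {
		return pol.record(p, action, scope, true, "allowed by rule at "+allow.Scope)
	}
	return pol.record(p, action, scope, false, "no matching grant (default deny)")
}

func (pol *Policy) record(p Principal, action, scope string, allowed bool, reason string) (bool, string) {
	pol.Audit = append(pol.Audit, fmt.Sprintf("sub=%s action=%s scope=%s allowed=%t reason=%q",
		p.Subject, action, scope, allowed, reason))
	return allowed, reason
}

// SamplePolicy is a constructed rule set for the example, not real tenant data.
func SamplePolicy() *Policy {
	return &Policy{Rules: []Rule{
		{Role: "finance-manager", Action: "payroll:read", Scope: "tenant:acme", Effect: Allow},
		{Role: "finance-manager", Action: "payroll:approve", Scope: "tenant:acme/dept:finance", Effect: Allow},
		{Role: "finance-manager", Action: "payroll:approve", Scope: "tenant:acme/dept:finance/res:payroll-exec", Effect: Deny}, // resource-level carve-out
	}}
}
```

The evaluator never short-circuits on an Allow: it keeps scanning so that a Deny later in the rule list, or deeper in the scope chain, still wins, and every outcome, including the implicit default deny, lands in the audit stream with the rule that decided it.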