Pactum | Trust Center
Welcome to Pactum Trust Center. Pactum is committed to ensuring the confidentiality, integrity, and availability of your data. We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants.
Frequently Asked Questions

Quick Summary

Third-party audits
Third-party penetration testing
Security awareness training
Qualys SSL Labs security grade A+
Vendor risk management
Disaster recovery plan
Responsible disclosure program
Privacy policy
Quarterly access reviews
Cloud infrastructure security
Centralized IAM solution to manage employee access
Uptime statistics

Resources

Information Security Policy

Data Retention and Disposal Policy

Change Management Policy

Risk Assessment and Treatment Policy

Business Continuity and Disaster Recovery Plan

SOC 2 Type 2 Report 2024

Penetration Test Report 2024

Information on the General Conditions of the AI Service at Pactum

Large Language Models at Pactum

Customer Data Usage at Pactum

Compliance

Monitoring

Continuously monitored by Secureframe

FAQs

The service is hosted in a GCP data center located in the US or the EU. GCP employs a robust security program with multiple certifications. For more information on our provider's security processes, please visit the GCP Security page: https://cloud.google.com/security
All data in transit and at rest is encrypted using industry standard solutions (TLS 1.2 or above, AES-256).
Pactum supports different SSO integrations. SAML is the preferred option due to its more robust security and control over user sessions compared to other similar integrations.
We have a BCDR policy which is reviewed and tested annually.
We have a mandatory security training program in place for all employees upon joining, and it is required to be retaken annually.
We run continuous vulnerability checks. SAST and DAST scans are run periodically, and third-party penetration tests are conducted.
We retain the data for the duration of the agreement unless there are legal or regulatory requirements to retain some data for longer.
We ensure that third-party vendors and subcontractors go through our formal vendor management process. All new vendors and subcontractors are subjected to our information security and data privacy risk assessments. Moreover, we conduct an annual review of all vendors and subcontractors who process customer data.
Yes, secure coding practices are integrated into our Secure Software Development Lifecycle (SSDLC). Our engineers define security requirements at the early stages of the SSDLC and then assess compliance with those requirements. They are also tasked with reviewing the OWASP Top 10 web application security risks.

Monitoring

Availability

Automated Backup Process
Full backups are performed and retained in accordance with the Business Continuity and Disaster Recovery Policy.
Uptime and Availability Monitoring
System tools monitor for uptime and availability based on predetermined criteria.
Business Continuity and Disaster Recovery Policy
Business Continuity and Disaster Recovery Policy governs required processes for restoring the service or supporting infrastructure after suffering a disaster or disruption.
Testing the Business Continuity and Disaster Recovery Plan
The Business Continuity and Disaster Recovery Plan is periodically tested via tabletop exercises or equivalents. When necessary, Management makes changes to the Business Continuity and Disaster Recovery Plan based on the test results.

Confidentiality

Disposal of Customer Data
Upon customer request, the Company requires that data that is no longer needed is removed from databases and other file stores in accordance with agreed-upon customer requirements.
Retention of Customer Data
Procedures are in place to retain customer data based on agreed-upon customer requirements or in line with information security policies.
Data Classification Policy
A Data Classification Policy details the security and handling protocols for sensitive data.
Data Retention and Disposal Policy
A Data Retention and Disposal Policy specifies how customer data is to be retained and disposed of based on compliance requirements and contractual obligations.

Vulnerability Management

Vulnerability and Patch Management Policy
A Vulnerability Management and Patch Management Policy outlines the processes to efficiently respond to identified vulnerabilities.
Third-Party Penetration Test
A third party is engaged to conduct a network and application penetration test of the production environment at least annually. Critical and high-risk findings are tracked through resolution.

Incident Response

Incident Response Plan Testing
The Incident Response Plan is periodically tested via tabletop exercises or equivalents. When necessary, Management makes changes to the Incident Response Plan based on the test results.
Tracking a Security Incident
Identified incidents are documented, tracked, and analyzed according to the Incident Response Plan.
Incident Response Plan
An Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning, and tracking confirmed incidents through to resolution.

Network Security

Logging and Monitoring for Threats
Logging and monitoring software is used to collect data from infrastructure to detect potential security threats and unusual system activity, and to monitor system performance, as applicable.
Network Security Policy
A Network Security Policy identifies the requirements for protecting information and systems within and across networks.
Restricted Port Configurations
Configurations ensure available networking ports, protocols, services, and environments are restricted as necessary, including firewalls.
Automated Alerting for Security Events
Alerting software is used to notify impacted teams of potential security events.
Network Traffic Monitoring
Security tools are implemented to provide monitoring of network traffic to the production environment.

Access Security

Encryption and Key Management Policy
An Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.
Removal of Access
Upon termination or when internal personnel no longer require access, system access is removed, as applicable.
Access Control and Termination Policy
An Access Control and Termination Policy governs authentication and access to applicable systems, data, and networks.
Asset Inventory
A list of system assets, components, and their respective owners is maintained and reviewed at least annually.
Encryption-in-Transit
Service data transmitted over the internet is encrypted in transit.
Access to Product is Restricted
Non-console access to production infrastructure is restricted to users with a unique SSH key or access key.