Security
How we protect your data and your business.
Effective date: 10 July 2026
1. Infrastructure
- Hosting: AWS EU-region data centres
- Uptime: 99.9% SLA, multi-AZ redundancy
- Network: WAF and DDoS mitigation
- Backups: Daily automated, 30-day point-in-time recovery
2. Data Encryption
- In transit: TLS 1.2+ for all connections
- At rest: AES-256 for all stored data
- Payments: Stripe PCI DSS Level 1 — we never store card data
3. Access Controls
- Role-based access controls (RBAC)
- MFA enforced for all internal admin access
- All admin access logged and audited
- Customer data logically isolated between accounts
4. Application Security
- Regular patching and dependency updates
- Periodic penetration testing
- OWASP Top 10 mitigations throughout
- Secure code review process
5. Compliance
- UK GDPR / EU GDPR: See Privacy Policy and DPA
- PCI DSS: Via Stripe Level 1
- SOC 2 Type II: AWS certified infrastructure
6. Incident Response
We notify affected customers within 72 hours of a confirmed personal data breach and report to the ICO where required.
7. Responsible Disclosure
Email hello@usepragma.app — subject: "Security Vulnerability Report". Include description, reproduction steps, and impact. We acknowledge within 2 business days. Please don't exploit or publicly disclose while we address it.
Pragma · hello@usepragma.app · DPO: privacy@usepragma.app