// Security

Protecting customer + visitor data.

The controls we have today, the certifications we're working on, and how to reach the security team.

Encryption

TLS 1.3 in transit. AES-256 at rest. Customer payloads encrypted with per-tenant keys, rotated quarterly.

Access control

SSO + SCIM on Unlimited. Role-based scopes on every API key. All employee access requires hardware MFA.

Audit logging

Every webhook send, key issuance, and configuration change is logged for 12 months and exportable on Unlimited.

Isolation

Tenants are logically isolated at the database row level with policy enforcement and at the application layer with scoped credentials.

Backups + RTO

Continuous WAL backups across two regions. RPO 5 minutes, RTO 60 minutes. Restore drills run quarterly.

Vendor review

Every sub-processor undergoes an annual security review. Current list available on request via security@pixelyeah.com.

// compliance

Where we are.

  • SHIPPED
    GDPR + CCPA compliant
  • SHIPPED
    HIPAA-eligible infrastructure
  • IN PROGRESS · Q4 2026
    SOC 2 Type II audit
  • IN PROGRESS · Q1 2027
    ISO 27001

// responsible disclosure

Found something?

Email security@pixelyeah.com with reproduction steps. We acknowledge within one business day and pay bounties on validated reports.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Available on request — security@pixelyeah.com
-----END PGP PUBLIC KEY BLOCK-----